Course – LS – All

Get started with Spring and Spring Boot, through the Learn Spring course:

>> CHECK OUT THE COURSE

1. Overview

In this tutorial, we’ll explore using Java HttpClient to connect to HTTPS URLs. We’ll also learn how to use the client with URLs that don’t have a valid SSL certificate.

In older versions of Java, we preferred to use libraries like Apache HTTPClient and OkHttp to connect to a server. In Java 11, an improved HttpClient library was added to the JDK.

Let’s explore how to use it to call a service over SSL.

2. Calling an HTTPS URL Using the Java HttpClient

We’ll use test cases to run the client code. For testing purposes, we’ll use an existing URL that runs on HTTPS.

Let’s write code to set up the client and call the service:

HttpClient httpClient = HttpClient.newHttpClient();
    
HttpRequest request = HttpRequest.newBuilder()
  .uri(URI.create("https://www.google.com/"))
  .build();

HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());

Here, we first created a client using the HttpClient.newHttpClient() method. Then, we created a request and set the URL of the service we’re going to hit. Finally, we sent the request using the HttpClient.send() method and collected the response – a HttpResponse object containing the response body as a String.

When we put the above code in a test case and perform the below assertion, we’ll observe that it passes:

assertEquals(200, response.statusCode());

3. Calling an Invalid HTTPS URL

Now, let’s change the URL to another one that doesn’t have a valid SSL certificate. We can do so by changing the request object:

HttpRequest request = HttpRequest.newBuilder()
  .uri(new URI("https://wrong.host.badssl.com/"))
  .build();

When we run the test again, we get the below error:

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching wrong.host.badssl.com found.
  at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
  at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)

This is because the URL doesn’t have a valid SSL certificate.

4. Bypassing SSL Certificate Verification

4.1. Using Mock Trust Manager

In order to skip the validation done automatically by the HttpClient we can extend the default X509ExtendedTrustManager object, which is the class that is in charge of checking the validity of the SSL certificate, overriding the default business logic with empty methods:

private static final TrustManager MOCK_TRUST_MANAGER = new X509ExtendedTrustManager() {
   @Override
   public java.security.cert.X509Certificate[] getAcceptedIssuers() {
       return new java.security.cert.X509Certificate[0];
   }

   @Override
   public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
       // empty method
   }
   // ... Other void methods
}

We also need to provide the new TrustManager implementation to our HttpClient instance. To do this, we firstly create a new SSLContext instance of the HTTPClient, then we init the object passing null as the KeyManager list, the just created TrustManager in an array, and a new instance of SecureRandom class (a random number generator):

SSLContext sslContext = SSLContext.getInstance("SSL"); // OR TLS
sslContext.init(null, new TrustManager[]{DUMMY_TRUST_MANAGER}, new SecureRandom());

Let’s now use this actualized SSLContext to build our now well-behaving HttpClient:

HttpClient httpClient = HttpClient.newBuilder().sslContext(sslContext).build();

Now we can call any URL that does not have a valid certificate to get anyway a successful response:

HttpRequest request = HttpRequest.newBuilder()
            .uri(new URI("https://wrong.host.badssl.com/"))
            .build();
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
Assertions.assertEquals(200, response.statusCode())

In the next paragraph, we will see another way we can achieve the same result with a JVM flag that will disable the Certificate verification for every HttpClient request.

4.2. Using JVM Disable Hostname Verifier Flag

As the last option to resolve the error we got above, let’s look at a solution to bypass SSL certificate verification.

In Apache HttpClient, we could modify the client to bypass certificate verification. However, we can’t do that with the Java HttpClient. We’ll have to rely on making changes to the JVM to disable hostname verification.

One way to do this is to import the website’s certificate into the Java KeyStore. This is a common practice and is a good option if there are a small number of internal, trusted websites.

However, this can become tiresome if there are a large number of websites or too many environments to manage. In this case, we can use the property jdk.internal.httpclient.disableHostnameVerification to disable hostname verification.

We can set this property when running the application as a command-line argument:

java -Djdk.internal.httpclient.disableHostnameVerification=true -jar target/java-httpclient-ssl-0.0.1-SNAPSHOT.jar

Alternatively, we can programmatically set this property before creating our client:

Properties props = System.getProperties();
props.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());

HttpClient httpClient = HttpClient.newHttpClient();

When we run the test now, we’ll see that it passes.

We should note that changing the property would mean that certificate verification is disabled for all requests. This may not be desirable, especially in production. However, it’s common to introduce this property in non-production environments.

5. Can We Use Java HttpClient With Spring?

Spring provides two popular interfaces to make HTTP requests:

  • RestTemplate for synchronous requests
  • WebClient for synchronous and asynchronous requests

Both can be used along with popular HTTP clients such as Apache HttpClient, OkHttp, and the old HttpURLConnection. However, we can’t plug Java HttpClient into these two interfaces. It’s rather seen as an alternative to them.

We can use Java HttpClient to make synchronous and asynchronous requests, convert requests and responses, add timeouts, etc. Therefore, it can be utilized directly without needing Spring’s interfaces.

6. Conclusion

In this article, we explored how to use the Java HTTP Client to connect to a server that requires SSL. We also looked at ways to use the client with URLs that don’t have a valid certificate.

As always, the code for these examples is available on GitHub.

Course – LS – All

Get started with Spring and Spring Boot, through the Learn Spring course:

>> CHECK OUT THE COURSE
res – REST with Spring (eBook) (everywhere)
Comments are closed on this article!