loading...

Use Client Certificate Authentication with Java and RestTemplate

gochev profile image Nayden Gochev Updated on ・2 min read

As a follow up of the Convert PFX certificate to JKS, P12, CRT we now have a keystore and a truststore (if anyone needs) and we will use this keystore to send client side authentication using Spring’s RestTemplate.

First copy your keystore.jks and truststore.jks in your classpath, no one wants absolute paths right ?:)
Again a reminder The difference between truststore and keystore if you are not aware is(quote from the JSSE ref guide):
TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.

The magic happens in the creation of SSLContext. Keep in mind the Spring Boot have a nice RestTemplateBuilder but I will not gonna use it, because someone of you might have an older version or like me, might just use a plain old amazing Spring.

If you just want to use the keystore:

final String allPassword = "123456";
SSLContext sslContext = SSLContextBuilder
.create()
.loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"),
allPassword.toCharArray(), allPassword.toCharArray())
.build();

if you just want to use the truststore

final String allPassword = "123456";
SSLContext sslContext = SSLContextBuilder
.create()
.loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())
.build();

I guess you know how to use both ;), if you want to IGNORE the truststore certificate checking and trust ALL certificates (might be handy for testing purposes and localhost)

final String allPassword = "123456";
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = SSLContextBuilder
.create()
.loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())
.loadTrustMaterial(null, acceptingTrustStrategy) //accept all
.build();

Ones you have the sslContext you simply do :

HttpClient client = HttpClients.custom()
 .setSSLContext(sslContext)
 .build();
HttpComponentsClientHttpRequestFactory requestFactory =
 new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(client);
RestTemplate restTemplate = new RestTemplate(requestFactory);
return restTemplate;

And Voala, now each time you make a get/post or exchange with your restTemplate you will send the client side certificate.
Full example (the “tests” version) that sends client side certificate and ignores the SSL certificate.

private RestTemplate getRestTemplateClientAuthentication()
 throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException,
 KeyStoreException, KeyManagementException {
final String allPassword = "123456";
 TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
 SSLContext sslContext = SSLContextBuilder
 .create()
 .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"),
 allPassword.toCharArray(), allPassword.toCharArray())
//.loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())
 .loadTrustMaterial(null, acceptingTrustStrategy)
 .build();
HttpClient client = HttpClients.custom()
 .setSSLContext(sslContext)
 .build();
HttpComponentsClientHttpRequestFactory requestFactory =
 new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(client);
RestTemplate restTemplate = new RestTemplate(requestFactory);
return restTemplate;
}

Discussion

pic
Editor guide
Collapse
abhishekhsoni profile image
abhishekhsoni

HI,

This is working fine when I used @Autowire RestTemplate. However, when using oauth2 from spring-security, the rest template is not picking up the certificate configured in the configuration class. Because of this unavailability of the certificate, I am unable to exchange tokens from the authorization server which is outside my network. COuld you please help me to resolve it?

Collapse
united_madrid profile image
sayal adhikari

you are my savior sir. I just figured out my silly mistake and my problem is gone. Cheers