Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Use Client Certificate Authentication With Java and RestTemplate

DZone 's Guide to

Use Client Certificate Authentication With Java and RestTemplate

Learn more about client certification authentication with Java and Spring's RestTemplate.

· Security Zone ·
Free Resource

As a follow up of the http://gochev.blogspot.com/2019/04/convert-pfx-certificate-to-jks-p12-crt.html, we now have a keystore and a truststore (if anyone needs). And, we will use this keystore to send client-side authentication using Spring's RestTemplate.

First, copy your keystore.jks and truststore.jks in your classpath; no one wants absolute paths, right?

According to the JSSE reference guide from Oracle, the difference between truststore and keystore, in case you are not aware, is:

TrustManager: Determines whether the remote authentication credentials (and thus, the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.

The magic happens in the creation of SSLContext. Keep in mind that Spring Boot has a nice RestTemplateBuilder, but I will not use it because someone might have an older version or, like me, might just use plain, old, amazing Spring.

If you just want to use the keystore:

final String allPassword = "123456";

SSLContext sslContext = SSLContextBuilder

                .create()

                .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"),

                                    allPassword.toCharArray(), allPassword.toCharArray())

                .build();


Or, if you just want to use the truststore:

final String allPassword = "123456";

SSLContext sslContext = SSLContextBuilder

                .create()

                .loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())

                .build();


I guess you know how to use both if you want to IGNORE the truststore certificate checking and trust ALL certificates (might be handy for testing purposes and localhost)

final String allPassword = "123456";

TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

SSLContext sslContext = SSLContextBuilder

                .create()

                .loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())

                .loadTrustMaterial(null, acceptingTrustStrategy) //accept all

                .build();


Once you have the sslContext, you simply:

HttpClient client = HttpClients.custom()

                                .setSSLContext(sslContext)

                                .build();



HttpComponentsClientHttpRequestFactory requestFactory =

                new HttpComponentsClientHttpRequestFactory();



requestFactory.setHttpClient(client);



RestTemplate restTemplate = new RestTemplate(requestFactory);


And voila, now, each time you make a get/post or exchange with your restTemplate, you will send the client-side certificate.

Full example (the "tests" version) that sends the client-side certificate and ignores the SSL certificate

private RestTemplate getRestTemplateClientAuthentication()

                throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException,

                KeyStoreException, KeyManagementException {



    final String allPassword = "123456";

    TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

    SSLContext sslContext = SSLContextBuilder

                    .create()

                    .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"),

                                        allPassword.toCharArray(), allPassword.toCharArray())

//.loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())

                    .loadTrustMaterial(null, acceptingTrustStrategy)

                    .build();



    HttpClient client = HttpClients.custom()

                                    .setSSLContext(sslContext)

                                    .build();



    HttpComponentsClientHttpRequestFactory requestFactory =

                    new HttpComponentsClientHttpRequestFactory();



    requestFactory.setHttpClient(client);



    RestTemplate restTemplate = new RestTemplate(requestFactory);



    return restTemplate;

}


Hope this comes in handy for someone!

Topics:
java ,truststore ,keystore ,tutorial ,security ,authentication ,client side ,client certification ,client certificate authentication

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}