Skip to main content

Use Client Certificate Authentication with Java and RestTemplate

As a follow up of the http://gochev.blogspot.com/2019/04/convert-pfx-certificate-to-jks-p12-crt.html we now have a keystore and a truststore (if anyone needs) and we will use this keystore to send client side authentication using Spring's RestTemplate .

 First copy your keystore.jks and truststore.jks in your classpath, no one wants absolute paths right ?:)

 Again a reminder The difference between truststore and keystore if you are not aware is(quote from the JSSE ref guide): 
TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.

 The magic happens in the creation of SSLContext. Keep in mind the Spring Boot have a nice RestTemplateBuilder but I will not gonna use it, because someone of you might have an older version or like me, might just use a plain old amazing Spring.

 If you just want to use the keystore:

 final String allPassword = "123456";
SSLContext sslContext = SSLContextBuilder
                .create()
                .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"),
                                    allPassword.toCharArray(), allPassword.toCharArray())
                .build();

if you just want to use the truststore

final String allPassword = "123456";
SSLContext sslContext = SSLContextBuilder
                .create()
                .loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())
                .build();

I guess you know how to use both ;), if you want to IGNORE the truststore certificate checking and trust ALL certificates (might be handy for testing purposes and localhost)

final String allPassword = "123456";
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = SSLContextBuilder
                .create()
                .loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())
                .loadTrustMaterial(null, acceptingTrustStrategy) //accept all
                .build();


Ones you have the sslContext you simply do :

HttpClient client = HttpClients.custom()
                                .setSSLContext(sslContext)
                                .build();

 HttpComponentsClientHttpRequestFactory requestFactory =
                new HttpComponentsClientHttpRequestFactory();

 requestFactory.setHttpClient(client);

 RestTemplate restTemplate = new RestTemplate(requestFactory);

 return restTemplate;

And Voala, now each time you make a get/post or exchange with your restTemplate you will send the client side certificate.


Full example (the "tests" version) that sends client side certificate and ignores the SSL certificate







private RestTemplate getRestTemplateClientAuthentication()

                throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException,

                KeyStoreException, KeyManagementException {



    final String allPassword = "123456";

    TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

    SSLContext sslContext = SSLContextBuilder

                    .create()

                    .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"),

                                        allPassword.toCharArray(), allPassword.toCharArray())

//.loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())

                    .loadTrustMaterial(null, acceptingTrustStrategy)

                    .build();



    HttpClient client = HttpClients.custom()

                                    .setSSLContext(sslContext)

                                    .build();



    HttpComponentsClientHttpRequestFactory requestFactory =

                    new HttpComponentsClientHttpRequestFactory();



    requestFactory.setHttpClient(client);



    RestTemplate restTemplate = new RestTemplate(requestFactory);



    return restTemplate;

}



Hope this is handy for someone :) Also this should be extremely handy if you integrate BNP Paribas Leasing : ) 












Labels:






































Comments








Post a Comment

















Popular posts from this blog



















Use Multiple JVM versions on Mac OS and Linux




























 Linux   Download multiple Java versions and put them into /opt/ If you already have some JDK from ubuntu repo or etc not a big deal, just fix the paths bellow    Register them as alternatives     sudo update-alternatives --install /usr/bin/java java /opt/java-8-oracle/bin/java 1081    sudo update-alternatives --install /usr/bin/java java /opt/sap-machine-jdk-11.0.3/bin/java 1080     Edit your ~/.bashrc file     alias java11='sudo update-alternatives --set java /opt/sapmachine-jdk-11.0.3/bin/java;export JAVA_HOME=/opt/sapmachine-jdk-11.0.3/'   alias java8='sudo update-alternatives --set java /opt/java-8-oracle/bin/java;export JAVA_HOME=/usr/lib/java-8-oracle/'     SAVE and start a new bash terminal    execute   java8  to use java8    java11  to use java11   the latest version you have set stays as system wide, but the JAVA_HOME is not :( you can put java8 or java11 as a last line in the bashrc but since it is sudo it will always require password when start and is not gr...




















Post a Comment









Read more




























Hibernate Generic DAO.




























When you use Hibernate and DAO pattern it is a good idea to use a Generic Base Dao. The fallowing code snippet contains GenericDAO that is a base class for all my DAO classes. This GenericDAO uses HibernateDaoSupport from Spring for its implementation if you want you can use JpaDaoSupport or JdbcDaoSupport in your projects.   My Generic DAO interface looks like this :       package  org.joke.myproject.dao.base;         import  java.io.Serializable;     import  java.util.List;     /**     * @author  Naiden  Gochev     * @param  <E>     * @param  <PK>     */     public  interface  GenericDao<E,PK  extends  Serializable> {         PK save(E newInstance);         void  update(E transientObject);         void  saveOrUpdate(E transientObject);         void  delete(E persistentObject);         E findById(PK id);         List<E> findAll();         List<E> f...




















10 comments









Read more






























Patching a Maven library with your custom class.




























Sometimes you use a library that has a bug. Or maybe it doesn’t has a bug but you want to change something. Of course if it is an open source you can get the sources… build them … with your change and so on. However this first takes a lot of time and second you need the sources.  What you usually want .. is to just replace one class.. or few classes with something custom… maybe add a line .. or remove a line and so on.  Yesterday… I had an issue with jboss-logging. The version I was using was 3.2.0Beta1 and it turns out that using this version and log4j2 2.0 final basically meant that no log is send to log4j2. The reason was a null pointer exception that was catched in jboss logging class called Log4j2Logger. The bug I submitted is here https://issues.jboss.org/browse/JBLOGGING-107  and it was fixed at the same day. However I will use it as an example since I didn’t knew when this will be fixed.. and I didn’t want to wait till it is fixed.  So I was thinking what I want.. to take the j...




















Post a Comment









Read more