Reputation: 2715
I created a Spring Boot 2 app with 2-way SSL auth.
In short, it boils down to the following config:
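    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Require authentication for every request, using the client certificate (X.509)
            http.authorizeRequests().anyRequest().authenticated()
                .and().x509();
        }
    }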
The app has a keystore/truststore and it works fine with an imported client cert.
Unexpectedly, if I try to connect with an unknown client cert, the connection is not established due to the SSL handshake failure.
However, I would like to reach the application layer even if the cert is not accepted and respond with an HTTP response from the application.
Is there any way to achieve this?
Upvotes: 0
Views: 1214
Reputation: 2715
Answering my own question: I could have used the Spring Boot property

    server.ssl.client-auth: want

instead of

    server.ssl.client-auth: need

The first option still allows connecting to Tomcat even if the cert is not valid or not present. Then the request will be rejected by security filters.
Upvotes: 0
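A sketch of how the application layer can answer such requests itself once `client-auth` is `want`, added here as an example and not code from the question or the answer. The bean names, the CN-to-user mapping and the JSON body are assumptions; any request that reaches Spring Security without an authenticated client certificate gets a 401 with a body instead of a failed handshake.

```java
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.AuthenticationEntryPoint;

// Assumes application.yml sets server.ssl.client-auth: want, so Tomcat
// completes the TLS handshake when the client sends no certificate.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().x509()
                // Principal name is taken from the certificate subject CN.
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(certificateUsers())
            .and().exceptionHandling()
                // Invoked when no certificate-based authentication took place.
                .authenticationEntryPoint(missingCertificateEntryPoint());
    }

    // Hypothetical mapping: every CN from a certificate the truststore accepts
    // becomes ROLE_USER. Replace with a lookup of the CNs you actually allow.
    @Bean
    public UserDetailsService certificateUsers() {
        return cn -> new User(cn, "", AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    // Hypothetical entry point: a 401 with a JSON body (constructed message)
    // instead of the default 403 that x509() answers with.
    @Bean
    public AuthenticationEntryPoint missingCertificateEntryPoint() {
        return (request, response, authException) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"client certificate required\"}");
        };
    }
}
```

With `client-auth: need` this entry point is never reached for such clients, because the connection ends at the handshake before any HTTP request exists.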
Reputation: 1157
If you don’t need a certificate handshake at server side, that means you don’t need SSL. Thus, deactivate it in your configuration file:

    server:
      ssl:
        enabled: false

PS: Exposing your REST webservice in HTTP protocol only is hazardous. Maybe it makes sense to have such a configuration in your development environment.
Upvotes: 2