WebClient Timeouts and SSL Configuration are incompatible

[jjoslet]

I followed the Spring Boot and Spring Framework documentations to configure a WebClient with Spring Boot 3.1.1.

I have

• configured the SSL following https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#io.rest-client.webclient.ssl
• configured timeouts following https://docs.spring.io/spring-framework/reference/web/webflux-webclient/client-builder.html#webflux-client-builder-reactor-timeout

These configurations are incompatible since they both set the ClientHttpConnector on the WebClient.Builder; the second configuration overrides the first one.

Here is a small application to reproduce:

@SpringBootApplication(proxyBeanMethods = false)
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}
	
	@Bean
	WebClient webClient(WebClient.Builder builder, WebClientSsl ssl) {
		HttpClient httpClient = HttpClient.create()
			.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 1);
	
		return builder
			.clientConnector(new ReactorClientHttpConnector(httpClient)) // TIMEOUT
			.apply(ssl.fromBundle("demobundle")) // SSL
			.build();
	}
	
	@Bean
	ApplicationRunner runner(WebClient webClient) {
		return new ApplicationRunner() {
			@Override
			public void run(ApplicationArguments args) throws Exception {
				webClient.head()
					.uri("https://www.google.com")
					.exchangeToMono(r -> Mono.just(r.statusCode()))
					.doOnSuccess(System.out::println)
					.block();
			}
		};
	}
}

with the following properties:

spring.ssl.bundle.pem.demobundle.key.password=password
spring.ssl.bundle.pem.demobundle.key.alias=alias

In that situation, a timeout does not occur but if I switch // TIMEOUT with // SSL lines, a timeout will occur but SSL is no more configured.

I didn't find a proper way to configure this without recreating the full SSL configuration in my application.

[ramanpopli]

Is someone working on it . I would like to contribute on this , but I would request if I can get little more overview on this .

[wilkinsona]

Thanks for the offer, @ramanpopli. If you’d like to work on an issue where we provide some guidance, please watch for one labelled as ideal for contribution or, if you haven’t contributed before, first-timers only.

[mhalbritter]

If we would make the org.springframework.boot.autoconfigure.web.reactive.function.client.ReactorClientHttpConnectorFactory.SslConfigurer public API and add a static method to it:

public static HttpClient applyBundle(SslBundle sslBundle, HttpClient httpClient) {
  return new SslConfigurer(sslBundle).configure(httpClient);
}

then we could workaround that problem with:

HttpClient httpClient = HttpClient.create().option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 1);
httpClient = SslConfigurer.applyBundle(sslBundles.getBundle("demobundle"), httpClient); // SSL
WebClient webClient = builder
  .clientConnector(new ReactorClientHttpConnector(httpClient)) // TIMEOUT
  .build();

(SslBundles can be injected, too)

[eloo-abi]

any updates here?

[mhalbritter]

No.

[eloo-abi]

okay..
we have found a workaround/solution maybe
maybe this can be verified if this would be a proper way to configure it?

    @Bean
    ReactorNettyHttpClientMapper reactorNettyHttpClientMapper() {
        return httpClient -> httpClient
            .responseTimeout(webClientProperties.http.responseTimeoutInMs)
            .option(CONNECT_TIMEOUT_MILLIS, (int) webClientProperties.http.connectTimeoutInMs.toMillis());
    }

but i'm not sure if this fits all purposes as this is "globally" then and will also affect nonssl webclients as well

[kzander91]

okay.. we have found a workaround/solution maybe maybe this can be verified if this would be a proper way to configure it?

    @Bean
    ReactorNettyHttpClientMapper reactorNettyHttpClientMapper() {
        return httpClient -> httpClient
            .responseTimeout(webClientProperties.http.responseTimeoutInMs)
            .option(CONNECT_TIMEOUT_MILLIS, (int) webClientProperties.http.connectTimeoutInMs.toMillis());
    }

but i'm not sure if this fits all purposes as this is "globally" then and will also affect nonssl webclients as well

You're right in that this would be global, affecting all auto-configured WebClient.Builders. I'm in a similar situation to OP in that I have a specific WebClient that I want to apply WebClientSsl to and configure it to use a proxy server.

In my application I have several other services I need to call and the corresponding WebClient instances need to be configured without proxy, so a global configuration via ReactorNettyHttpClientMapper doesn't work for me...