In an Android application I need to make a POST request to the server.

A piece of code from the server application:

    @RequestMapping(value = "/passwordRecovery", method = RequestMethod.POST)
    @ResponseBody
    public BackendData passwordRecovery(HttpServletRequest request,
                                        @RequestParam(value = "email", required = false) String email) {
        ...
    }

Android application:

    public interface APIService {
        @GET("mobile")
        Call<String> getIdUser(@QueryMap Map<String, String> map);

        @GET("mobile")
        Call<List<CameraSmallDTO>> getCamList(@QueryMap Map<String, String> map);

        @FormUrlEncoded
        @POST("http://192.168.1.243:8080/backend/passwordRecovery")
        Call<BackendData> passwordRecovery(@Field("email") String email);
    }

    public class APIServiceImpl {
        public static final String API_BASE_URL = "http://192.168.1.243/";
        private static OkHttpClient.Builder httpClient = new OkHttpClient.Builder();
        private static Retrofit.Builder builder = new Retrofit.Builder()
                .baseUrl(API_BASE_URL)
                .addConverterFactory(JacksonConverterFactory.create());

        public static <S> S createService(Class<S> serviceClass) {
            Retrofit retrofit = builder.client(httpClient.build()).build();
            return retrofit.create(serviceClass);
        }

        private APIServiceImpl() {}
    }

    public void passRecovery(View view) {
        APIService apiService = APIServiceImpl.createService(APIService.class);
        Call<BackendData> call = apiService.passwordRecovery(loginEditText.getText().toString());
        try {
            backendData = new PassRec().execute(call).get();
        } catch (Exception e) {
            Logger.printStackTrace(e);
        }
        // response.body() is null for a non-2xx reply (such as a 403),
        // so guard against it before calling isSuccess()
        if (backendData != null && backendData.isSuccess()) {
            Toast toast = Toast.makeText(getApplicationContext(),
                    "An email has been sent to you", Toast.LENGTH_LONG);
            toast.show();
            Intent intent = new Intent(getApplicationContext(), LoginActivity.class);
            startActivity(intent);
        }
    }

    private class PassRec extends AsyncTask<Call, Void, BackendData> {
        @Override
        protected BackendData doInBackground(Call... params) {
            try {
                Call<BackendData> call = params[0];
                Response<BackendData> response = call.execute();
                return response.body();
            } catch (IOException e) {
                Logger.printStackTrace(e);
                return BackendData.error("error");
            }
        }
    }

As a result, the request returns the following response:

 Response{protocol=http/1.1, code=403, message=Forbidden, url=http://192.168.1.243:8080/backend/passwordRecovery} 

In the Spring configuration on the server CSRF is enabled, and I do not want to disable it. How do I deal with this token?

    1 answer

    If I understand the question correctly, an unauthenticated user is trying to send a POST request here. Disable CSRF for that specific request:

     http
         .csrf()
             .ignoringAntMatchers("/passwordRecovery/**")
             .and()
         ...
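For context, here is a complete Spring Security Java configuration built around the answer's `ignoringAntMatchers` call. This is an added example, not code from the question, the answer or the project: the class name `SecurityConfig` and the `.anyRequest().authenticated()` policy are assumptions, and the matcher is written against `/passwordRecovery` on the assumption that `/backend` in the client's URL is the servlet context path, which Spring Security's matchers do not see. The exemption is kept as narrow as the endpoint itself (exact path rather than `/**`), and the same path is also opened in `authorizeRequests()`, because an anonymous POST that passes the CSRF filter would otherwise still be rejected by authorization.

```java
// Added example (not from the question, the answer or the project): Spring
// Security configuration that leaves CSRF protection on for the whole
// application and exempts only the unauthenticated password-recovery endpoint.
// Class name and the catch-all authorization rule are assumptions.
package com.example.backend.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Path as seen by Spring Security: relative to the context path, so
    // /backend/passwordRecovery on the wire is /passwordRecovery here (assumed).
    private static final String PASSWORD_RECOVERY = "/passwordRecovery";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection stays enabled for every other request. The recovery
            // endpoint is exempted because it does not act on a logged-in session:
            // a cross-site forged POST to it gains the attacker nothing that a
            // direct request from their own machine would not.
            .csrf()
                .ignoringAntMatchers(PASSWORD_RECOVERY)
                .and()
            // The same endpoint must be reachable anonymously, otherwise the
            // request passes CsrfFilter and is then refused by authorization.
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, PASSWORD_RECOVERY).permitAll()
                .anyRequest().authenticated();
    }
}
```

If you would rather keep the token enforced on this endpoint too, the standard alternative is `http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())` on the server and having the Android client read the `XSRF-TOKEN` cookie from a prior response and send it back in an `X-XSRF-TOKEN` header; that only makes sense once the app actually keeps a cookie session with the backend, which the Retrofit client above does not do.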