{"id":23080682,"url":"https://github.com/chen0040/spring-security-csrf-android-demo","last_synced_at":"2025-08-15T22:31:17.024Z","repository":{"id":48242329,"uuid":"97670714","full_name":"chen0040/spring-security-csrf-android-demo","owner":"chen0040","description":"Demo on how to communicate android with spring security and CSRF enabled","archived":false,"fork":false,"pushed_at":"2017-12-10T08:10:29.000Z","size":842,"stargazers_count":6,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-02-26T11:02:55.708Z","etag":null,"topics":["android","java-client","spring-security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chen0040.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-07-19T03:53:54.000Z","updated_at":"2021-04-22T13:59:57.000Z","dependencies_parsed_at":"2022-08-24T20:51:10.417Z","dependency_job_id":null,"html_url":"https://github.com/chen0040/spring-security-csrf-android-demo","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chen0040%2Fspring-security-csrf-android-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chen0040%2Fspring-security-csrf-android-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chen0040%2Fspring-security-csrf-android-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chen0040%2Fspring-security-csrf-android-demo/manifests","owner_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/owners/chen0040","download_url":"https://codeload.github.com/chen0040/spring-security-csrf-android-demo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229964387,"owners_count":18152034,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","java-client","spring-security"],"created_at":"2024-12-16T13:16:02.710Z","updated_at":"2024-12-16T13:16:03.381Z","avatar_url":"https://github.com/chen0040.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# spring-security-csrf-android-demo\n\nThis project contains demo code showing how an Android project can communicate with a Spring Boot application that has Spring Security and CSRF enabled.\n\n# Features\n\n* Simple Spring Boot web application with Spring Security and CSRF enabled\n* Java client to authenticate and communicate with the Spring Boot web application\n* Android client to authenticate and communicate with the Spring Boot web application\n\n# Spring Security\n\n### spring-boot-application with spring security and CSRF enabled\n\nTo use this project, create a database named spring_boot_slingshot in your MySQL server (make sure it is running at localhost:3306)\n\n```sql\nCREATE DATABASE spring_boot_slingshot CHARACTER SET utf8 COLLATE utf8_unicode_ci;\n```\n\nNote that the default MySQL username and password are configured as\n\n* username: root\n* password: chen0469\n\nIf your MySQL or MariaDB does not use this configuration, please change the settings in 
src/resources/config/application-default.properties\n\nIn the Spring Security configuration, CSRF is enabled. The configuration in the spring-boot-application is as follows:\n\n```java\nhttp\n.authorizeRequests()\n.antMatchers(\"/js/client/**\").hasAnyRole(\"USER\", \"ADMIN\")\n.antMatchers(\"/js/admin/**\").hasAnyRole(\"ADMIN\")\n.antMatchers(\"/admin/**\").hasAnyRole(\"ADMIN\")\n.antMatchers(\"/erp/login-api-json\").permitAll()\n.antMatchers(\"/html/**\").hasAnyRole(\"USER\", \"ADMIN\")\n.antMatchers(\"/js/commons/**\").permitAll()\n.antMatchers(\"/css/**\").permitAll()\n.antMatchers(\"/jslib/**\").permitAll()\n.antMatchers(\"/webjars/**\").permitAll()\n.antMatchers(\"/bundle/**\").permitAll()\n.antMatchers(\"/locales\").permitAll()\n.antMatchers(\"/locales/**\").permitAll()\n.anyRequest().authenticated()\n.and()\n.formLogin()\n.loginPage(\"/login\")\n.defaultSuccessUrl(\"/home\")\n.successHandler(authenticationSuccessHandler)\n.permitAll()\n.and()\n.logout()\n.permitAll()\n.and()\n.csrf()\n.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());\n```\n\nThis configuration can be found in com.github.chen0040.bootslingshot.configs.WebSecurityConfig\n\n### principle behind restful login to spring-boot-application\n\nThe web login API can be found in com.github.chen0040.bootslingshot.controllers.WebApiController. 
It consists of GET and POST APIs for the same URL \"/erp/login-api-json\".\n\nAny client that wants to authenticate with Spring Security in the spring-boot-application can first call\n\nGET: http://localhost:8080/erp/login-api-json\n\nThis returns a JSON object containing a valid CSRF token YOUR_CSRF_TOKEN. The same client can then post to the same URL:\n\nPOST: http://localhost:8080/erp/login-api-json\n\nwith the following headers:\n\n* _csrf: YOUR_CSRF_TOKEN\n* Cookie: XSRF-TOKEN=YOUR_CSRF_TOKEN\n* X-XSRF-TOKEN: YOUR_CSRF_TOKEN\n\nIf login is successful, the response JSON object has authenticated set to true.\nBy examining the Set-Cookie header of the POST response, you should be able to extract the JSESSIONID=YOUR_SESSION_ID.\n\nAfter a successful login, you can access the APIs protected by Spring Security by adding the following headers:\n\n* _csrf: YOUR_CSRF_TOKEN\n* Cookie: XSRF-TOKEN=YOUR_CSRF_TOKEN;JSESSIONID=YOUR_SESSION_ID\n* X-XSRF-TOKEN: YOUR_CSRF_TOKEN\n\n\n# Usage\n\n### Spring Server\n\nRun \"./make.ps1\" (Windows environment) or \"./make.sh\" (Unix environment). 
This compiles the project and stores the built jars in the \"bin\" folder.\n\n* spring-boot-application: the Spring Boot application that has the CSRF-enabled Spring Security configuration\n\n```bash\njava -jar bin/spring-boot-application.jar\n```\n\nThis will start the spring-boot-application at http://localhost:8080\n\nYou can authenticate to the application using either of the accounts below:\n\nADMIN:\n\n* username: admin\n* password: admin\n\nDEMO:\n\n* username: demo\n* password: demo\n\nIn the following instructions, http://localhost:8080/users/get-account is a URL that requires authentication.\n\n### Java Client\n\nThe following is an excerpt from the spring-boot-java-client unit test showing how to log in to the spring-boot-application:\n\n```java\nSpringBootClient client = new SpringBootClient();\nSpringIdentity identity = client.login(\"http://localhost:8080/erp/login-api-json\", \"admin\", \"admin\");\n\nSystem.out.println(JSON.toJSONString(identity, SerializerFeature.PrettyFormat));\nSystem.out.println(client.getSecured(\"http://localhost:8080/users/get-account\"));\n```\n\n### Android Client\n\nThe following is an excerpt from the spring-boot-android-client unit test showing how to log in to the spring-boot-application:\n\n```java\nSpringBootClient client = new SpringBootClient();\n\nSpringIdentity identity = client.login(\"http://localhost:8080/erp/login-api-json\", \"admin\", \"admin\");\n\nSystem.out.println(JSON.toJSONString(identity, SerializerFeature.PrettyFormat));\nSystem.out.println(client.getSecured(\"http://localhost:8080/users/get-account\"));\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchen0040%2Fspring-security-csrf-android-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchen0040%2Fspring-security-csrf-android-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchen0040%2Fspring-security-csrf-android-demo/lists"}