
Spring Security 3.2, CSRF and multipart requests

This question is in relation to the question at this URL: Spring Security 3.2 CSRF support for multipart requests

I tried this exact same setup as well as the gist, but I cannot get this to work unless I have the _csrf token in the URL. I had it in the form body as a hidden field and had the filter specified before the security filter, but with no joy, and it failed every time with the debug log message of an invalid CSRF token.

Any help on this would be greatly appreciated.

Cheers, Damien

Damien asked Mar 19 '23 19:03


1 Answer

It would have been very hard to find without the gist, but I finally got it!

In fact, it has nothing to do with Spring Security. The real problem was only in the Spring Framework multipart configuration. But because of it, the request appeared to have no parameters at all (neither _csrf nor file), and the first to detect it was CsrfFilter. I removed everything about security, and the error was Requested parameter file absent (or something like it ...)

As detailed in the Spring Framework manual, multipart can be handled in 2 ways:

  • using Apache commons fileupload
  • using servlet 3.0 configuration

    1. You followed the first solution of the related post and configured a CommonsMultipartResolver in mvc-dispatcher-servlet.xml. The first problem is that the MultipartFilter is related to the global ServletContext and looks for its MultipartResolver in the root application context, not in the servlet-specific context.

    The second problem is that you forgot to add a dependency on Apache commons fileupload in your pom.xml.

    So you must first add this dependency in your pom.xml:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.1</version>
    </dependency>
    

    Next, you must remove the filterMultipartResolver bean from mvc-dispatcher-servlet.xml and declare it in the root application context. As a quick and dirty fix, you can add it to spring-security.xml:

    <beans:bean id="filterMultipartResolver"
          class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <beans:property name="maxUploadSize" value="100000000" />
    </beans:bean>
    
    2. An alternative configuration would have been to use the multipart handling of servlet 3.0. No need to depend on Apache commons fileupload, nor to add any bean to the configuration, because MultipartFilter uses a StandardServletMultipartResolver as a default.

    You simply need to add a <multipart-config> element in the declaration of the DispatcherServlet in web.xml:

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <multipart-config>
            <!--location>/tmp</location-->
            <max-file-size>1000000</max-file-size>
        </multipart-config>
    </servlet>
    
Serge Ballesta answered Mar 27 '23 17:03
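
The symptom diagnosed in the answer above (a multipart request reaching CsrfFilter with no visible parameters) can be confirmed without removing the security configuration. The following is an added example, not code from the question, the gist or the answer: a diagnostic filter to map in web.xml after MultipartFilter and before springSecurityFilterChain. The class name is hypothetical, and it assumes the javax.servlet API and the default _csrf parameter name.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.TreeSet;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.multipart.MultipartHttpServletRequest;

// Hypothetical diagnostic filter (not part of Spring). It reports what the
// CSRF check will be able to see on multipart requests, then passes them on.
public class MultipartCsrfDiagnosticFilter extends OncePerRequestFilter {

    // Assumption: the application uses Spring Security's default parameter name.
    private static final String CSRF_PARAM = "_csrf";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String contentType = request.getContentType();
        boolean multipartBody = contentType != null
                && contentType.toLowerCase(Locale.ROOT).startsWith("multipart/");
        if (multipartBody) {
            // Whether MultipartFilter wrapped the request. Wrapping alone does not
            // prove that the body was parsed, so the parameters are checked too.
            boolean wrapped = request instanceof MultipartHttpServletRequest;
            // Log parameter names only; the token value must never reach the logs.
            TreeSet<String> names = new TreeSet<String>(request.getParameterMap().keySet());
            boolean tokenVisible = request.getParameter(CSRF_PARAM) != null;
            logger.debug(request.getMethod() + " " + request.getRequestURI()
                    + ": wrappedByMultipartFilter=" + wrapped
                    + ", parameterNames=" + names
                    + ", csrfParamVisible=" + tokenVisible);
            if (!tokenVisible) {
                // Expected when the token is sent as a header instead of a form field.
                logger.warn("No " + CSRF_PARAM + " parameter visible on multipart request; if the "
                        + "form sends it as a hidden field, check the MultipartResolver setup");
            }
        }
        chain.doFilter(request, response);
    }
}
```

An empty parameterNames set on a form that posts both a file and a hidden _csrf field points at the multipart configuration rather than at the token itself.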