If you are using @annotations, and the jsp view like this:
<form:form id="profileForm" action="profile?id=${param.id}" method="POST"
modelAttribute="appUser" enctype="multipart/form-data" >
...
<input type="file" name="file">
...
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
</form:form>
this may help:
AppConfig.java :
@EnableWebMvc
@Configuration
@Import({ SecurityConfig.class })
public class AppConfig {
@Bean(name = "filterMultipartResolver")
public CommonsMultipartResolver filterMultipartResolver() {
CommonsMultipartResolver filterMultipartResolver = new CommonsMultipartResolver();
filterMultipartResolver.setDefaultEncoding("utf-8");
// resolver.setMaxUploadSize(512000);
return filterMultipartResolver;
}
...
The SecurityConfig.java extends WebSecurityConfigurerAdapter and is the configuration for SpringSecurity
The multipart/form-data filter (MultipartFilter) needs to be registered before the SecurityConfig that enables the CSRF. You can do it with this:
SecurityInitializer.java:
public class SecurityInitializer extends
AbstractSecurityWebApplicationInitializer {
@Override
protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
super.beforeSpringSecurityFilterChain(servletContext);
// CSRF for multipart form data filter:
FilterRegistration.Dynamic springMultipartFilter;
springMultipartFilter = servletContext.addFilter(
"springMultipartFilter", new MultipartFilter());
springMultipartFilter.addMappingForUrlPatterns(null, false, "/*");
}
}