Spring Security 3.2 CSRF support for multipart requests

by

I was able to resolve this with help from the Spring Security team. I have updated the Gist to reflect a working configuration. I had to follow the steps given below in order to get everything to work as expected.

1. Common Step

Add a MultipartFilter to web.xml as described in the answer by @holmis83, ensuring that it is added before the Spring Security configuration:

<filter>
    <display-name>springMultipartFilter</display-name>
    <filter-name>springMultipartFilter</filter-name>
    <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>springMultipartFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <display-name>springSecurityFilterChain</display-name>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

2.1. Using Apache Commons Multipart Resolver

Ensure that there is an Apache Commons Multipart Resolver bean named filterMultipartResolver in the root Spring application context. I will stress this again, make sure that the Multipart Resolver is declared in the root Spring Context (usually called applicationContext.xml). For example,

web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath*:springWebMultipartContext.xml
    </param-value>
</context-param>

springWebMultipartContext.xml

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="filterMultipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <property name="maxUploadSize" value="100000000" />
    </bean>
</beans>

Make sure that the bean is called filterMultipartResolver as any other bean name is not picked up by MultipartFilter configured in web.xml. My initial configuration was not working because this bean was named multipartResolver. I even tried passing the bean name to MultipartFilter using web.xml init-param but that did not work either.

2.2. Using Tomcat Multipart support

Tomcat 7.0+ has in-built multipart support, but it has to be explicitly enabled. Either change the global Tomcat context.xml file as follows or include a local context.xml file in your WAR file for this support to work without making any other changes to your application.

<Context allowCasualMultipartParsing="true">
    ...
</Context>

After these changes using Apache Commons Multipart Resolver our application is working so far on Tomcat, Jetty and Weblogic.

More Related Contents:

  1. Spring Boot Security CORS
  2. Handle spring security authentication exceptions with @ExceptionHandler
  3. How do I get the Session Object in Spring?
  4. Spring Boot CORS filter – CORS preflight channel did not succeed
  5. Spring Security exclude url patterns in security annotation configurartion
  6. Spring CSRF token does not work, when the request to be sent is a multipart request
  7. Spring Security configuration: HTTP 403 error
  8. Spring + Web MVC: dispatcher-servlet.xml vs. applicationContext.xml (plus shared security)
  9. getting exception: No bean named ‘springSecurityFilterChain’ is defined
  10. Multiple antMatchers in Spring security
  11. An Authentication object was not found in the SecurityContext – Spring 3.2.2
  12. Spring Security 3.2 CSRF disable for specific URLs
  13. With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs
  14. Looking for a Simple Spring security example [closed]
  15. Spring security 4 custom login j_spring_security_check return http 302
  16. Is it possible to invalidate a spring security session?
  17. How to pass an additional parameter with spring security login page
  18. Spring @Transactional not working
  19. Spring Security redirect to previous page after successful login
  20. How can I have list of all users logged in (via spring security) my web application
  21. JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket
  22. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  23. How do I remove the ROLE_ prefix from Spring Security with JavaConfig?
  24. How to get custom user info from OAuth2 authorization server /user endpoint
  25. @Autowired in static classes
  26. How to validate Spring MVC @PathVariable values?
  27. Spring security added prefix “ROLE_” to all roles name?
  28. Why this Spring application with java-based configuration don’t work properly
  29. How to use Spring AbstractRoutingDataSource with dynamic datasources?
  30. Spring MultipartFile validation and conversion

Leave a Comment