4

This question is in relation to the question at this URL: Spring Security 3.2 CSRF support for multipart requests

I tried this exact same setup as well as the gist, but I cannot get this to work unless I have the _csrf token in the URL. I had it in the form body as a hidden field and had the filter specified before the security filter, but with no joy, and it failed every time with the debug log message of an invalid CSRF token.

Any help on this would be greatly appreciated.

Cheers, Damien

Damien
  • It could come either from your environment or from a slight difference in config. To help narrow down the problem, can you run the project from the gist with no errors? – Serge Ballesta Aug 10 '14 at 16:33
  • I just created a new sample project based on a sample from Mkyong.com and followed the gist. Unfortunately, it is still not functioning for me. I have created a gist of all the relevant files and that is located here https://gist.github.com/damogallagher/26935a84b607df3ec46b – Damien Aug 12 '14 at 10:39

1 Answer

7

It would have been very hard to find without the gist, but I finally got it!

In fact it has nothing to do with Spring Security. The real problem was only in the Spring Framework multipart configuration. But because of it, the request appeared to have no parameter at all (neither _csrf, nor file) and the first to detect it was CsrfFilter. I removed everything about security, and the error was Requested parameter file absent (or something like it ...)

As detailed in Spring Framework manual, multipart can be handled in 2 ways:

  • using Apache commons fileupload
  • using servlet 3.0 configuration

    1. You followed the first solution of the related post and configured a CommonsMultipartResolver in mvc-dispatcher-servlet.xml. The first problem is that the MultipartFilter is related to the global ServletContext and looks for its MultipartResolver in the root application context, not in the servlet-specific context.

    The second problem is that you forgot to add a dependency on Apache commons fileupload in your pom.xml.

    So you must first add this dependency in your pom.xml:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.1</version>
    </dependency>
    

    Next you must remove the filterMultipartResolver bean from mvc-dispatcher-servlet.xml and declare it in the root application context. As a quick and dirty fix, you can add it into spring-security.xml:

    <beans:bean id="filterMultipartResolver"
          class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <beans:property name="maxUploadSize" value="100000000" />
    </beans:bean>
    
    2. An alternative configuration would have been to use the multipart handling of servlet 3.0. No need to depend on Apache commons fileupload, nor to add any bean to the configuration, because MultipartFilter uses a StandardServletMultipartResolver as a default.

    You simply need to add a <multipart-config> element in the declaration of the DispatcherServlet in web.xml:

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <multipart-config>
            <!--location>/tmp</location-->
            <max-file-size>1000000</max-file-size>
        </multipart-config>
    </servlet>
    
Serge Ballesta
  • Wow - such a simple solution in the end. Many thanks for your help in sorting this – Damien Aug 13 '14 at 20:53
  • How do we extract the MultipartFile[] in the controller? I am using this MultipartRequest multipartRequest = (MultipartRequest) request; but getting java.lang.ClassCastException: org.springframework.security.web.servletapi.HttpServlet3RequestFactory$Servlet3SecurityContextHolderAwareRequestWrapper cannot be cast to org.springframework.web.multipart.MultipartRequest – user1241438 Feb 07 '17 at 02:38