CSRF in Multipart file upload in SpringMVC/Spring application

Question

I am only able to upload files via multipart form submission when CSRF is disabled.

I have read the Spring Security reference documentation (16.5.4 Multipart (file upload)) and I understand that:

1. springMultipartFilter must come before springSecurityFilter in web.xml.
2. CSRF token can be placed in action attribute in the multipart form.

From reading other questions and answers here, I have also decleared the filterMultipartResolver bean in the applicationContext.xml file. I have not tried implementing a custom filter.

Can someone tell me how to achieve this using the first approach? I do not want to place the token in the action attribute value.

Form:

<form:form method="POST" modelAttribute="operatorAccountDetails"  action="operatorAccountPage"  enctype="multipart/form-data">              

<form:label path="logo">Logo:</form:label>
<form:input path="logo" type="file"></form:input>

<button type="submit">Save</button>

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 

</form:form>

WEB.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">

         <filter>
            <filter-name>MultipartFilter</filter-name>
            <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
        </filter>
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>MultipartFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

          <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                   /WEB-INF/spring/application-security-context.xml
                   /WEB-INF/spring/application-dao-context.xml    
                   /WEB-INF/spring/application-messaging-context.xml       
            </param-value>
          </context-param>

          <listener>
            <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
          </listener>
          <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
          </listener>
          <servlet>
            <servlet-name>DispatcherServlet</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
              <param-name>contextConfigLocation</param-name>
              <param-value>/WEB-INF/spring/application-context.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
          </servlet>

          <servlet-mapping>
            <servlet-name>DispatcherServlet</servlet-name>
            <url-pattern>/signup</url-pattern>
            <url-pattern>/operatorHome</url-pattern>
            <url-pattern>/home</url-pattern>
            <url-pattern>/login</url-pattern>
            <url-pattern>/</url-pattern>
          </servlet-mapping>
</web-app>

applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

    <!-- Enables the Spring MVC @Controller programming model -->

    <annotation-driven />


    <!-- Multipart Resolver Bean -->

    <beans:bean id="filterMultipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <beans:property name="maxUploadSize" value="-1" />
    </beans:bean>


    <!--JDBC/Hibernate -->

    <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
        <beans:property name="url" value="jdbc:mysql://localhost:3306/flyover" />
        <beans:property name="username" value="root" />
        <beans:property name="password" value="password" />
    </beans:bean>

    <beans:bean id="sessionFactory" class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
        <beans:property name="dataSource" ref="dataSource" />
        <beans:property name="configLocation">
            <beans:value>classpath:hibernate.cfg.xml</beans:value>
        </beans:property>
        <beans:property name="annotatedClasses">
        <beans:list>
            <beans:value>com.mvc.domain.User</beans:value>
            <beans:value>com.mvc.domain.OperatorAccountDetails</beans:value>
        </beans:list>
    </beans:property>
    </beans:bean>

    <beans:bean id="txManager"  
          class="org.springframework.orm.hibernate4.HibernateTransactionManager">  
          <beans:property name="sessionFactory" ref="sessionFactory" />  
    </beans:bean>  


    <!-- DAO and Service Beans -->
     <beans:bean id="userDAOImpl" class="com.mvc.dao.UserDAOImpl" />  
     <beans:bean id="userServiceImpl" class="com.mvc.service.UserServiceImpl" />  
     <beans:bean id="operatorAccountDetailsDAOImpl" class="com.mvc.dao.OperatorAccountDetailsDAOImpl" />  
     <beans:bean id="operatorAccountDetailsServiceImpl" class="com.mvc.service.OperatorAccountDetailsServiceImpl"></beans:bean>



    <!-- Java Mail Bean -->
    <beans:bean id="messageSource"
        class="org.springframework.context.support.ResourceBundleMessageSource">
            <beans:property name="basename" value="validation" />
    </beans:bean>


    <beans:bean id="mailSender" class="org.springframework.mail.javamail.JavaMailSenderImpl">
        <!-- SMTP settings -->
        <beans:property name="host" value="smtp.gmail.com" />
        <beans:property name="port" value="587" />
        <beans:property name="username" value="anything@gmail.com" />
        <beans:property name="password" value="password" />
         <beans:property name="javaMailProperties">
         <!-- additional properties specific to JavaMail -->
            <beans:props>
            <beans:prop key="mail.smtp.auth">true</beans:prop>
                <beans:prop key="mail.smtp.starttls.enable">true</beans:prop>
            </beans:props>
        </beans:property>
    </beans:bean>


   <!-- Sign Up Validator Bean -->

    <beans:bean id="signUpValidator" class="com.mvc.domain.SignUpValidator" />

    <!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
    <resources mapping="/resources/**" location="/resources/" />

    <!-- Velocity Engine Bean -->

        <beans:bean id="velocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean">
            <beans:property name="velocityProperties">
                <beans:value>
                    resource.loader=class
                    class.resource.loader.class=org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
                </beans:value>
            </beans:property>
        </beans:bean>


    <!-- interceptor -->

    <interceptors>
        <beans:bean class="org.springframework.orm.hibernate4.support.OpenSessionInViewInterceptor">
            <beans:property name="sessionFactory" ref="sessionFactory"></beans:property>
        </beans:bean>
    </interceptors>

    <!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
    <beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">

        <beans:property name="prefix" value="/WEB-INF/views/" />
        <beans:property name="suffix" value=".jsp" />

      </beans:bean>

      <context:component-scan base-package="com.mvc" />
    </beans:beans>

applicationContext-secirity.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd     
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

 <debug />

<global-method-security pre-post-annotations="enabled" />



<http  use-expressions="true" >


    <form-login login-page="/login.jsp" login-processing-url="/j_spring_security_check" authentication-success-handler-ref="authSuccessHandler"  authentication-failure-url="/login.jsp" username-parameter="j_username" password-parameter="j_password"/>
    <intercept-url  pattern="/login*" access="permitAll()" />
    <intercept-url pattern="/signup*" access="permitAll()"/>      
    <intercept-url pattern="/resources/home.css*" access="permitAll()"/>
    <intercept-url pattern="/resources/videoplayback*" access="permitAll()"/>
    <intercept-url pattern="/resources/favicon.png*" access="permitAll()"/>
    <intercept-url pattern="/resources/favicon.ico*" access="permitAll()"/>
    <intercept-url pattern="/resources/location.js*" access="permitAll()"/>     
    <intercept-url pattern="/https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css*" access="permitAll()"/>
    <intercept-url pattern="/https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css*" access="permitAll()"/>
    <intercept-url pattern="/https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js*" access="permitAll()"/>
    <intercept-url pattern="/https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js*" access="permitAll()"/>             
    <intercept-url pattern="https://maps.googleapis.com/maps/api/js?key=AIzaSyACY5fyNmueCqOtNWF1NwaLD9NdY7ZGohM" access="permitAll()"/>   
    <intercept-url  pattern="/**" access="isAuthenticated()" />   
    <logout logout-url="/j_spring_security_logout"  delete-cookies="JSESSIONID" invalidate-session="true" />    


</http>


    <beans:bean id="authSuccessHandler" class="com.mvc.controllers.AuthSuccessHandler"></beans:bean>

    <beans:bean id="securityDataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
        <beans:property name="url" value="jdbc:mysql://localhost:3306/flyover" />
        <beans:property name="username" value="root" />
        <beans:property name="password" value="password" />
    </beans:bean>

    <beans:bean id="myJdbcDaoImplUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <beans:property name="dataSource" ref="securityDataSource" />
    </beans:bean>

    <authentication-manager>

        <authentication-provider user-service-ref="myJdbcDaoImplUserDetailsService" />
        <authentication-provider>
            <jdbc-user-service data-source-ref="securityDataSource" />
        </authentication-provider>

    </authentication-manager>


</beans:beans>

Can someone tell me what is missing? All other forms that are non-multipart forms work with CSRF. The multipart form itself works when I disable CSRF.

Thanks.