Spring CSRF is not working for me for multipart forms with file upload. It works fine for other requests. My web.xml looks like this -

<filter>
    <filter-name>MultipartFilter</filter-name>
    <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>MultipartFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
...
some more filters
...
<filter>
    <filter-name>csrfFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>csrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I have defined this bean in my appcontext-servlet.xml -

<bean id="filterMultipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <property name="maxUploadSize" value="100000000" />
</bean>

I also have csrfFilter defined. With the filterMultipartResolver bean defined, I get redirected to our default 404 page. Without the bean, I get an error page saying I sent a null token. When I look at the request in Chrome developer tools, it contains the following parts along with the rest of the form (the token has been attached twice because I am using JavaScript to do so, once on page load and probably once while sending). What am I missing?

------WebKitFormBoundaryHMYSQ8eg6FXpxqDA
Content-Disposition: form-data; name="_csrf"

16a983e0-a115-43d9-aa72-09c9576d53df
------WebKitFormBoundaryHMYSQ8eg6FXpxqDA
Content-Disposition: form-data; name="_csrf"

16a983e0-a115-43d9-aa72-09c9576d53df

1 Answer

I don't know if you have already solved this, but I had the same problem you are facing, with similar code. The only difference in mine is:

<filter>
    <display-name>springMultipartFilter</display-name>
    <filter-name>springMultipartFilter</filter-name>
    <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>springMultipartFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>csrfFilter</filter-name>
    <servlet-name>customApplication</servlet-name>
</filter-mapping>
<servlet>
    <servlet-name>customApplication</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>customApplication</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

Additionally, the post described here will also help those who are stuck with the same problem: Spring Security 3.2 CSRF support for multipart requests

raVan
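
An added example, not code from the question or the answer: a Python check that computes the order in which a servlet container invokes the filters mapped in a web.xml, to confirm the MultipartFilter runs before the CSRF filter so the `_csrf` body part has been parsed when the token is checked. It relies on the Servlet specification's rule that url-pattern mappings are applied before servlet-name mappings, each in file order; the two web.xml samples are constructed, the filter and servlet names are taken from the answer, and dispatcher types are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the page); filter/servlet declarations omitted.
# GOOD lists csrfFilter first, but maps it by servlet-name as in the answer.
GOOD = """<web-app>
  <filter-mapping><filter-name>csrfFilter</filter-name>
    <servlet-name>customApplication</servlet-name></filter-mapping>
  <filter-mapping><filter-name>springMultipartFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
# BAD maps both by url-pattern, with csrfFilter declared first.
BAD = """<web-app>
  <filter-mapping><filter-name>csrfFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>springMultipartFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace if present

def _matches(pattern, path):
    if pattern.endswith("/*"):            # path-prefix mapping; "/*" matches all
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):          # extension mapping
        return path.endswith(pattern[1:])
    return pattern == path                # exact mapping

def filter_chain(web_xml, path, servlet_name):
    """Filter names in invocation order for `path` served by `servlet_name`."""
    by_url, by_servlet = [], []
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "filter-mapping":
            continue
        fields = {}
        for child in el:
            fields.setdefault(_local(child.tag), []).append((child.text or "").strip())
        name = fields["filter-name"][0]
        if any(_matches(p, path) for p in fields.get("url-pattern", [])):
            by_url.append(name)
        elif servlet_name in fields.get("servlet-name", []):
            by_servlet.append(name)
    # url-pattern matches run first, then servlet-name matches, each in file order
    return list(dict.fromkeys(by_url + by_servlet))

def multipart_before_csrf(web_xml, path, servlet_name,
                          multipart="springMultipartFilter", csrf="csrfFilter"):
    chain = filter_chain(web_xml, path, servlet_name)
    return multipart in chain and csrf in chain and chain.index(multipart) < chain.index(csrf)
```

For the question's web.xml, pass `multipart="MultipartFilter"`, since that is the filter name used there.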