Spring CSRF token does not work, when the request to be sent is a multipart request
If you are using @annotations, and the jsp view like this:
<form:form id="profileForm" action="profile?id=${param.id}" method="POST" modelAttribute="appUser" enctype="multipart/form-data" > ... <input type="file" name="file"> ... <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" /> </form:form>this may help:
AppConfig.java :
@EnableWebMvc@Configuration@Import({ SecurityConfig.class })public class AppConfig { @Bean(name = "filterMultipartResolver") public CommonsMultipartResolver filterMultipartResolver() { CommonsMultipartResolver filterMultipartResolver = new CommonsMultipartResolver(); filterMultipartResolver.setDefaultEncoding("utf-8"); // resolver.setMaxUploadSize(512000); return filterMultipartResolver;}...The SecurityConfig.java extends WebSecurityConfigurerAdapter and is the configuration for SpringSecurity
The multipart/form-data filter (MultipartFilter) needs to be registered before the SecurityConfig that enables the CSRF. You can do it with this:
SecurityInitializer.java:
public class SecurityInitializer extendsAbstractSecurityWebApplicationInitializer {@Overrideprotected void beforeSpringSecurityFilterChain(ServletContext servletContext) { super.beforeSpringSecurityFilterChain(servletContext); // CSRF for multipart form data filter: FilterRegistration.Dynamic springMultipartFilter; springMultipartFilter = servletContext.addFilter( "springMultipartFilter", new MultipartFilter()); springMultipartFilter.addMappingForUrlPatterns(null, false, "/*");}}
In this case, since it is a multipart request in which the CSRF token is unavailable to Spring security unless MultipartFilter along with MultipartResolver is properly configured so that the multipart request can be processed by Spring.
MulipartResolver in the applicationContext.xml file has to be registered as follows
<bean id="filterMultipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver"> <property name="maxUploadSize" value="-1" /></bean> The attribute value -1 of maxUploadSize puts no limit on the uploaded file size. This value may vary depending upon the requirements. In case of multiple files, the file size is the size of all uploaded files.
Also,
<servlet-name>/*</servlet-name> of <filter-mapping> of MultipartFilter needs to be changed to
<url-pattern>/*</url-pattern>This is a bug in the documentation.
This will work just fine, in case, it is Spring MVC alone.
but if it is an integration of Spring and Struts(2), it incurs another problem in the associated Struts action class. The information of the uploaded file will be null in the associated Struts action class(es).
To solve this particular issue, see this answer to customize a multipart request.
I solved this problem by:
- sending the multi-part file using vanilla javascript, like in Mozilla's guide
- adding the _csrf token in the HTML header, in meta tags, like in the Spring guideline for sending the CSRF token with Ajax
instead of using jquery, adding it directly to the XHR object
var csrfToken = $("meta[name='_csrf']").attr("content");var csrfHeader = $("meta[name='_csrf_header']").attr("content");XHR.setRequestHeader(csrfHeader, csrfToken);XHR.setRequestHeader('Content-Type','multipart/form-data; boundary=' + boundary);XHR.send(data);