Spring Security 3.2 CSRF support for multipart requests

Question

We have been using Spring Security with our application for a few years now. Last week we upgraded Spring Security from version 3.1.4 to 3.2.0. The upgrade went fine and w

Answer 1

Find most answer is answered server years ago.

If you need

Passing CSRF tokens with RestTemplate

This blog is quite enlightening https://cloudnative.tips/passing-csrf-tokens-with-resttemplate-736b336a6cf6

In Spring Security 5.0.7.RELEASE

https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-multipart

There are two options to using CSRF protection with multipart/form-data. Each option has its tradeoffs.

-Placing MultipartFilter before Spring Security
-Include CSRF token in action

For short, the first option is safer, the latter is easier.

Specifying the MultipartFilter before the Spring Security filter means that there is no authorization for invoking the MultipartFilter which means anyone can place temporary files on your server. However, only authorized users will be able to submit a File that is processed by your application. In general, this is the recommended approach because the temporary file upload should have a negligible impact on most servers.

To ensure MultipartFilter is specified before the Spring Security filter with java configuration, users can override beforeSpringSecurityFilterChain as shown below:

public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

  @Override
  protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
      insertFilters(servletContext, new MultipartFilter());
  }
}

To ensure MultipartFilter is specified before the Spring Security filter with XML configuration, users can ensure the element of the MultipartFilter is placed before the springSecurityFilterChain within the web.xml as shown below:

  MultipartFilter
  org.springframework.web.multipart.support.MultipartFilter


  springSecurityFilterChain
  org.springframework.web.filter.DelegatingFilterProxy


  MultipartFilter
  /*


  springSecurityFilterChain
  /*

Another option

If allowing unauthorized users to upload temporary files is not acceptable, an alternative is to place the MultipartFilter after the Spring Security filter and include the CSRF as a query parameter in the action attribute of the form. An example with a jsp is shown below

The disadvantage to this approach is that query parameters can be leaked. More genearlly, it is considered best practice to place sensitive data within the body or headers to ensure it is not leaked.