Spring CSRF token does not work, when the request to be sent is a multipart request

Question

I use,

• Spring Framework 4.0.0 RELEASE (GA)
• Spring Security 3.2.0 RELEASE (GA)
• Struts 2.3.16

In which, I use an in-built securi

Answer 1

If you are using @annotations, and the jsp view like this:

    
             ...
            
             ...
            
    

this may help:

AppConfig.java :

@EnableWebMvc
@Configuration
@Import({ SecurityConfig.class })
public class AppConfig {

   @Bean(name = "filterMultipartResolver")
   public CommonsMultipartResolver filterMultipartResolver() {
      CommonsMultipartResolver filterMultipartResolver = new CommonsMultipartResolver();
      filterMultipartResolver.setDefaultEncoding("utf-8");
      // resolver.setMaxUploadSize(512000);
      return filterMultipartResolver;
}
...

The SecurityConfig.java extends WebSecurityConfigurerAdapter and is the configuration for SpringSecurity

The multipart/form-data filter (MultipartFilter) needs to be registered before the SecurityConfig that enables the CSRF. You can do it with this:

SecurityInitializer.java:

public class SecurityInitializer extends
AbstractSecurityWebApplicationInitializer {

@Override
protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
   super.beforeSpringSecurityFilterChain(servletContext);

   // CSRF for multipart form data filter:
   FilterRegistration.Dynamic springMultipartFilter;
   springMultipartFilter = servletContext.addFilter(
    "springMultipartFilter", new MultipartFilter());
   springMultipartFilter.addMappingForUrlPatterns(null, false, "/*");

}
}