
Spring security 3.2.0 RC1 csrf with multipart/form-data

I've been playing with the new csrf functionality in Spring Security 3.2.0.RC1, and noticed that it doesn't seem to work with enctype="multipart/form-data" forms.

I have a simple Spring form:

<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
...
<form:form action="${pageContext.request.contextPath}/model/create" modelAttribute="myForm" enctype="multipart/form-data">

and the hidden csrf input is being rendered as expected:

<input type="hidden" value="..." name="_csrf">

but the request fails the csrf check (it works fine if I remove enctype="multipart/form-data"). The only way I've found around this is to append "?_csrf=..." to my action url, which is ugly as the token then appears in the address bar on redirect. Has anyone experienced the same/found a nice solution?

Currently the CSRF protection requires/reads a request parameter; however, because of your different type of form, the form content isn't available as request parameters. If you add it to the URL it will be available as a request parameter.

Inside the DispatcherServlet there is multipart detection, and such a request is wrapped in an implementation of a MultipartHttpServletRequest, which decodes the multipart request and makes the content available as request parameters.

However, the Spring Security filters execute before that. Until there is a final solution you can configure the MultipartFilter and execute it before the Spring Security filter chain. That basically pulls the wrapping and decoding in front of the DispatcherServlet. One thing to remember here is that you need to also put it before the Spring Security filter.

Example configuration and additional solutions can be found in the Spring Security reference guide.
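An added example (not from the question or the answer above) of the filter ordering the answer describes, using Spring Security's Java configuration: the initializer inserts MultipartFilter in front of springSecurityFilterChain, so the multipart body is decoded and the _csrf part is visible as a request parameter when CsrfFilter runs. The class names, the 1 MiB limit and the use of CommonsMultipartResolver (which needs commons-fileupload on the classpath) are assumptions.

```java
import javax.servlet.ServletContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import org.springframework.web.multipart.support.MultipartFilter;

// Hypothetical initializer: registers springSecurityFilterChain and, in front of it,
// a MultipartFilter so that the multipart body is decoded before the CSRF check runs.
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {

    public SecurityInitializer() {
        // Builds the root context from RootSecurityConfig (assumed class below).
        // Use the no-arg constructor instead if another initializer already creates it.
        super(RootSecurityConfig.class);
    }

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        // insertFilters() places the given filters before springSecurityFilterChain,
        // which is the ordering requirement the answer points out.
        insertFilters(servletContext, new MultipartFilter());
    }
}

@Configuration
@EnableWebSecurity // CSRF protection is on by default in Java config
class RootSecurityConfig extends WebSecurityConfigurerAdapter {

    // MultipartFilter looks up a MultipartResolver bean named "filterMultipartResolver"
    // in the root context; if none exists it falls back to StandardServletMultipartResolver,
    // which requires Servlet 3.0 multipart config on the DispatcherServlet registration.
    @Bean(name = "filterMultipartResolver")
    public MultipartResolver filterMultipartResolver() {
        CommonsMultipartResolver resolver = new CommonsMultipartResolver();
        // The filter now runs before authentication and authorization, so any client can
        // make the server parse (and temporarily store) an upload; bound the size.
        resolver.setMaxUploadSize(1024 * 1024); // 1 MiB, assumed limit
        return resolver;
    }
}
```

With XML configuration the equivalent is a `<filter>` entry for org.springframework.web.multipart.support.MultipartFilter in web.xml mapped ahead of springSecurityFilterChain, with the resolver bean declared in the root context under the same name.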
