How to enable Spring Security POST redirect after log in with CSRF?

Question

I'm using Spring Security 3.2 with CSRF. My configuration includes this:

  <csrf />
  <form-login default-target-url="/defaultPage"/>

When the user does a POST form submit (with a CSRF token) that requires authentication, he is redirected to the log in page. Afterwards, instead of submitting the request, the user is redirected to the defaultPage by Spring Security.

I suspect the issue is that the CSRF token gets reset during log in.

How can I get such a POST redirect after log in working?

Update : I tried to create a custom SavedRequestAwareAuthenticationSuccessHandler to redirect to the original POST request. However, I saw that the original request wasn't even being saved in the requestCache .

Answer 1

It seems that when CSRF protection is enabled, Spring Security only puts your original request in the requestCache if the request used the GET method. In order to have it cache POST requests as well, I created a custom requestCache .

I'm not 100% convinced that doing so doesn't weaken the CSRF protection somehow, but it seems safe in my mind.

Add request cache bean to the XML configuration:

<bean id="requestCache" class="a.b.c.AlwaysSaveRequestCache" />

<http>
   <csrf />
   <request-cache ref="requestCache" />
</http>

Implement the custom request cache, by extending and borrowing code from HttpSessionRequestCache :

public class AlwaysSaveRequestCache extends HttpSessionRequestCache
{
   @Override
   public void saveRequest(HttpServletRequest request, HttpServletResponse response)
   {
      final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";
      DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, new PortResolverImpl());
      request.getSession().setAttribute(SAVED_REQUEST, savedRequest);
      logger.debug("DefaultSavedRequest added to Session: " + savedRequest);
   }
}

Your POST requests should now be cached and re-sent after being interrupted by the login form.

Answer 2

It is quite simple.Don't pass CSRF token in the form of hidden it wont work pass the CSRF token directly as query params to the URL like below

<c:url value="/jobseeker/resume/uploadJobSeekerResume1?${_csrf.parameterName}=${_csrf.token}" var="uploadResumeURL"/>
 <form:form action="${uploadResumeURL}" method="post" enctype="multipart/form-data">
                            <input id="file" name="file" type="file" />
                            <div class="modal-footer">
                            <button type="submit"  class="btn btn-success" >
                                <span class="glyphicon glyphicon-ok-sign"></span>&nbsp;Save
                            </button>

                        </div>
                        </form:form>

Answer 3

It's because HttpSessionRequestCache and DefaultSavedRequest are not designed to work with "multipart/form-data". Multipart request is treated as regular request and all form data is lost. The request restored from SavedRequest will contain only the URL and method.

Answer 4

我可能听不懂......但你不能从你的配置中删除default-target-url吗？