
Spring Security | CSRF metatags not working for internet explorer

I am using Spring Security version 3.2.2 in my application. To protect against CSRF attacks in my application, I have used the Spring Security CSRF meta tags.

Here below is my code:

Security.xml

In security xml I have added below tag.

<csrf/>

There are two jsps. container.jsp and changepassword.jsp

In container.jsp I added CSRF tags as below:

    <head>
        <sec:csrfMetaTags />
    </head>

Also I added changepassword.jsp in container.jsp.

    <jsp:include page="/path/changepassword.jsp" flush="true" />

So I am hoping the CSRF meta tags added in container.jsp should also be applied to changepassword.jsp, as container.jsp is the parent page.

And changepassword.jsp is created only to be included in other pages, so it does not contain any head tag.

The above code is working fine with Chrome and Mozilla, but for Internet Explorer (version 11) it is not working and is throwing the error below:

exception 
java.lang.IllegalStateException: Parameters processing failed.
    org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407)
    org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:229)
    org.apache.catalina.connector.Request.parseParameters(Request.java:2874)
    org.apache.catalina.connector.Request.getParameter(Request.java:1291)
    org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:363)
    javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:180)
    javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:180)
    org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:91)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:

I do not understand whether this is a known issue on the Internet Explorer side, or do I need some different configuration for Internet Explorer? Please assist. Thanks in advance.

Google seems to indicate this is an error in Wildfly / JBoss. It may be triggered by the fact that one of your HTTP parameters is included twice in the request or has an empty string value.

The exact error is unlikely to be caused by Spring Security since it is simply trying to access the HTTP parameters. However, it is possible that improper setup of Spring Security is causing the Wildfly / JBoss error to occur. If this doesn't help, you might post the HTTP request (including all the parameters) that is submitted to your application server and the application server name and version you are using.
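A small check for the two conditions the answer names, as an added example that is not part of the original thread: it inspects a captured form POST for repeated or empty parameters and reports where the CSRF token travels. The names `_csrf` and `X-CSRF-TOKEN` are assumed to be the Spring Security defaults; `auditRequest`, `splitPairs` and the sample request are constructed for illustration.

```javascript
// Added diagnostic, not code from the original post.
// Assumption: Spring Security default names for the CSRF token.
const CSRF_PARAM = "_csrf";
const CSRF_HEADER = "x-csrf-token";

// Split a raw application/x-www-form-urlencoded body into [name, value]
// pairs without decoding, so the report reflects the bytes the server parses.
function splitPairs(rawBody) {
  return rawBody
    .split("&")
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const i = pair.indexOf("=");
      return i < 0 ? [pair, ""] : [pair.slice(0, i), pair.slice(i + 1)];
    });
}

// headers: object mapping request header names to values.
// rawBody: the captured POST body as a string.
function auditRequest(headers, rawBody) {
  const counts = new Map();
  const empty = [];
  for (const [name, value] of splitPairs(rawBody)) {
    counts.set(name, (counts.get(name) || 0) + 1);
    if (value === "" && !empty.includes(name)) empty.push(name);
  }
  // Parameters that appear more than once in the body.
  const duplicated = [...counts].filter(([, n]) => n > 1).map(([name]) => name);
  // Header names are case-insensitive, so compare in lower case.
  const tokenInHeader = Object.keys(headers).some(
    (h) => h.toLowerCase() === CSRF_HEADER && headers[h] !== ""
  );
  const tokenInBody = counts.has(CSRF_PARAM);
  return { duplicated, empty, tokenInHeader, tokenInBody };
}

// Constructed sample: a change-password POST with a repeated token
// parameter and one empty field. Token values are placeholders.
const sampleHeaders = { "Content-Type": "application/x-www-form-urlencoded" };
const sampleBody = "oldPassword=a%20b&newPassword=&_csrf=TOKEN1&_csrf=TOKEN2";

console.log(auditRequest(sampleHeaders, sampleBody));
```

Run it against the request body and headers copied from the browser's network tab in each browser and compare the reports.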
