Content Application Developer Manual / Version 2107
Table Of Contents
Spring Security cannot check the CSRF token, when it is provided as (hidden) parameter in multipart forms. See
Spring Security documentation on considerations for CSRF protection for multipart forms.
To solve this for the registration form, the Elastic Social extension for the CAE registers the
MultipartFilter
to run before the Spring Security filter chain to enable CSRF for multipart/form-data
POST requests. Projects that don't use the Elastic Social extension can also register the filter:
package com.coremedia.blueprint.component.cae.csrf; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.Ordered; import org.springframework.web.multipart.support.MultipartFilter; @Configuration(proxyBeanMethods = false) public class CaeCsrfMultipartConfiguration { private static final int ORDER_MULTIPART_FILTER = Ordered.HIGHEST_PRECEDENCE + 247_483_648; // == -1_900_000_000 @Bean public FilterRegistrationBean<MultipartFilter> multipartFilterRegistrationBean() { var registrationBean = new FilterRegistrationBean<>(new MultipartFilter()); registrationBean.setOrder(ORDER_MULTIPART_FILTER); return registrationBean; } }
Example 4.17. Configuring support for CSRF tokens in multipart forms