Content Application Developer Manual / Version 2406.0

CSRF Tokens in Multipart Forms

Spring Security cannot check the CSRF token when it is provided as a (hidden) parameter in a multipart form, because the multipart request body has not yet been parsed when the Spring Security filter chain runs. See the Spring Security documentation on considerations for CSRF protection for multipart forms. To solve this for the registration form, the Elastic Social extension for the CAE registers the MultipartFilter to run before the Spring Security filter chain, which enables CSRF protection for multipart/form-data POST requests. As that documentation notes, the multipart body is then parsed before any authorization check takes place. Projects that don't use the Elastic Social extension can also register the filter:

package com.coremedia.blueprint.component.cae.csrf;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.multipart.support.MultipartFilter;

@Configuration(proxyBeanMethods = false)
public class CaeCsrfMultipartConfiguration {

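  // Must be lower than the order of the Spring Security filter chain, so that
  // the multipart body is parsed before the CSRF token is checked.
  private static final int ORDER_MULTIPART_FILTER =
          Ordered.HIGHEST_PRECEDENCE + 247_483_648; // == -1_900_000_000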

  @Bean
  public FilterRegistrationBean<MultipartFilter> multipartFilterRegistrationBean() {
    var registrationBean = new FilterRegistrationBean<>(new MultipartFilter());
    registrationBean.setOrder(ORDER_MULTIPART_FILTER);
    return registrationBean;
  }
}

Example 4.14. Configuring support for CSRF tokens in multipart forms
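
The registration only has the intended effect while the MultipartFilter's order stays lower than that of the Spring Security filter chain. The following startup check is an added example, not part of the CoreMedia manual or Blueprint code. The package and class names are hypothetical, and it assumes the security filter chain is registered by Spring Boot with the order exposed by SecurityProperties (spring.security.filter.order).

```java
package com.example.cae.csrf; // hypothetical package, not from the manual

import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.multipart.support.MultipartFilter;

@Configuration(proxyBeanMethods = false)
public class MultipartFilterOrderCheck {

  /**
   * Fails application startup if no MultipartFilter is registered, or if it
   * would run at or after the Spring Security filter chain. In either case a
   * CSRF token sent as a hidden field of a multipart form cannot be read.
   */
  @Bean
  SmartInitializingSingleton multipartBeforeSecurityCheck(
          ObjectProvider<FilterRegistrationBean<?>> registrations,
          SecurityProperties securityProperties) {
    return () -> {
      // Assumption: Spring Boot registers the security chain with this order.
      int securityOrder = securityProperties.getFilter().getOrder();

      // Lowest order wins: that registration runs first in the servlet chain.
      int multipartOrder = registrations.stream()
              .filter(r -> r.getFilter() instanceof MultipartFilter)
              .mapToInt(r -> r.getOrder())
              .min()
              .orElseThrow(() -> new IllegalStateException(
                      "No MultipartFilter registered; CSRF tokens in "
                              + "multipart forms cannot be checked"));

      if (multipartOrder >= securityOrder) {
        throw new IllegalStateException(
                "MultipartFilter order " + multipartOrder
                        + " must be lower than Spring Security filter order "
                        + securityOrder);
      }
    };
  }
}
```

With the configuration from Example 4.14 the check passes, because -1_900_000_000 is lower than Spring Boot's default security filter order of -100.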

