java - CSRF protection prevents me from uploading a file -


i created simple app spring boot , spring security contains :

  • a login form
  • an "upload" form (with associated controller on backend's side)

problem : spring security has built-in default csrf protection. works common rest calls prevents me uploading file : error message :

invalid csrf token 'null' found on request parameter '_csrf' or header 'x-xsrf-token'.

if deactivate csrf protection, can upload file.

i created sscce illustrate problem. steps reproduce :

  1. launch application (main class com.denodev.application)
  2. connect localhost:8080
  3. authenticate credentials :
    • login : user
    • password : password
  4. when redirected "upload" form, try upload file.
  5. in class application, feel free activate/deactivate csrf protection, restart app , retry.

the relevant part of code : 

@restcontroller @springbootapplication public class application {    public static void main(string[] args) {     springapplication.run(application.class);   }    @requestmapping(value = "/upload-file", method = requestmethod.post)   @responsebody   public string uploadfile(@requestparam("file") multipartfile file) {     return "successfully received file "+file.getoriginalfilename();   }    @configuration   @order(securityproperties.access_override_order)   protected static class securityconfiguration extends websecurityconfigureradapter {      @override     public void configure(httpsecurity http) throws exception {       http           .authorizerequests()           .antmatchers("/", "/**/*.html", "login").permitall()           .anyrequest().authenticated()           .and()             .formlogin()             .successhandler(successhandler())             .failurehandler(failurehandler())           .and()             .exceptionhandling()             .accessdeniedhandler(accessdeniedhandler())             .authenticationentrypoint(authenticationentrypoint())           .and()            //1 : uncomment activate csrf protection           .csrf()           .csrftokenrepository(csrftokenrepository())           .and()           .addfilterafter(csrfheaderfilter(), csrffilter.class)            //2 : uncomment disable csrf protection           //.csrf().disable()       ;     }      /**      * return http 200 on authentication success instead of redirecting page.      */     private authenticationsuccesshandler successhandler() {       return new authenticationsuccesshandler() {         @override         public void onauthenticationsuccess(httpservletrequest httpservletrequest, httpservletresponse httpservletresponse, authentication authentication) throws ioexception, servletexception {           httpservletresponse.setstatus(httpservletresponse.sc_ok);         }       };     }      /**      * return http 401 on authentication failure instead of redirecting page.      */     private authenticationfailurehandler failurehandler() {       return new authenticationfailurehandler() {         @override         public void onauthenticationfailure(httpservletrequest httpservletrequest, httpservletresponse httpservletresponse, authenticationexception e) throws ioexception, servletexception {           httpservletresponse.setstatus(httpservletresponse.sc_unauthorized);           httpservletresponse.getwriter().write(e.getmessage());         }       };     }      /**      * return http 403 on "access denied" instead of redirecting page.      */     private accessdeniedhandler accessdeniedhandler() {       return new accessdeniedhandler() {         @override         public void handle(httpservletrequest httpservletrequest, httpservletresponse httpservletresponse, accessdeniedexception e) throws ioexception, servletexception {           httpservletresponse.setstatus(httpservletresponse.sc_forbidden);           httpservletresponse.getwriter().write(e.getmessage());         }       };     }      private authenticationentrypoint authenticationentrypoint() {       return new authenticationentrypoint() {         @override         public void commence(httpservletrequest httpservletrequest, httpservletresponse httpservletresponse, authenticationexception e) throws ioexception, servletexception {           httpservletresponse.setstatus(httpservletresponse.sc_unauthorized);           httpservletresponse.getwriter().write(e.getmessage());         }       };     }

what tried :

the spring security's documentation multipart advices place multipartfilter before spring security. explains how plain old webapp editing web.xml file. not applicable spring boot , cannot figure equivalent syntax.

i tried expose multipartfilter annotations @bean , order several options still struggle it.

any ideas?

this works me :

add directive upload file in client side : 

app.directive('filemodel', function ($parse) {          return {              restrict: 'a',              link: function(scope, element, attrs) {                  var model = $parse(attrs.filemodel);                 var modelsetter = model.assign;                  element.bind('change', function(){                      scope.$apply(function(){                         modelsetter(scope, element[0].files[0]);                     });                  });              }     }; })

upload file : 

<input type="file" file-model="filetoupload"/>

this how upload file server : 

var formdata = new formdata();  formdata.append("file", filetoupload);  $http({          method: 'post',         url: 'the url',         headers: {'content-type': undefined},         data: formdata,         transformrequest: angular.identity  })  .success(function(data, status){  })

Comments

Post a Comment

Popular posts from this blog

html - Outlook 2010 Anchor (url/address/link) -

i'm trying link specific pdf page msoutlook'10 or msword'10, #page=... anchor particularly useful , works fine elsewhere. unfortunately when click [ctr-k] in outlook or winword, links re-formatted assuming unc path. pdf file located on shared drive. using "file:" prefix links open pdf in adobe reader (outside of browser), , "http:" open inside browser. issue seem need open in browser "file:" prefix in order anchor work. know anchors work inside browser. outlook uses windows/explorer default program (based on file extension) seems open in adobe reader neglecting anchor. is aware of solution, link specific page or bookmark of shared-pdf ms outlook and/or winword link? common references: mailermailer.com/...anchor-tags-html-emails campaignmonitor.com/...anchor-links-in-email-newsletters/ stackoverflow.com/...anchor-in-pdf-document
Read more

javascript - Why does running this loop 9 times take 100x longer than running it 8 times? -

consider code: test = function() { } t = new test(); (var = 0; < 8; i++) { result = t instanceof test; } if change number of iterations 8 9 , loop take 100 times longer complete in latest version of firefox (41.0.1). tested on 2 different pcs , magic limit 8. here jsperf test used: http://jsperf.com/instanceof-8-times-vs-9-times does have idea why might happen? seems specific instanceof . not happen if else object, example check property. note: filed bugzilla bug this. jan de mooij mozilla team has posted details in bugzilla thread . here's simplistic interpretation of highly technical answers: in i < 8 case, firefox smart enough hoist result = t instanceof test; statement out of loop (according tests, doesn't seem omit altogether). in i < 9 case, apparently doesn't optimization . why? reason not clear, related fact 9 iterations threshold above function considered "hot" enough run through jit compiler. i < 8 cas...
Read more

Getting gateway time-out Rails app with Nginx + Puma running on Digital Ocean -

following this guide setup app on digital ocean droplet, not working. site not loading , it's throwing: "gateway time-out". the puma server works, since ps aux | grep puma prints: root 15878 0.0 0.4 376832 2168 ? sl 12:50 0:00 puma 2.13.4 (unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock) [20150930164940] root 15881 0.0 0.7 903676 3692 ? sl 12:50 0:06 puma: cluster worker 0: 15878 [20150930164940] root 24654 0.0 0.1 11748 916 pts/2 s+ 18:00 0:00 grep --color=auto puma my nginx config: user root; worker_processes 1; events { worker_connections 1024; } http { upstream puma { server unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock; } server { listen 80; server_name myapp.com; root /var/www/myapp/current/public; access_log /var/www/myapp/current/log/access.log; error_log /...
Read more