Spring Security CSRF with enctype="multipart/form-data"
Question:
I have this form in a JSP file:
<form:form method="POST" commandName="advertForm" onsubmit="return checkAddress();" enctype="multipart/form-data">
    <form:errors path="*" cssClass="errorblock" element="div"/>
    <table>
        <tr>
            <td>Text:</td>
            <td><form:input path="advert.text"/></td>
            <td><form:errors path="advert.text" cssClass="error"/></td>
        </tr>
        <table id="fileTable">
            <tr>
                <td><input name="images[0]" type="file" /></td>
            </tr>
            <tr>
                <td><input name="images[1]" type="file" /></td>
            </tr>
        </table>
        <tr>
            <td colspan="1"><a style="text-decoration: none" href="/"><input type="button" value="Cancel"/></a></td>
            <td colspan="2"><input type="submit" value="Save"/></td>
        </tr>
        <input type="hidden"
               name="${_csrf.parameterName}"
               value="${_csrf.token}" />
    </table>
</form:form>
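It uses this AdvertForm class:
import java.util.List;
import org.springframework.web.multipart.MultipartFile;

// Form-backing object: "advert.text" and "images[n]" from the JSP bind to these properties.
public class AdvertForm {
    private Advert advert;
    private List<MultipartFile> images;

    public Advert getAdvert() {
        return advert;
    }

    public void setAdvert(Advert advert) {
        this.advert = advert;
    }

    public List<MultipartFile> getImages() {
        return images;
    }

    public void setImages(List<MultipartFile> images) {
        this.images = images;
    }
}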
In the corresponding controller I receive the data with this parameter:
@ModelAttribute("advertForm") AdvertForm advertForm
The problem is that when CSRF is disabled in the spring-security.xml file it works fine - I can see the selected files in advertForm.getImages() - but when I enable CSRF it stops working with:
Invalid CSRF token found for http://localhost:8080
I tried to solve the problem with these steps:
- I added the MultipartFilter before securityFilterChain:
<filter>
    <filter-name>MultipartFilter</filter-name>
    <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>MultipartFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
I defined filterMultipartResolver:
<bean id="filterMultipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <property name="maxUploadSize" value="100000000" />
</bean>
and added it to web.xml:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        ......,
        /WEB-INF/springWebMultipartContext.xml
    </param-value>
</context-param>
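- Enabled CasualMultipartParsing in Tomcat 7 (I use it as a standalone library and run it from the IDE):
ctx.setAllowCasualMultipartParsing(true);
Now the form works - I no longer get any CSRF errors. But when the controller receives the advertForm parameter, advertForm.getImages() returns null, while advertForm.getText() returns the text entered by the user. In the logs I can see this line: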
DEBUG CommonsMultipartResolver - Found multipart file [images[0]] of size 3117 bytes with original filename [11111111.txt], stored in memory
Where is my mistake?
Answer:
I forgot to mention that I had defined this bean:
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />
That was the problem. After removing this bean, everything works fine.
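A check for the two conditions this thread turns on, written as an added example that is not part of the original question or answer: the MultipartFilter mapping must come before springSecurityFilterChain in web.xml, and a multipartResolver bean must not sit alongside filterMultipartResolver. The XML samples are constructed for illustration, and the filter names are assumed to match the ones used in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the question's fragments (not the poster's real files).
WEB_XML = """<web-app>
  <filter-mapping><filter-name>MultipartFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
RESOLVER = "org.springframework.web.multipart.commons.CommonsMultipartResolver"
ROOT_CTX = f'<beans><bean id="filterMultipartResolver" class="{RESOLVER}"/></beans>'
SERVLET_CTX_BROKEN = f'<beans><bean id="multipartResolver" class="{RESOLVER}"/></beans>'
SERVLET_CTX_FIXED = "<beans/>"


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def filter_mapping_order(web_xml):
    """Filter names in <filter-mapping> order, i.e. the order the container applies them."""
    order = []
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "filter-mapping":
            order += [(c.text or "").strip() for c in elem if _local(c.tag) == "filter-name"]
    return order


def check_upload_config(web_xml, context_xmls,
                        multipart="MultipartFilter", security="springSecurityFilterChain"):
    """Return findings; an empty list means the layout matches the setup that worked."""
    findings = []
    order = filter_mapping_order(web_xml)
    if multipart not in order:
        findings.append("MultipartFilter is not mapped")
    elif security in order and order.index(multipart) > order.index(security):
        findings.append("MultipartFilter is mapped after springSecurityFilterChain")
    ids = set()  # ids of every *MultipartResolver bean across all context files
    for ctx in context_xmls:
        for bean in ET.fromstring(ctx).iter():
            if _local(bean.tag) == "bean" and bean.get("class", "").endswith("MultipartResolver"):
                ids.add(bean.get("id"))
    if {"filterMultipartResolver", "multipartResolver"} <= ids:
        findings.append("multipartResolver is defined alongside filterMultipartResolver")
    return findings


if __name__ == "__main__":
    print(check_upload_config(WEB_XML, [ROOT_CTX, SERVLET_CTX_BROKEN]))
    print(check_upload_config(WEB_XML, [ROOT_CTX, SERVLET_CTX_FIXED]))
```

With MultipartFilter ahead of Spring Security, the multipart body is parsed before any authorization decision, so the maxUploadSize on filterMultipartResolver is what bounds uploads from unauthenticated clients.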