How to enable Spring Security POST redirect after log in with CSRF?

Backend · Unresolved · 4 answers · 1002 views
Asked by 误落风尘, 2021-01-05 20:49

I'm using Spring Security 3.2 with CSRF. My configuration includes this:

4 answers
  • 2021-01-05 21:23

It is quite simple. Don't pass the CSRF token as a hidden form field; it won't work. Pass the CSRF token directly as a query parameter in the URL, like below:

    <c:url value="/jobseeker/resume/uploadJobSeekerResume1?${_csrf.parameterName}=${_csrf.token}" var="uploadResumeURL"/>
    <form:form action="${uploadResumeURL}" method="post" enctype="multipart/form-data">
        <input id="file" name="file" type="file" />
        <div class="modal-footer">
            <button type="submit" class="btn btn-success">
                <span class="glyphicon glyphicon-ok-sign"></span>&nbsp;Save
            </button>
        </div>
    </form:form>
    
  • 2021-01-05 21:29

    I may not understand something... but can't you just remove default-target-url from your configuration?

  • 2021-01-05 21:37

    It seems that when CSRF protection is enabled, Spring Security only puts your original request in the requestCache if the request used the GET method. In order to have it cache POST requests as well, I created a custom requestCache.

    I'm not 100% convinced that doing so doesn't weaken the CSRF protection somehow, but it seems safe in my mind.

    Add request cache bean to the XML configuration:

    <bean id="requestCache" class="a.b.c.AlwaysSaveRequestCache" />
    
    <http>
       <csrf />
       <request-cache ref="requestCache" />
    </http>
    

    Implement the custom request cache, by extending and borrowing code from HttpSessionRequestCache:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.web.PortResolverImpl;
    import org.springframework.security.web.savedrequest.DefaultSavedRequest;
    import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

    public class AlwaysSaveRequestCache extends HttpSessionRequestCache
    {
       @Override
       public void saveRequest(HttpServletRequest request, HttpServletResponse response)
       {
          // Same session key the parent class uses, so getRequest()/removeRequest() still find it
          final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";
          // Unlike the parent, no request matcher is consulted here: every request (GET or POST) is saved
          DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, new PortResolverImpl());
          request.getSession().setAttribute(SAVED_REQUEST, savedRequest);
          // 'logger' is the protected commons-logging Log inherited from HttpSessionRequestCache
          logger.debug("DefaultSavedRequest added to Session: " + savedRequest);
       }
    }
    

    Your POST requests should now be cached and re-sent after being interrupted by the login form.

  • 2021-01-05 21:46

    It's because HttpSessionRequestCache and DefaultSavedRequest are not designed to work with "multipart/form-data". A multipart request is treated as a regular request and all form data is lost. The request restored from the SavedRequest will contain only the URL and method.

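An added example, written by the editor of this page and not taken from any of the answers above or from Spring Security itself, that combines the points of the third and fourth answers. Instead of overriding saveRequest() wholesale, it keeps HttpSessionRequestCache's behaviour and only swaps the request matcher (the setRequestMatcher(...) method that Spring Security 3.2 provides; with <csrf/> enabled the namespace default is a GET-only matcher, which is what the third answer observed). A POST is saved only when (a) it is not multipart, because, as the fourth answer notes, DefaultSavedRequest cannot carry a multipart body and the replay would be a POST with no file, and (b) the request presented a CSRF token matching the one CsrfFilter exposed as a request attribute, so a POST that never passed CSRF validation is not parked in the session for replay. The class name CsrfAwarePostRequestCache and the bean id are assumed names; everything else is the public 3.2 API. On the first answer's approach: a token in the query string does work, but it then shows up in server logs, browser history and Referer headers, which is why the hidden field is the usual place for it.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Editor's example (not Spring Security code). Saves GET requests as usual and
 * additionally saves POST requests that can really be replayed after login and
 * that already carried a valid CSRF token when they were interrupted.
 *
 * Wire it in exactly like the custom cache in the third answer (bean id assumed):
 *   <bean id="requestCache" class="a.b.c.CsrfAwarePostRequestCache"/>
 *   <http> <csrf/> <request-cache ref="requestCache"/> </http>
 */
public class CsrfAwarePostRequestCache extends HttpSessionRequestCache {

    public CsrfAwarePostRequestCache() {
        // HttpSessionRequestCache.saveRequest() only stores the request when
        // this matcher matches; the namespace default with <csrf/> is GET only.
        setRequestMatcher(new RequestMatcher() {
            @Override
            public boolean matches(HttpServletRequest request) {
                return isGet(request) || isReplayablePost(request);
            }
        });
    }

    static boolean isGet(HttpServletRequest request) {
        return "GET".equalsIgnoreCase(request.getMethod());
    }

    static boolean isReplayablePost(HttpServletRequest request) {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return false;
        }
        // DefaultSavedRequest keeps URL, method, headers and parameters only.
        // A multipart body (file upload) cannot be reconstructed, so do not
        // save it: the replay would be a POST without the file.
        String contentType = request.getContentType();
        if (contentType != null && contentType.toLowerCase().startsWith("multipart/")) {
            return false;
        }
        // CsrfFilter exposes the expected token under this attribute for every
        // request it processes. Re-check the presented value here so the cache
        // does not depend on filter ordering: only a POST that carried the
        // correct token (hidden field or X-CSRF-TOKEN header) is parked.
        CsrfToken expected = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (expected == null) {
            return false; // no CsrfFilter ran in front of us: never replay POSTs
        }
        String actual = request.getHeader(expected.getHeaderName());
        if (actual == null) {
            actual = request.getParameter(expected.getParameterName());
        }
        return actual != null && expected.getToken().equals(actual);
    }
}
```

Why the pre-save check matters: after login, SavedRequestAwareAuthenticationSuccessHandler redirects the browser to the saved URL, so what arrives is a plain GET. CsrfFilter sits earlier in the chain than RequestCacheAwareFilter, sees that GET and performs no token check; only afterwards does the wrapper built from the saved request make getMethod() report POST and hand the saved parameters to the application. The replayed POST is therefore only as trustworthy as the request that was saved, which is why this cache refuses to save a POST that did not already present the right token.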