It would have been very hard to find without the gist but I finally got it!
In fact it has nothing to do with Spring Security. The real problem was only in Spring Framework multipart configuration. But because of it, the request appeared to have no parameter at all (neither _csrf, nor file) and the first to detect it was CsrfFilter. I removed everything about security, and the error was Requested parameter file absent (or something like it...)
As detailed in Spring Framework manual, multipart can be handled in 2 ways:
- using Apache commons fileupload
- using servlet 3.0 configuration

- You followed first solution of the related post and configured a CommonsMultipartResolver in mvc-dispatcher-servlet.xml. The first problem is that the MultipartFilter is related to the global ServletContext and looks for its MultipartResolver in root application context, not in servlet specific context.
The second problem is that you forgot to add a dependency on Apache commons fileupload in your pom.xml.
So you must first add this dependency in your pom.xml:
    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.1</version>
    </dependency>
Next you must remove the filterMultipartResolver bean from mvc-dispatcher-servlet.xml and declare it in root application context. As a quick and dirty fix, you can add it into spring-security.xml:
    <beans:bean id="filterMultipartResolver"
            class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <beans:property name="maxUploadSize" value="100000000" />
    </beans:bean>
- An alternative configuration would have been to use the multipart handling of servlet 3.0.
No need to depend on apache commons fileupload, nor to add any bean to the configuration, because MultipartFilter uses a StandardServletMultipartResolver as a default.
You simply need to add a <multipart-config> element in the declaration of the DispatcherServlet in web.xml:
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <multipart-config>
            <!--location>/tmp</location-->
            <max-file-size>1000000</max-file-size>
        </multipart-config>
    </servlet>
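
For reference, a web.xml fragment showing the wiring the answer above depends on, as an added example that is not part of the original answer or the asker's project. The /WEB-INF/ path, the filter names and the /* mappings are assumptions; the requirement that MultipartFilter be mapped ahead of springSecurityFilterChain comes from the Spring Security CSRF documentation, not from this page.

```xml
<!-- Added example (fragment of <web-app>); paths and filter names are assumed -->

<!-- Root application context, loaded by ContextLoaderListener.
     MultipartFilter looks up its "filterMultipartResolver" bean here,
     never in the DispatcherServlet's own context. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>MultipartFilter</filter-name>
    <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Filters run in filter-mapping order. The multipart body has to be
     parsed first, otherwise CsrfFilter sees no _csrf parameter and
     rejects the upload. -->
<filter-mapping>
    <filter-name>MultipartFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

With this ordering the multipart body is parsed before any authentication or CSRF check runs, so the upload size limit (maxUploadSize or max-file-size) is the only bound on what an unauthenticated client can make the server buffer; size it for the real use case.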