Announcement Announcement Module
Collapse
No announcement yet.
Spring Security 3.1 and Multipart File Uploads Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security 3.1 and Multipart File Uploads

    I'm having a heck of a time getting Spring 3.1 / Spring Security 3.1 to allow file uploads.

    I have the following controller..

    Code:
    @PreAuthorize("hasAuthority('ROLE_USER')")
        @RequestMapping(value = "/upload", method = RequestMethod.PUT)
        public @ResponseBody Account putImage(@RequestParam("title") String title, MultipartHttpServletRequest request, Principal principal)
    And when I try to access it using a REST client, with Content-Type multipart/form-data set, I get the following exception:

    Code:
    java.lang.IllegalStateException: Current request is not of type [org.springframework.web.multipart.MultipartHttpServletRequest]: SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.connector.RequestFacade@1aee75b7]]
    It seems like this has to do with the Spring Security filter chain, but I'm really not sure what to do about this. Any help or pointers would be very much appreciated - I've spent a lot of my weekend on this seemingly simple problem!

    I've also tried using a @RequestParam MutipartFile in the arguments, but that leads to a different error where it claims that my multipartResolver is not set up (it is).

  • #2
    If your setup would be correct the request would be of the type MultipartHttpServletRequest. Both errors lead me to believe your setup is wrong. Please post your configuration ...

    Edit: A little code inspection shows that the CommonsMultipartResolver only accepts multipart form-data when the request is post, all other requests aren't allowed and as such the method isMultipart returns false.

    I suggest submitting a JIRA to improve this.
    Last edited by Marten Deinum; Feb 25th, 2013, 01:46 PM.

    Comment


    • #3
      That's what I thought too. Here are the relevant parts of my config:

      Annotations are set up:
      Code:
      <mvc:annotation-driven />
      <mvc:default-servlet-handler />
      This request's full url would be /api/image/upload:
      Code:
      <http pattern="/api/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
                use-expressions="true" xmlns="http://www.springframework.org/schema/security">
              <anonymous enabled="false" />
              <intercept-url pattern="/api/**" />
              <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
              <access-denied-handler ref="oauthAccessDeniedHandler" />
              <expression-handler ref="oauthWebExpressionHandler" />
      </http>
      The expression handler is the one from the spring-security-oauth2 project:
      Code:
      <oauth:web-expression-handler id="oauthWebExpressionHandler" />

      Comment


      • #4
        I edited my previous reply but here it is again...

        Originally posted by Marten Deinum
        Edit: A little code inspection shows that the CommonsMultipartResolver only accepts multipart form-data when the request is post, all other requests aren't allowed and as such the method isMultipart returns false.

        I suggest submitting a JIRA to improve this.

        For now you could extend the MultipartResolver you use and override the isMultipart method.

        Comment


        • #5
          Ah, nice catch. Interesting!

          In looking at the 3.1 source for CommonsMultipartResolver (https://fisheye.springsource.org/bro...r.java?hb=true) I don't see where it's limited to only POST methods. I'm happy to submit a jira, even with patch code, but I'm not sure I see where that limit happens.

          Comment


          • #6
            Well actually it is in the commons-fileupload class not in the Spring one (sorry for the confusion). The file ServletFileUpload contains that code in the method isMultipartContent.

            Comment


            • #7
              Oh, I see. Thank you very much, sorry for the confusion. I'll try this out shortly and let you know how it goes.

              Comment


              • #8
                Problem solved. Thanks again!

                Comment


                • #9
                  Great to hear. Could you still register a JIRA to enhance the file upload support to support other requests next to POST.

                  Comment


                  • #10
                    I opened FILEUPLOAD-214 for this issue.

                    Comment


                    • #11
                      You also might want to open a JIRA request on the Spring Framework instance, that way a workaround/fix might come quicker and also for the Servlet 3.0 implementation. You could link to this forum thread and registered file-upload issue.

                      Comment

                      Working...
                      X