Spring Security 3.1 and Multipart File Uploads

[inktomi]

I'm having a heck of a time getting Spring 3.1 / Spring Security 3.1 to allow file uploads.

I have the following controller..

Code:

@PreAuthorize("hasAuthority('ROLE_USER')")
    @RequestMapping(value = "/upload", method = RequestMethod.PUT)
    public @ResponseBody Account putImage(@RequestParam("title") String title, MultipartHttpServletRequest request, Principal principal)

And when I try to access it using a REST client, with Content-Type multipart/form-data set, I get the following exception:

Code:

java.lang.IllegalStateException: Current request is not of type [org.springframework.web.multipart.MultipartHttpServletRequest]: SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.connector.RequestFacade@1aee75b7]]

It seems like this has to do with the Spring Security filter chain, but I'm really not sure what to do about this. Any help or pointers would be very much appreciated - I've spent a lot of my weekend on this seemingly simple problem!

I've also tried using a @RequestParam MutipartFile in the arguments, but that leads to a different error where it claims that my multipartResolver is not set up (it is).

[Marten Deinum]

If your setup would be correct the request would be of the type MultipartHttpServletRequest. Both errors lead me to believe your setup is wrong. Please post your configuration ...

Edit: A little code inspection shows that the CommonsMultipartResolver only accepts multipart form-data when the request is post, all other requests aren't allowed and as such the method isMultipart returns false.

I suggest submitting a JIRA to improve this.

[inktomi]

That's what I thought too. Here are the relevant parts of my config:

Annotations are set up:

Code:

<mvc:annotation-driven />
<mvc:default-servlet-handler />

This request's full url would be /api/image/upload:

Code:

<http pattern="/api/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
          use-expressions="true" xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/api/**" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <expression-handler ref="oauthWebExpressionHandler" />
</http>

The expression handler is the one from the spring-security-oauth2 project:

Code:

<oauth:web-expression-handler id="oauthWebExpressionHandler" />

[Marten Deinum]

I edited my previous reply but here it is again...

Edit: A little code inspection shows that the CommonsMultipartResolver only accepts multipart form-data when the request is post, all other requests aren't allowed and as such the method isMultipart returns false.

I suggest submitting a JIRA to improve this.

For now you could extend the MultipartResolver you use and override the isMultipart method.

[inktomi]

Ah, nice catch. Interesting!

In looking at the 3.1 source for CommonsMultipartResolver (https://fisheye.springsource.org/bro...r.java?hb=true) I don't see where it's limited to only POST methods. I'm happy to submit a jira, even with patch code, but I'm not sure I see where that limit happens.

[Marten Deinum]

Well actually it is in the commons-fileupload class not in the Spring one (sorry for the confusion). The file ServletFileUpload contains that code in the method isMultipartContent.

[inktomi]

Oh, I see. Thank you very much, sorry for the confusion. I'll try this out shortly and let you know how it goes.

[inktomi]

Problem solved. Thanks again!

[Marten Deinum]

Great to hear. Could you still register a JIRA to enhance the file upload support to support other requests next to POST.

[inktomi]

I opened FILEUPLOAD-214 for this issue.