Problem uploading multipart file after migrating to latest Spring Security. #13731

Closed
MladenCikara-Dextcloud opened this issue Aug 22, 2023 · 2 comments
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug

@MladenCikara-Dextcloud

Describe the bug
After upgrading Spring Boot from 2.7.11 (Spring Security 5.7.8) to 3.1.2 (Spring Security 6.1.2), uploading a multipart file has stopped working. We are using Apache Camel for processing the uploaded file.

To Reproduce
We have created a repo with an example (https://github.com/McNullty/camel-upload-with-security). On branch master we have used the latest versions of Spring Boot / Spring Security and Camel; on branch old-spring boot there is a version with older versions of Spring and Camel.

We have also tested the latest Camel without Spring Security and it is working as expected.

Expected behavior

The example can be tested by sending any file with curl, e.g.:

curl --location 'http://localhost:8080/camel/upload' \
  --header 'Authorization: Basic dXNlcjpwYXNz' \
  --form 'file=@"/path/examples.yaml"'

The expected behavior is that in the Camel exchange body there is a file with a size different than 0.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

@MladenCikara-Dextcloud MladenCikara-Dextcloud added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Aug 22, 2023
@MladenCikara-Dextcloud

I have found a workaround. If I add .requestCache(RequestCacheConfigurer::disable) to the security configuration, the application works as expected.
E.g.

http
    // Workaround from this comment: disable the request cache
    .requestCache(RequestCacheConfigurer::disable)
    .csrf(AbstractHttpConfigurer::disable)
    .authorizeHttpRequests(authorize -> authorize
        .anyRequest().authenticated()
    )
    .httpBasic(Customizer.withDefaults());

I have also found that if I put a log statement that "tickles" request.getInputStream() in a filter before RequestCacheAwareFilter, the application also works as expected.

E.g.

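import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class DebugFilter implements Filter {
  private static final Logger log = LoggerFactory.getLogger(DebugFilter.class);

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    // Calls getInputStream() before RequestCacheAwareFilter gets to see the request
    log.info("Input Stream: {}", request.getInputStream());
    chain.doFilter(request, response);
  }
}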

@marcusdacoregio marcusdacoregio self-assigned this Sep 14, 2023
@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 14, 2023
@marcusdacoregio marcusdacoregio added this to the 6.0.7 milestone Sep 14, 2023
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Sep 14, 2023
Prior to this commit, the ServletRequest#getParameter method was used in order to verify if the matchingRequestParameterName was present in the request. That method has some side effects like interfering in the execution of the ServletRequest#getInputStream and ServletRequest#getReader methods when the request is an HTTP POST (if those methods are invoked after getParameter, or vice-versa, the content won't be available). This commit makes it so that we only use the query string to check for the parameter, avoiding draining the request's input stream.

Closes spring-projectsgh-13731
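
The query-string-only check that the commit message above describes, written as an added example (it is not Spring Security's own code and not part of the commit). The class name, method name and the sample parameter name `continue` are assumptions chosen for illustration; in a filter the method would be given `request.getQueryString()`, which never reads the request body.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class QueryStringParameterCheck {

    /**
     * Returns true if the raw query string (the value returned by
     * HttpServletRequest#getQueryString()) contains a parameter with the
     * given name. Only the URL is inspected, so the request body and its
     * input stream are left untouched, unlike ServletRequest#getParameter
     * on a POST.
     */
    static boolean hasQueryParameter(String rawQuery, String name) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return false; // no query string at all
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            // A parameter may appear without a value, e.g. "?continue"
            String rawName = (eq >= 0) ? pair.substring(0, eq) : pair;
            try {
                String decoded = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
                if (name.equals(decoded)) {
                    return true;
                }
            } catch (IllegalArgumentException ex) {
                // Malformed percent-encoding: treat this pair as non-matching
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample query strings (null means the URL had no "?")
        String[] samples = {
            null, "", "continue", "a=1&continue", "continue=",
            "continued=1", "x=continue", "%63ontinue", "%zz=1"
        };
        for (String query : samples) {
            System.out.println(query + " -> " + hasQueryParameter(query, "continue"));
        }
    }
}
```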
@NuwanSameera

@marcusdacoregio your solution is working. Earlier I had the .csrf(csrf -> csrf.disable()) CSRF configuration. It didn't work.

What is the difference between .csrf(csrf -> csrf.disable()) and csrf(AbstractHttpConfigurer::disable)?
