
We upgraded our Spring Boot application from 2.5.14 to 3.5.5; now POST requests for multipart file upload are failing with a 403 response. This is a service-to-service interface; no user login is involved. At this time it is not feasible to change the client service to add a CSRF token. How do I work around this issue?

This is what is seen in the Spring Security logs.

{"@timestamp":"2025-09-04T13:56:23.406-04:00","@version":"1","message":"Invoking CsrfFilter (5/10)","logger_name":"org.springframework.security.web.FilterChainProxy","thread_name":"http-nio-8080-exec-2","level":"TRACE","level_value":5000,"service_name":"threat-assessment","log_type":"APPLICATION"}
{"@timestamp":"2025-09-04T13:56:23.407-04:00","@version":"1","message":"Wrote a CSRF token to the following request attributes: [_csrf, org.springframework.security.web.csrf.CsrfToken]","logger_name":"org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler","thread_name":"http-nio-8080-exec-2","level":"TRACE","level_value":5000,"service_name":"threat-assessment","log_type":"APPLICATION"}
{"@timestamp":"2025-09-04T13:56:23.412-04:00","@version":"1","message":"Did not find a CSRF token in the [X-CSRF-TOKEN] request header","logger_name":"org.springframework.security.web.csrf.CsrfTokenRequestHandler","thread_name":"http-nio-8080-exec-2","level":"TRACE","level_value":5000,"service_name":"threat-assessment","log_type":"APPLICATION"}
{"@timestamp":"2025-09-04T13:56:23.412-04:00","@version":"1","message":"Did not find a CSRF token in the [_csrf] request parameter","logger_name":"org.springframework.security.web.csrf.CsrfTokenRequestHandler","thread_name":"http-nio-8080-exec-2","level":"TRACE","level_value":5000,"service_name":"threat-assessment","log_type":"APPLICATION"}
{"@timestamp":"2025-09-04T13:56:23.412-04:00","@version":"1","message":"Invalid CSRF token found for http://localhost:8080/api/v1/scans?waitFor=10","logger_name":"org.springframework.security.web.csrf.CsrfFilter","thread_name":"http-nio-8080-exec-2","level":"DEBUG","level_value":10000,"service_name":"threat-assessment","log_type":"APPLICATION"}
{"@timestamp":"2025-09-04T13:56:23.412-04:00","@version":"1","message":"Responding with 403 status code","logger_name":"org.springframework.security.web.access.AccessDeniedHandlerImpl","thread_name":"http-nio-8080-exec-2","level":"DEBUG","level_value":10000,"service_name":"threat-assessment","log_type":"APPLICATION"}

This is the code for the securityFilter:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Only this branch customises the chain. When iamProperties.isSecured() is true,
        // nothing is configured and http.build() returns Spring Security's default
        // chain, in which CSRF protection (CsrfFilter) is enabled for every
        // non-GET/HEAD/OPTIONS/TRACE request.
        if (!iamProperties.isSecured()) {
            http
                    .cors(Customizer.withDefaults())
                    .csrf(AbstractHttpConfigurer::disable)
                    .authorizeHttpRequests(authorize -> authorize
                            .requestMatchers("/actuator/**", "/system/v1/resources").permitAll()
                            .anyRequest().access(hasScope(SCAN_SCOPE))
                    )
                    .oauth2ResourceServer(oauth -> oauth.jwt(Customizer.withDefaults()));
        }
        return http.build();
    }
  • If you change it to `http.csrf((csrf) -> csrf.disable())`, does it make any difference? (Commented Sep 4 at 19:34)
  • No, it does not make any difference. (Commented Sep 4 at 20:02)
  • I tried the following, which did not work either: `http.csrf(csrf -> csrf.ignoringRequestMatchers(req -> "POST".equals(req.getMethod()) && "/api/v1/scans".equals(req.getRequestURI())))` (Commented Sep 4 at 21:27)
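
The chain in the question only customises `HttpSecurity` inside the `if (!iamProperties.isSecured())` branch. On any other path `http.build()` returns Spring Security's default chain, which includes `CsrfFilter`; that is consistent with the trace above, where `CsrfFilter` runs and rejects the POST because neither the `X-CSRF-TOKEN` header nor the `_csrf` parameter is present. Disabling CSRF is the right call for this endpoint: the client authenticates with a bearer JWT in the `Authorization` header, which a browser never attaches on its own, so a forged cross-site request carries no credential and a CSRF token protects nothing. The only caveat is that the service must then never issue a session cookie, so the chain should also be declared stateless. The configuration below is an added example, not code from the question or from any answer on this page. It keeps the question's branch condition and rules, moves the CSRF and session settings outside the conditional so they apply on every path, and makes the other branch explicit. `IamProperties`, the package name, the value of `SCAN_SCOPE`, the static import of `hasScope` from `OAuth2AuthorizationManagers` and the fail-closed `denyAll` branch are assumptions, since the question does not show them.

```java
package com.example.threatassessment.config; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Assumed origin of hasScope(); it maps "scan" to the authority "SCOPE_scan".
import static org.springframework.security.oauth2.core.authorization.OAuth2AuthorizationManagers.hasScope;

@Configuration
public class ApiSecurityConfig {

    // Assumed value: the question references SCAN_SCOPE but does not show it.
    private static final String SCAN_SCOPE = "scan";

    // Assumed: a properties bean exposing isSecured(), as used in the question.
    private final IamProperties iamProperties;

    public ApiSecurityConfig(IamProperties iamProperties) {
        this.iamProperties = iamProperties;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Applied on every code path, so the toggle can never leave the chain on
        // Spring Security's defaults (which include CsrfFilter).
        http
                .cors(Customizer.withDefaults())
                // Clients send a bearer JWT in the Authorization header. A browser
                // never adds that header by itself, so a cross-site forged POST has
                // no credential; CsrfFilter would only reject legitimate multipart
                // uploads that lack an X-CSRF-TOKEN header.
                .csrf(AbstractHttpConfigurer::disable)
                // Never create an HttpSession. If a session cookie were ever issued,
                // running without CSRF protection would become a real weakness, so
                // make that impossible rather than relying on nobody calling getSession().
                .sessionManagement(session ->
                        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        if (!iamProperties.isSecured()) {
            // Same rules as the question: actuator and resources open, everything
            // else requires a valid JWT carrying the scan scope.
            http
                    .authorizeHttpRequests(authorize -> authorize
                            .requestMatchers("/actuator/**", "/system/v1/resources").permitAll()
                            .anyRequest().access(hasScope(SCAN_SCOPE)))
                    .oauth2ResourceServer(oauth -> oauth.jwt(Customizer.withDefaults()));
        } else {
            // Assumed: the question does not say what this mode should allow.
            // Fail closed instead of silently inheriting defaults; replace with the
            // real authorization rules for this mode.
            http.authorizeHttpRequests(authorize -> authorize.anyRequest().denyAll());
        }
        return http.build();
    }
}
```

To confirm the change took effect, repeat the upload with the JWT attached (for example `curl -X POST -H "Authorization: Bearer $TOKEN" -F file=@scan.bin 'http://localhost:8080/api/v1/scans?waitFor=10'`) and check the TRACE log: the `FilterChainProxy` lines should no longer list `CsrfFilter` at all, and the response should no longer carry a `Set-Cookie: JSESSIONID` header. If `CsrfFilter` still appears, the chain being built is not the one this bean configures, which is also the first thing to check for the `ignoringRequestMatchers` attempt from the comments: a matcher added inside the untaken branch never reaches the filter.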
