regression: Spring Security 7 Filters interfere with Spring Web StandardMultipartHttpServletRequest
Describe the bug
When an authenticated user uploads a file larger than the configured spring.servlet.multipart.max-file-size then Spring Security returns 401.
To Reproduce
Clone the repo at https://github.com/filiphr/spring-security-boot-4-max-upload-size. It has 2 folders:
- boot-3 - Displaying the behavior with Spring Boot 3.5 and Spring Security 6.5
- boot-4 - Displaying the same behavior with Spring Boot 4.0.0-RC2 and Spring Security 7.0.0-RC3
Expected behavior
The expected behavior is that an authenticated user uploading a file larger than the configured size returns 413.
Have you managed to have a look at this one? Am I doing something wrong or is this behavior expected?
I did some more analysis on this and I could track the problem to the ServletRequest#getParameter(String) call in `AbstractRememberMeRequested#getParameter(String)`.
It seems like something was added in Servlet 6.1 and now ServletRequest#getParameter can throw an IllegalStateException and it now also throws that exception when the file size limit has been reached for Tomcat. In Tomcat 10 the exception parsing error was being thrown only when getParts was being used. However, this is no longer the case in Tomcat 11.
Is there something that could be done in Spring Security to avoid this? What I did now is:
```java
@Override
protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
    try {
        // When using Tomcat it can happen that there is an illegal state exception thrown,
        // e.g. if there is a file size limit for the multipart form data.
        // In Tomcat 11, with Servlet 6.1, the call to ServletRequest#getParameter(String)
        // will throw an IllegalStateException instead of returning null.
        // This then leads to an error in the Spring Security filter chain, and instead of the
        // exception being handled by the DispatcherServlet it leads to an HTTP 401 with an error
        // in the security layer, even though the user is already authenticated.
        // See https://github.com/spring-projects/spring-security/issues/18156.
        return super.rememberMeRequested(request, parameter);
    } catch (IllegalStateException ignored) {
        return false;
    }
}
```
Would it be an option for something like this to be added to the AbstractRememberMeServices?
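The mechanism described in the comment above can be reproduced without a Tomcat instance. The following JUnit 5 test is an added example, not code from the issue author or from Spring Security: it stubs an HttpServletRequest whose getParameter() throws IllegalStateException the way a Servlet 6.1 container does once the multipart size limit is exceeded, and contrasts the stock AbstractRememberMeServices behaviour (the exception escapes into the filter chain) with the guarded override (the check degrades to "remember-me not requested", leaving the 413 to be produced later). The class name DemoRememberMeServices, the "guarded" flag, the key "test-key" and the exception message are constructed for the example; the AbstractRememberMeServices constructor and abstract methods are those of the released API.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.lang.reflect.Proxy;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;

class DemoRememberMeServicesTest {

    /**
     * Minimal concrete subclass (constructed for this example). Only rememberMeRequested()
     * matters here; the abstract cookie methods are stubbed because the test never logs in.
     */
    static class DemoRememberMeServices extends AbstractRememberMeServices {
        private final boolean guarded;

        DemoRememberMeServices(boolean guarded) {
            super("test-key", new InMemoryUserDetailsManager()); // constructed key and empty user store
            this.guarded = guarded;
        }

        @Override
        protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
            if (!guarded) {
                return super.rememberMeRequested(request, parameter); // stock behaviour
            }
            try {
                return super.rememberMeRequested(request, parameter);
            } catch (IllegalStateException oversizedMultipart) {
                // Servlet 6.1 containers may throw here when the multipart body exceeds the
                // configured limit. Treat it as "not requested" so the security filter does not
                // fail the already-authenticated request; the DispatcherServlet handles the 413.
                return false;
            }
        }

        @Override
        protected UserDetails processAutoLoginCookie(String[] cookieTokens,
                HttpServletRequest request, HttpServletResponse response) {
            throw new UnsupportedOperationException("not exercised by this test");
        }

        @Override
        protected void onLoginSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication successfulAuthentication) {
            // not exercised by this test
        }
    }

    /** Request stub: getParameter() throws, as Tomcat 11 does once max-file-size is exceeded. */
    private static HttpServletRequest oversizedMultipartRequest() {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, args) -> {
                    if ("getParameter".equals(method.getName())) {
                        // Constructed message; the container's real wording differs.
                        throw new IllegalStateException("multipart request exceeds max-file-size");
                    }
                    throw new UnsupportedOperationException(method.getName());
                });
    }

    @Test
    void stockCheckLetsContainerExceptionEscape() {
        // This is the path that currently turns an oversized upload into a 401.
        DemoRememberMeServices services = new DemoRememberMeServices(false);
        assertThrows(IllegalStateException.class,
                () -> services.rememberMeRequested(oversizedMultipartRequest(), "remember-me"));
    }

    @Test
    void guardedCheckDegradesToNotRequested() {
        DemoRememberMeServices services = new DemoRememberMeServices(true);
        assertFalse(services.rememberMeRequested(oversizedMultipartRequest(), "remember-me"));
    }
}
```

The Proxy-based stub avoids pulling in a mocking library and fails loudly on any method other than getParameter(), which documents exactly how much of the request the remember-me check actually touches. Run it with the boot-4 module's dependencies (Spring Security 7, Jakarta Servlet 6.1) to see both assertions hold.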