When CSRF protection engaged on a method annotated
Can only be validated via HTTP header match. I understand that support for this feature is optional per MVC spec, but currently it is impossible to implement it in Krazo via configuration or SPI.
Even though Application or SPI could provide custom handling via FormEntityProvider, the check is done sooner than FormEntityProvider is queried.
I could contribute a solution myself, but I'd need advice on the most fitting solution. I currently see these two options:
Let FormEntityProvider decide if it can handle the entity. Application or SPI package can provide handling for multipart requests.
Add a configuration property that will skip CSRF validation in this case (so that the application can handle it itself in case of implicit protection).
Thanks a lot for reporting this. Maybe a first step would be to get a failing testcase that reproduces this issue? Not sure if you saw the testsuite directory which contains Arquillian based tests which we can run against different containers.
@gtudan IIRC you built the FormEntityProvider SPI back then. Any thoughts?