Spring Boot how to use HiddenHttpMethodFilter

Question

As we all know, forms only support GET or POST methods, like this:

<form method="[GET|POST]" action="/user/create">

If our controller has a PUT mapping, we get a 405 error, which means we can only use GET or POST but not PUT.

public class UserController {

    @Autowired
    private UserService userService;

    @RequestMapping(value = "/create", method = RequestMethod.PUT)
    public ModelAndView createUser(@ModelAttribute("user") Users user, BindingResult bindingResult){
        ModelAndView mv = new ModelAndView("list");
        // do something...
        return mv;
    }
}

In spring MVC, we can solve this problem:

First, create a hidden field like this:

<form method="[GET|POST]" action="/user/create">
    <input type="hidden" name="_method" value="put"/>

Second, add a filter

<filter>  
    <filter-name>HiddenHttpMethodFilter</filter-name>  
    <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>  
</filter>  

<filter-mapping>  
    <filter-name>HiddenHttpMethodFilter</filter-name>  
    <servlet-name>springmvc</servlet-name>  
</filter-mapping>

In this way, we can use the PUT method.

But how can I do it in Spring Boot? I know Spring Boot have a class named WebMvcAutoConfiguration which owns a method hiddenHttpMethodFilter, but how can I use the class?

You shouldn't need to do anything as Spring Boot will automatically configure the hidden http method filter for you — Andy Wilkinson, Dec 02 '15 at 21:59
@AndyWilkinson thanks a lot man. I edit my question, But if I do not configure the hidden http method filter, how can I use a put submit in html form. — diligent, Dec 03 '15 at 00:48
Like you normally would. Just put the element in the form... — M. Deinum, Dec 03 '15 at 07:07
Since Spring Boot 2.2, the filter is no longer automatically configured. Set `spring.mvc.hiddenmethod.filter.enabled=true` in your `application.properties` to enable it again. — Wim Deblauwe, Mar 09 '20 at 19:09
Note that using `HiddenHttpMethodFilter` opens your application to a whole bunch of new CSRF attacks. Be sure you have other means of blocking requests from external forms. And no, CORS does not work for forms. — Nux, Jun 08 '20 at 11:54

Wim Deblauwe · Answer 1 · 2021-12-31T09:51:19.057

12

Add the following to your application.properties:

spring.mvc.hiddenmethod.filter.enabled=true

This will automatically configure the HiddenHttpMethodFilter.

Next, use th:method="DELETE" on the form to have Thymeleaf add the hidden field automatically.

(Spring Boot < 2.2 always registers the filter, for Spring Boot 2.2 or higher you need to set the property)

edited Dec 31 '21 at 09:51

answered May 28 '20 at 11:08

Wim Deblauwe

22,652
17
122
191

score 6 · Answer 2 · edited Dec 06 '18 at 11:48

6

I had dealt with this problem not long ago. You only need to and a Bean under anyone @Configuration class. Such as:
add HiddenHttpMethodFilter

Then, you could use delete request on form. Such as:

edited Dec 06 '18 at 11:48

Tobias Wilfert

894
3
15
26

answered Dec 06 '18 at 10:03

Brain U

61
1
2

5

If you use Spring Boot, add `spring.mvc.hiddenmethod.filter.enabled=true` to your `application.properties` to avoid the manual bean configuration. If you use Thymeleaf for the templates, you can use `th:method="DELETE"` to have Thymelaf add the hidden field automatically. – Wim Deblauwe Mar 09 '20 at 19:11
@WimDeblauwe your comment deserves more upvotes, worked for me! – Omnibyte May 28 '20 at 11:04
Turned it into a separate answer now for easier upvoting :) – Wim Deblauwe May 28 '20 at 11:09

Spring Boot how to use HiddenHttpMethodFilter

2 Answers2

Linked