Spring Boot how to use HiddenHttpMethodFilter

Asked 2/12, 2015 at 17:0 Answered 13/8, 2022 at 10:46

As we all know, forms only support GET or POST methods, like this:

<form method="[GET|POST]" action="/user/create">

If our controller has a PUT mapping, we get a 405 error, which means we can only use GET or POST but not PUT.

public class UserController {

    @Autowired
    private UserService userService;

    @RequestMapping(value = "/create", method = RequestMethod.PUT)
    public ModelAndView createUser(@ModelAttribute("user") Users user, BindingResult bindingResult){
        ModelAndView mv = new ModelAndView("list");
        // do something...
        return mv;
    }
}

In spring MVC, we can solve this problem:

First, create a hidden field like this:

<form method="[GET|POST]" action="/user/create">
    <input type="hidden" name="_method" value="put"/>

Second, add a filter

<filter>  
    <filter-name>HiddenHttpMethodFilter</filter-name>  
    <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>  
</filter>  

<filter-mapping>  
    <filter-name>HiddenHttpMethodFilter</filter-name>  
    <servlet-name>springmvc</servlet-name>  
</filter-mapping>

In this way, we can use the PUT method.

But how can I do it in Spring Boot? I know Spring Boot have a class named WebMvcAutoConfiguration which owns a method hiddenHttpMethodFilter, but how can I use the class?

Nardoo answered 2/12, 2015 at 17:0 Comment(5)

You shouldn't need to do anything as Spring Boot will automatically configure the hidden http method filter for you – Etheridge 2/12, 2015 at 21:59

@AndyWilkinson thanks a lot man. I edit my question, But if I do not configure the hidden http method filter, how can I use a put submit in html form. – Nardoo 3/12, 2015 at 0:48

Like you normally would. Just put the element in the form... – Vlissingen 3/12, 2015 at 7:7

Since Spring Boot 2.2, the filter is no longer automatically configured. Set spring.mvc.hiddenmethod.filter.enabled=true in your application.properties to enable it again. – Mertz 9/3, 2020 at 19:9

Note that using HiddenHttpMethodFilter opens your application to a whole bunch of new CSRF attacks. Be sure you have other means of blocking requests from external forms. And no, CORS does not work for forms. – Thomasinathomasine 8/6, 2020 at 11:54

Add the following to your application.properties file:

spring.mvc.hiddenmethod.filter.enabled=true

This will automatically configure the HiddenHttpMethodFilter class.

Next, use th:method="DELETE" on the form to have Thymeleaf add the hidden field automatically.

Note

For Spring Boot < 2.2 always registers the filter
For Spring Boot 2.2 or higher you need to set the property

Mertz answered 28/5, 2020 at 11:8 Comment(4)

[Updated]@Deblauwe. I use Sping boot 2.7.0. I put in the form th:method="delete", and atDeleteMapping, and the : "spring.mvc.hiddenmethod.filter.enabled=true" in application.yaml, and it does not work. It says about "Request method post not supported". Any idea please? It is not supported in newest Spring boot versions. Thanks in advance – Skepticism 23/6, 2022 at 6:59

@Skepticism please ask a separate question for this. – Mertz 24/6, 2022 at 7:27

Hello @Deblauwe sir. Thanks for the reply. I used the atBean FilterRegistrationBean, I saw in the next reply. For me, my spring boot did not to create it for me, using the yaml property you mentioned. But, I will make this comment a separate question as you told me, so, you can help me, and the thymeleaf community. I will do it in the next 2 hours (I am in work right now) – Skepticism 24/6, 2022 at 9:36

@Deblauwe - Hello sir. I made this question as you adviced me: "stackoverflow.com/questions/72744349/…". Your experience in this topic will be valuable to me. Thanks in advance – Skepticism 24/6, 2022 at 12:54

I had dealt with this problem not long ago. You only need to and a Bean under anyone @Configuration class. Such as:
add HiddenHttpMethodFilter

Then, you could use delete request on form. Such as:

Pestle answered 6/12, 2018 at 10:3 Comment(3)

If you use Spring Boot, add spring.mvc.hiddenmethod.filter.enabled=true to your application.properties to avoid the manual bean configuration. If you use Thymeleaf for the templates, you can use th:method="DELETE" to have Thymelaf add the hidden field automatically. – Mertz 9/3, 2020 at 19:11

@WimDeblauwe your comment deserves more upvotes, worked for me! – Harold 28/5, 2020 at 11:4

Turned it into a separate answer now for easier upvoting :) – Mertz 28/5, 2020 at 11:9

Addition to Wim Deblauwe answer. If you use application.yml, you need to add: spring:mvc:hiddenmethod:filter:enabled: true

Cloris answered 13/8, 2022 at 10:46 Comment(1)

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Hadria 16/8, 2022 at 20:16

Recommended topics

Hot tags