Add Test that HiddenHttpMethodFilter before FilterChainProxy

Fixes gh-3447

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java

@@ -36,11 +36,15 @@ import org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.ServerPropertiesAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration;
+import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -51,8 +55,11 @@ import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 import org.springframework.web.context.WebApplicationContext;
 
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
@@ -60,6 +67,7 @@ import static org.junit.Assert.assertTrue;
  * Tests for {@link SpringBootWebSecurityConfiguration}.
  *
  * @author Dave Syer
+ * @author Rob Winch
  */
 public class SpringBootWebSecurityConfigurationTests {
 
@@ -160,6 +168,30 @@ public class SpringBootWebSecurityConfigurationTests {
 				new UsernamePasswordAuthenticationToken("dave", "secret")));
 	}
 
+	// gh-3447
+	@Test
+	public void testHiddenHttpMethodFilterOrderedFirst()
+			throws Exception {
+		this.context = SpringApplication.run(DenyPostRequestConfig.class,
+				"--server.port=0");
+		int port = Integer.parseInt(this.context.getEnvironment().getProperty("local.server.port"));
+		TestRestTemplate rest = new TestRestTemplate();
+
+		// not overriding causes forbidden
+		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
+
+		ResponseEntity<Object> result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
+		assertEquals(HttpStatus.FORBIDDEN, result.getStatusCode());
+
+
+		// override method with GET
+		form = new LinkedMultiValueMap<String, String>();
+		form.add("_method", "GET");
+
+		result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
+		assertEquals(HttpStatus.NOT_FOUND, result.getStatusCode());
+	}
+
 	@Configuration
 	@Import(TestWebConfiguration.class)
 	@Order(Ordered.LOWEST_PRECEDENCE)
@@ -219,4 +251,15 @@ public class SpringBootWebSecurityConfigurationTests {
 
 	}
 
+	@MinimalWebConfiguration
+	@Import(SecurityAutoConfiguration.class)
+	protected static class DenyPostRequestConfig extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.authorizeRequests()
+					.antMatchers(HttpMethod.POST, "/**").denyAll();
+		}
+	}
 }