diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
index e79304b6d2a..7fb57942fea 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
@@ -36,11 +36,15 @@ import org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.ServerPropertiesAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration;
+import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -51,8 +55,11 @@ import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.result.MockMvcResultMatchers; import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.util.LinkedMultiValueMap; +import org.springframework.util.MultiValueMap; import org.springframework.web.context.WebApplicationContext; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; @@ -60,6 +67,7 @@ import static org.junit.Assert.assertTrue; * Tests for {@link SpringBootWebSecurityConfiguration}. * * @author Dave Syer + * @author Rob Winch */ public class SpringBootWebSecurityConfigurationTests { @@ -160,6 +168,30 @@ public class SpringBootWebSecurityConfigurationTests { new UsernamePasswordAuthenticationToken("dave", "secret"))); } + // gh-3447 + @Test + public void testHiddenHttpMethodFilterOrderedFirst() + throws Exception { + this.context = SpringApplication.run(DenyPostRequestConfig.class, + "--server.port=0"); + int port = Integer.parseInt(this.context.getEnvironment().getProperty("local.server.port")); + TestRestTemplate rest = new TestRestTemplate(); + + // not overriding causes forbidden + MultiValueMap form = new LinkedMultiValueMap(); + + ResponseEntity result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class); + assertEquals(HttpStatus.FORBIDDEN, result.getStatusCode()); + + + // override method with GET + form = new LinkedMultiValueMap(); + form.add("_method", "GET"); + + result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class); + assertEquals(HttpStatus.NOT_FOUND, result.getStatusCode()); + } + @Configuration @Import(TestWebConfiguration.class) @Order(Ordered.LOWEST_PRECEDENCE) 
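Review bot: The raw `MultiValueMap form = new LinkedMultiValueMap();` and `ResponseEntity result = ...` declarations in testHiddenHttpMethodFilterOrderedFirst should carry type arguments — `MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();` and `ResponseEntity<Object> result = ...` — since the later `form.add("_method", "GET")` call is otherwise unchecked. More importantly, nothing in the test says why this filter order is a security property: the POST is denied by a method-scoped `denyAll()` rule, and after `_method=GET` is applied the same request is no longer denied, which shows the authorization rule is evaluated against the overridden method; a comment above `@Test` such as `// HiddenHttpMethodFilter must precede the security filter chain so that method-scoped authorization rules and the eventual handler see the same (overridden) method` would make the bare `// gh-3447` reference self-explanatory. The `HttpStatus.NOT_FOUND` expectation on the overridden request presumably relies on no handler being mapped at `/` in the test configuration, which is outside this hunk and worth stating in the comment. The enclosing test class continues past the hunk.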
@@ -219,4 +251,15 @@ public class SpringBootWebSecurityConfigurationTests {
 }
+ @MinimalWebConfiguration
+ @Import(SecurityAutoConfiguration.class)
+ protected static class DenyPostRequestConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .authorizeRequests()
+ .antMatchers(HttpMethod.POST, "/**").denyAll();
+ }
+ }
 }
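Review bot: `DenyPostRequestConfig.configure` replaces the default `HttpSecurity` rules but, as far as the hunk shows, leaves CSRF protection at its default, so a form POST without a token is likely rejected by the CSRF filter before the `antMatchers(HttpMethod.POST, "/**").denyAll()` rule is reached; the 403 the companion test expects for the un-overridden POST is then not clearly attributable to this rule (unless something in `MinimalWebConfiguration`, outside this hunk, disables CSRF). If the intent is to prove that method-scoped authorization sees the `_method` override, add `http.csrf().disable();` ahead of `authorizeRequests()` in this test-only fixture so the denial comes from the rule alone. A one-line comment on the class, `// test fixture: every POST is denied, so only a request rewritten to GET by HiddenHttpMethodFilter can get past the security filters`, would also state what the configuration is for. No `anyRequest()` clause follows the POST rule, so requests with other methods carry no authorization rule at all — acceptable for a fixture, but worth saying explicitly.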