From 1b81f6f4c0abcb441781a36f88b0662191e62c61 Mon Sep 17 00:00:00 2001
From: Brian Clozel
Date: Tue, 12 Jun 2018 16:39:42 +0200
Subject: [PATCH] Fix security test with changes in SPR-16836

This commit replaces the use of a GET method by a DELETE method for testing that the HiddenHttpMethodFilter is ordered before the security filter. With SPR-16836 changes, only PUT DELETE and PATCH are now allowed.
---
 .../SpringBootWebSecurityConfigurationTests.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
index 07812e28911..a73dce757a2 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -180,9 +180,9 @@ public class SpringBootWebSecurityConfigurationTests {
 .postForEntity("http://localhost:" + port + "/", form, Object.class);
 assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
- // override method with GET
+ // override method with DELETE
 form = new LinkedMultiValueMap();
- form.add("_method", "GET");
+ form.add("_method", "DELETE");
 result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
 assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
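Review bot: The updated assertion covers only an allowed override; nothing in this test now checks that a POST carrying `_method=GET` is still treated as a POST. Since the description says only PUT, DELETE and PATCH are honoured after SPR-16836, that request should presumably hit the `denyAll()` rule and return 403, and asserting it would catch a regression in the restriction. The comment could also say why 404 is the expected status, e.g. `// DELETE is not matched by the POST-only denyAll rule, so a 404 shows the override ran before the security filter`. The test method starts above this hunk.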
@@ -337,7 +337,8 @@ public class SpringBootWebSecurityConfigurationTests {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().antMatchers(HttpMethod.POST, "/**").denyAll();
+ http.authorizeRequests().mvcMatchers(HttpMethod.POST, "/**").denyAll().and()
+ .csrf().disable();
 }
 }
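Review bot: `.csrf().disable()` is added without a comment saying why this test configuration needs it. Presumably the overridden DELETE would otherwise be rejected for lacking a CSRF token, which would mask the filter-ordering result the test is after; a line such as `// CSRF off so the status codes reflect only the POST denyAll rule and filter order` above the chain would keep readers from copying it into application configuration. The switch from `antMatchers` to `mvcMatchers` on the same line is not mentioned in the commit description and deserves a word as well. The enclosing configuration class begins outside the hunk.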