Fix security test with changes in SPR-16836

This commit replaces the use of a GET method by a DELETE method for
testing that the HiddenHttpMethodFilter is ordered before the security
filter. With the SPR-16836 changes, only PUT, DELETE and PATCH are now
allowed.
pull/13438/merge
Brian Clozel 7 years ago
parent 9d9acc92e3
commit 1b81f6f4c0

@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2017 the original author or authors. * Copyright 2012-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -180,9 +180,9 @@ public class SpringBootWebSecurityConfigurationTests {
.postForEntity("http://localhost:" + port + "/", form, Object.class); .postForEntity("http://localhost:" + port + "/", form, Object.class);
assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN); assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
// override method with GET // override method with DELETE
form = new LinkedMultiValueMap<String, String>(); form = new LinkedMultiValueMap<String, String>();
form.add("_method", "GET"); form.add("_method", "DELETE");
result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class); result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND); assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
@ -337,7 +337,8 @@ public class SpringBootWebSecurityConfigurationTests {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers(HttpMethod.POST, "/**").denyAll(); http.authorizeRequests().mvcMatchers(HttpMethod.POST, "/**").denyAll().and()
.csrf().disable();
} }
} }
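Review bot: The added `.csrf().disable()` in `configure` (third hunk) carries no comment explaining why a security test switches CSRF protection off, and neither it nor the move from `antMatchers` to `mvcMatchers` is mentioned in the commit message. Presumably the request that HiddenHttpMethodFilter rewrites to DELETE would otherwise be answered with 403 by the CSRF check, which would mask the filter-ordering result the test asserts with `NOT_FOUND`. I would put a comment above the chain, for example `// CSRF is disabled so the overridden DELETE reaches the authorization rules instead of being rejected by the CSRF check`. The enclosing configuration class begins outside the hunk, so whether other tests rely on the same configuration cannot be judged from here.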
