Add Test that HiddenHttpMethodFilter before FilterChainProxy

Fixes gh-3447
pull/3651/merge
Rob Winch 9 years ago
parent 8e114e3e2a
commit f543e3259e

@ -36,11 +36,15 @@ import org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration;
import org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration; import org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration;
import org.springframework.boot.autoconfigure.web.ServerPropertiesAutoConfiguration; import org.springframework.boot.autoconfigure.web.ServerPropertiesAutoConfiguration;
import org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration; import org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration;
import org.springframework.boot.test.TestRestTemplate;
import org.springframework.context.ConfigurableApplicationContext; import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import; import org.springframework.context.annotation.Import;
import org.springframework.core.Ordered; import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order; import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@ -51,8 +55,11 @@ import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers; import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.WebApplicationContext;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
@ -60,6 +67,7 @@ import static org.junit.Assert.assertTrue;
* Tests for {@link SpringBootWebSecurityConfiguration}. * Tests for {@link SpringBootWebSecurityConfiguration}.
* *
* @author Dave Syer * @author Dave Syer
* @author Rob Winch
*/ */
public class SpringBootWebSecurityConfigurationTests { public class SpringBootWebSecurityConfigurationTests {
@ -160,6 +168,30 @@ public class SpringBootWebSecurityConfigurationTests {
new UsernamePasswordAuthenticationToken("dave", "secret"))); new UsernamePasswordAuthenticationToken("dave", "secret")));
} }
// gh-3447
@Test
public void testHiddenHttpMethodFilterOrderedFirst()
throws Exception {
this.context = SpringApplication.run(DenyPostRequestConfig.class,
"--server.port=0");
int port = Integer.parseInt(this.context.getEnvironment().getProperty("local.server.port"));
TestRestTemplate rest = new TestRestTemplate();
// not overriding causes forbidden
MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
ResponseEntity<Object> result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
assertEquals(HttpStatus.FORBIDDEN, result.getStatusCode());
// override method with GET
form = new LinkedMultiValueMap<String, String>();
form.add("_method", "GET");
result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
assertEquals(HttpStatus.NOT_FOUND, result.getStatusCode());
}
@Configuration @Configuration
@Import(TestWebConfiguration.class) @Import(TestWebConfiguration.class)
@Order(Ordered.LOWEST_PRECEDENCE) @Order(Ordered.LOWEST_PRECEDENCE)
@ -219,4 +251,15 @@ public class SpringBootWebSecurityConfigurationTests {
} }
@MinimalWebConfiguration
@Import(SecurityAutoConfiguration.class)
protected static class DenyPostRequestConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/**").denyAll();
}
}
} }

Loading…
Cancel
Save