Restrict HTTP methods on Reactive HiddenHttpMethodFilter

This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter
(Reactive variant) to the following: PUT, DELETE, PATCH.

This filter is meant to be used to simulate those methods from HTML
forms sent by browsers, so no other methods are allowed.

Issue: SPR-16836
Brian Clozel
2018-05-18 14:35:35 +02:00
parent f64fa3dea1
commit a5cd01a4c8
2 changed files with 21 additions and 3 deletions


@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,6 +52,12 @@ public class HiddenHttpMethodFilterTests {
assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
}
@Test
public void filterWithParameterMethodNotAllowed() {
postForm("_method=TRACE").block(Duration.ZERO);
assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
}
@Test
public void filterWithNoParameter() {
postForm("").block(Duration.ZERO);
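Review bot: The new test `filterWithParameterMethodNotAllowed` pins only one rejected value, `_method=TRACE`, so it would still pass if the filter blocked TRACE alone rather than enforcing the PUT/DELETE/PATCH allowlist the commit message describes. Repeating the assertion for other values, for example `postForm("_method=OPTIONS")` and `postForm("_method=GET")`, would tie the test to the allowlist itself. The filter change is not visible in this section, so whether the parameter value is case-normalised before the check is an assumption to confirm, and a lower-case `_method=trace` case would settle it. A one-line comment on the test such as `// only PUT, DELETE and PATCH may be tunnelled through _method; anything else leaves the request as POST` would record why POST is the expected result. The body of `filterWithNoParameter` continues past the end of the hunk.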