Restrict HTTP methods on Reactive HiddenHttpMethodFilter
This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter (Reactive variant) to the following: PUT, DELETE, PATCH. This filter is meant to be used to simulate those methods from HTML forms sent by browsers, so no other methods are allowed. Issue: SPR-16836
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -52,6 +52,12 @@ public class HiddenHttpMethodFilterTests {
|
||||
assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWithParameterMethodNotAllowed() {
|
||||
postForm("_method=TRACE").block(Duration.ZERO);
|
||||
assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWithNoParameter() {
|
||||
postForm("").block(Duration.ZERO);
|
||||
|
||||
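Review bot: The new `filterWithParameterMethodNotAllowed` test pins the restriction with a single value, `_method=TRACE`, so a regression that re-admits any other method would pass unnoticed. The commit message limits the override to PUT, DELETE and PATCH, so I would assert the same fallback for other values such as `GET`, `HEAD` and `OPTIONS`, e.g. `postForm("_method=OPTIONS").block(Duration.ZERO);` followed by `assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());`. A lower-case `_method=trace` case is worth adding too, but how the filter normalises case is not visible in this hunk, so that expectation needs checking against the implementation. A short comment in the test, `// only PUT, DELETE and PATCH may be tunnelled through _method; anything else stays POST`, would record why POST is the expected result. The test ending at the top of the hunk starts outside it, and `filterWithNoParameter` continues past its last line.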