diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
index 05ddb22564..0628529318 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
@@ -15,7 +15,10 @@
*/
package org.springframework.security.config.annotation.web.configurers
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
import org.springframework.security.core.userdetails.PasswordEncodedUser
+import org.springframework.security.web.firewall.StrictHttpFirewall
import javax.servlet.http.HttpServletResponse
@@ -44,7 +47,7 @@ class CsrfConfigurerTests extends BaseSpringSpec {
@Unroll
def "csrf applied by default"() {
setup:
- loadConfig(CsrfAppliedDefaultConfig)
+ loadConfig(CsrfAppliedDefaultConfig, AllowHttpMethodsFirewallConfig)
request.method = httpMethod
clearCsrfToken()
when:
@@ -66,11 +69,21 @@ class CsrfConfigurerTests extends BaseSpringSpec {
def "csrf default creates CsrfRequestDataValueProcessor"() {
when:
- loadConfig(CsrfAppliedDefaultConfig)
+ loadConfig(CsrfAppliedDefaultConfig, AllowHttpMethodsFirewallConfig)
then:
context.getBean(RequestDataValueProcessor)
}
+ @Configuration
+ static class AllowHttpMethodsFirewallConfig {
+ @Bean
+ StrictHttpFirewall strictHttpFirewall() {
+ StrictHttpFirewall result = new StrictHttpFirewall();
+ result.setAllowedHttpMethods(StrictHttpFirewall.ALLOW_ANY_HTTP_METHOD);
+ return result;
+ }
+ }
+
@EnableWebSecurity
static class CsrfAppliedDefaultConfig extends WebSecurityConfigurerAdapter {
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.groovy
index 3ace0a8dc5..54d9e16b97 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.groovy
@@ -46,7 +46,7 @@ public class NamespaceHttpFirewallTests extends BaseSpringSpec {
MockFilterChain chain
def setup() {
- request = new MockHttpServletRequest()
+ request = new MockHttpServletRequest("GET", "")
response = new MockHttpServletResponse()
chain = new MockFilterChain()
}
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.groovy
index b36c150117..2b8dd04b90 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.groovy
@@ -44,7 +44,7 @@ public class NamespaceHttpPortMappingsTests extends BaseSpringSpec {
MockFilterChain chain
def setup() {
- request = new MockHttpServletRequest()
+ request = new MockHttpServletRequest("GET", "")
request.setMethod("GET")
response = new MockHttpServletResponse()
chain = new MockFilterChain()
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy
index fd9a1aecbf..d73f30c526 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy
@@ -371,7 +371,7 @@ public class NamespaceRememberMeTests extends BaseSpringSpec {
}
Cookie createRememberMeCookie() {
- MockHttpServletRequest request = new MockHttpServletRequest()
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response = new MockHttpServletResponse()
super.setupCsrf("CSRF_TOKEN", request, response)
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.groovy
index 1f2b8e78b3..18520a9855 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.groovy
@@ -270,7 +270,7 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
}
Cookie createRememberMeCookie() {
- MockHttpServletRequest request = new MockHttpServletRequest()
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response = new MockHttpServletResponse()
super.setupCsrf("CSRF_TOKEN", request, response)
diff --git a/config/src/test/groovy/org/springframework/security/config/http/AbstractHttpConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/AbstractHttpConfigTests.groovy
index fc3e73baaa..53ea917d45 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/AbstractHttpConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/AbstractHttpConfigTests.groovy
@@ -67,7 +67,7 @@ abstract class AbstractHttpConfigTests extends AbstractXmlConfigTests {
}
FilterInvocation createFilterinvocation(String path, String method) {
- MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setMethod(method);
request.setRequestURI(null);
request.setServletPath(path);
diff --git a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
index de2a887c86..ca3c807cc7 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
@@ -69,7 +69,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, defaultHeaders)
}
@@ -83,7 +83,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, defaultHeaders)
}
@@ -98,7 +98,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
def expectedHeaders = [:] << defaultHeaders
expectedHeaders['X-Frame-Options'] = 'SAMEORIGIN'
@@ -131,7 +131,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
expect:
assertHeaders(response, ['X-Content-Type-Options':'nosniff'])
@@ -147,7 +147,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
expect:
assertHeaders(response, ['X-Frame-Options':'DENY'])
@@ -163,7 +163,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
expect:
assertHeaders(response, ['X-Frame-Options':'DENY'])
@@ -179,7 +179,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
expect:
assertHeaders(response, ['X-Frame-Options':'SAMEORIGIN'])
@@ -228,7 +228,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com'])
@@ -246,7 +246,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- def request = new MockHttpServletRequest()
+ def request = new MockHttpServletRequest("GET", "")
request.setParameter("from", "https://example.com");
hf.doFilter(request, response, new MockFilterChain())
@@ -265,7 +265,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['a':'b'])
@@ -283,7 +283,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response , ['a':'b', 'c':'d'])
@@ -304,7 +304,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['abc':'def'])
}
@@ -346,7 +346,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['X-XSS-Protection':'1; mode=block'])
@@ -363,7 +363,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['X-XSS-Protection':'1; mode=block'])
@@ -380,7 +380,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['X-XSS-Protection':'0'])
@@ -413,7 +413,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
'Expires' : '0',
@@ -431,7 +431,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains'])
}
@@ -447,7 +447,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
response.headerNames.empty
}
@@ -465,7 +465,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['Strict-Transport-Security': 'max-age=1'])
}
@@ -515,7 +515,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="'])
}
@@ -535,7 +535,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="'])
}
@@ -555,7 +555,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
response.headerNames.empty
}
@@ -575,7 +575,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=604800 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="'])
}
@@ -595,7 +595,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Public-Key-Pins': 'max-age=5184000 ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="'])
}
@@ -615,7 +615,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; includeSubDomains'])
}
@@ -635,7 +635,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def springSecurityFilterChain = appContext.getBean(FilterChainProxy)
MockHttpServletResponse response = new MockHttpServletResponse()
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="http://example.net/pkp-report"'])
}
@@ -657,7 +657,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
expectedHeaders.remove('Expires')
expectedHeaders.remove('Pragma')
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, expectedHeaders)
}
@@ -675,7 +675,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def expectedHeaders = [:] << defaultHeaders
expectedHeaders.remove('X-Content-Type-Options')
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, expectedHeaders)
}
@@ -693,7 +693,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def expectedHeaders = [:] << defaultHeaders
expectedHeaders.remove('Strict-Transport-Security')
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, expectedHeaders)
}
@@ -714,7 +714,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
MockHttpServletResponse response = new MockHttpServletResponse()
def expectedHeaders = [:] << defaultHeaders
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, expectedHeaders)
}
@@ -732,7 +732,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def expectedHeaders = [:] << defaultHeaders
expectedHeaders.remove('X-Frame-Options')
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, expectedHeaders)
}
@@ -750,7 +750,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
def expectedHeaders = [:] << defaultHeaders
expectedHeaders.remove('X-XSS-Protection')
when:
- springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, expectedHeaders)
}
@@ -853,7 +853,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
def expectedHeaders = [:] << defaultHeaders
expectedHeaders['Content-Security-Policy'] = 'default-src \'self\''
then:
@@ -885,7 +885,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
then:
assertHeaders(response, ['Content-Security-Policy':'default-src \'self\''])
}
@@ -913,7 +913,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest(secure:true, method: "GET"), response, new MockFilterChain())
def expectedHeaders = [:] << defaultHeaders
expectedHeaders['Content-Security-Policy-Report-Only'] = 'default-src https:; report-uri https://example.com/'
then:
@@ -931,7 +931,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['Referrer-Policy': 'no-referrer'])
}
@@ -947,7 +947,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
when:
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
- hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
+ hf.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain())
then:
assertHeaders(response, ['Referrer-Policy': 'same-origin'])
}
diff --git a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
index 4c4bab3b99..f84677d306 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
@@ -142,7 +142,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
createAppContext()
then:
Filter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
- MockHttpServletRequest request = new MockHttpServletRequest()
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
request.setServletPath("/unprotected");
debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
request.setServletPath("/nomatch");
diff --git a/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
index 6f06c39411..6d54e6b384 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
@@ -93,7 +93,7 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
UserDetailsService uds = appContext.getBean('uds')
UserDetailsService uds2 = appContext.getBean('uds2')
when:
- MockHttpServletRequest request = new MockHttpServletRequest()
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
request.servletPath = "/first/login"
@@ -104,7 +104,7 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
verify(uds).loadUserByUsername(anyString()) || true
verifyZeroInteractions(uds2) || true
when:
- MockHttpServletRequest request2 = new MockHttpServletRequest()
+ MockHttpServletRequest request2 = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response2 = new MockHttpServletResponse()
MockFilterChain chain2 = new MockFilterChain()
request2.servletPath = "/login"
diff --git a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
index a4e2e6748c..4b7908e5e7 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
@@ -115,7 +115,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
createAppContext()
SessionRegistry registry = appContext.getBean(SessionRegistry)
registry.registerNewSession("1", new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER")))
- MockHttpServletRequest request = new MockHttpServletRequest()
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response = new MockHttpServletResponse()
String credentials = "user:password"
request.addHeader("Authorization", "Basic " + credentials.bytes.encodeBase64())
@@ -134,7 +134,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
}
}
createAppContext()
- MockHttpServletRequest request = new MockHttpServletRequest()
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response = new MockHttpServletResponse()
String originalSessionId = request.session.id
String credentials = "user:password"
@@ -282,7 +282,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
mockBean(SessionAuthenticationStrategy,'ss')
createAppContext()
- MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.getSession();
request.servletPath = "/login"
request.setMethod("POST");
@@ -343,15 +343,15 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
}
};
when: "First session is established"
- seshFilter.doFilter(new MockHttpServletRequest(), response, new MockFilterChain());
+ seshFilter.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain());
then: "ok"
mockResponse.redirectedUrl == null
when: "Second session is established"
- seshFilter.doFilter(new MockHttpServletRequest(), response, new MockFilterChain());
+ seshFilter.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain());
then: "ok"
mockResponse.redirectedUrl == null
when: "Third session is established"
- seshFilter.doFilter(new MockHttpServletRequest(), response, new MockFilterChain());
+ seshFilter.doFilter(new MockHttpServletRequest("GET", ""), response, new MockFilterChain());
then: "Rejected"
mockResponse.redirectedUrl == "/max-exceeded";
}
diff --git a/config/src/test/java/org/springframework/security/config/FilterChainProxyConfigTests.java b/config/src/test/java/org/springframework/security/config/FilterChainProxyConfigTests.java
index ba898c74ae..2ed1916a9e 100644
--- a/config/src/test/java/org/springframework/security/config/FilterChainProxyConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/FilterChainProxyConfigTests.java
@@ -152,7 +152,7 @@ public class FilterChainProxyConfigTests {
}
private void doNormalOperation(FilterChainProxy filterChainProxy) throws Exception {
- MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setServletPath("/foo/secure/super/somefile.html");
MockHttpServletResponse response = new MockHttpServletResponse();
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
index 3cc4c10105..4adca37d33 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
@@ -54,7 +54,7 @@ public class WebSecurityTests {
@Before
public void setup() {
- this.request = new MockHttpServletRequest();
+ this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
index 3ddf21e6d6..51b0a96080 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
@@ -274,7 +274,7 @@ public class WebSecurityConfigurationTests {
public void securityExpressionHandlerWhenPermissionEvaluatorBeanThenPermissionEvaluatorUsed() throws Exception {
this.spring.register(WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig.class).autowire();
TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "notused");
- FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
+ FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest("GET", ""), new MockHttpServletResponse(), new MockFilterChain());
AbstractSecurityExpressionHandler handler = this.spring.getContext().getBean(AbstractSecurityExpressionHandler.class);
EvaluationContext evaluationContext = handler.createEvaluationContext(authentication, invocation);
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java
index e05f6e7a01..697ddc2937 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java
@@ -68,7 +68,7 @@ public class AuthorizeRequestsTests {
@Before
public void setup() {
this.servletContext = spy(new MockServletContext());
- this.request = new MockHttpServletRequest();
+ this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java
index 3a5d338b2e..fdb6ce5e96 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java
@@ -51,7 +51,7 @@ public class HttpSecurityAntMatchersTests {
@Before
public void setup() {
- request = new MockHttpServletRequest();
+ request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java
index b327926ab6..30200a83c0 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java
@@ -52,7 +52,7 @@ public class HttpSecurityLogoutTests {
@Before
public void setup() {
- request = new MockHttpServletRequest();
+ request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java
index 6835425ddf..1c451a737f 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java
@@ -55,7 +55,7 @@ public class HttpSecurityRequestMatchersTests {
@Before
public void setup() {
- this.request = new MockHttpServletRequest();
+ this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
index 441a017546..6d5113c9ba 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
@@ -72,7 +72,7 @@ public class SessionManagementConfigurerServlet31Tests {
@Before
public void setup() {
- request = new MockHttpServletRequest();
+ request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@@ -88,7 +88,7 @@ public class SessionManagementConfigurerServlet31Tests {
public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
spy(ReflectionUtils.class);
Method method = mock(Method.class);
- MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.getSession();
request.setServletPath("/login");
request.setMethod("POST");
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java
index 0f47ac8560..2a598af47a 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java
@@ -55,7 +55,7 @@ public class UrlAuthorizationConfigurerTests {
@Before
public void setup() {
- this.request = new MockHttpServletRequest();
+ this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();
@@ -211,4 +211,4 @@ public class UrlAuthorizationConfigurerTests {
this.context.getAutowireCapableBeanFactory().autowireBean(this);
}
-}
\ No newline at end of file
+}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
index 08917c1bad..ca12f7556c 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
@@ -140,7 +140,7 @@ public class OAuth2ClientConfigurerTests {
AuthorizationRequestRepository
+ * Determines which HTTP methods should be allowed. The default is to allow "DELETE", "GET", "HEAD", "OPTIONS", + * "PATCH", "POST", and "PUT". + *
+ * + * @param allowedHttpMethods the case-sensitive collection of HTTP methods that are allowed. + * @see #setUnsafeAllowAnyHttpMethod(boolean) + * @since 5.1 + */ + public void setAllowedHttpMethods(Collection
* Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
@@ -242,6 +289,7 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override
public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
+ rejectForbiddenHttpMethod(request);
rejectedBlacklistedUrls(request);
if (!isNormalized(request)) {
@@ -259,6 +307,18 @@ public class StrictHttpFirewall implements HttpFirewall {
};
}
+ private void rejectForbiddenHttpMethod(HttpServletRequest request) {
+ if (this.allowedHttpMethods == ALLOW_ANY_HTTP_METHOD) {
+ return;
+ }
+ if (!this.allowedHttpMethods.contains(request.getMethod())) {
+ throw new RequestRejectedException("The request was rejected because the HTTP method \"" +
+ request.getMethod() +
+ "\" was not included within the whitelist " +
+ this.allowedHttpMethods);
+ }
+ }
+
private void rejectedBlacklistedUrls(HttpServletRequest request) {
for (String forbidden : this.encodedUrlBlacklist) {
if (encodedUrlContains(request, forbidden)) {
@@ -277,6 +337,18 @@ public class StrictHttpFirewall implements HttpFirewall {
return new FirewalledResponse(response);
}
+ private static Set