Fix security test with changes in SPR-16836

bclozel · bclozel · commit 1b81f6f4c0ab · 2018-06-12T16:39:42.000+02:00
This commit replaces the use of a GET method by a DELETE method for
testing that the HiddenHttpMethodFilter is ordered before the security
filter. With SPR-16836 changes, only PUT DELETE and PATCH are now
allowed.
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -180,9 +180,9 @@ public void testHiddenHttpMethodFilterOrderedFirst() throws Exception {
 				.postForEntity("http://localhost:" + port + "/", form, Object.class);
 		assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
 
-		// override method with GET
+		// override method with DELETE
 		form = new LinkedMultiValueMap<String, String>();
-		form.add("_method", "GET");
+		form.add("_method", "DELETE");
 
 		result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
 		assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
@@ -337,7 +337,8 @@ protected static class DenyPostRequestConfig extends WebSecurityConfigurerAdapte
 
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
-			http.authorizeRequests().antMatchers(HttpMethod.POST, "/**").denyAll();
+			http.authorizeRequests().mvcMatchers(HttpMethod.POST, "/**").denyAll().and()
+					.csrf().disable();
 		}
 
 	}
