From 1b81f6f4c0abcb441781a36f88b0662191e62c61 Mon Sep 17 00:00:00 2001
From: Brian Clozel
Date: Tue, 12 Jun 2018 16:39:42 +0200
Subject: [PATCH 1/3] Fix security test with changes in SPR-16836
This commit replaces the use of a GET method by a DELETE method for testing that the HiddenHttpMethodFilter is ordered before the security filter. With SPR-16836 changes, only PUT DELETE and PATCH are now allowed.
---
 .../SpringBootWebSecurityConfigurationTests.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
index 07812e2891..a73dce757a 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -180,9 +180,9 @@ public class SpringBootWebSecurityConfigurationTests {
 .postForEntity("http://localhost:" + port + "/", form, Object.class);
 assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
- // override method with GET
+ // override method with DELETE
 form = new LinkedMultiValueMap();
- form.add("_method", "GET");
+ form.add("_method", "DELETE");
 result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
 assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
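Review bot: The updated comment `// override method with DELETE` in the hunk at -180 does not record why a safe method can no longer be used, so a later edit could switch it back to GET and the 404 assertion would fail for a reason unrelated to filter ordering. Going by the commit message, HiddenHttpMethodFilter accepts only PUT, DELETE and PATCH after SPR-16836, so I would write `// override with DELETE: HiddenHttpMethodFilter only honours PUT, DELETE and PATCH (SPR-16836)`. The test method starts and ends outside the hunk, so the reading of NOT_FOUND as "passed the security chain, no handler mapped" is inferred from the visible lines only.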
@@ -337,7 +337,8 @@ public class SpringBootWebSecurityConfigurationTests {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().antMatchers(HttpMethod.POST, "/**").denyAll();
+ http.authorizeRequests().mvcMatchers(HttpMethod.POST, "/**").denyAll().and()
+ .csrf().disable();
 }
 }
From 678d3dc394eca7464abf9b3088f73de8c5692908 Mon Sep 17 00:00:00 2001
From: Stephane Nicoll
Date: Wed, 13 Jun 2018 08:49:57 +0200
Subject: [PATCH 2/3] Upgrade to Spring Framework 4.3.18.RELEASE
Closes gh-13352
---
 spring-boot-dependencies/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-dependencies/pom.xml b/spring-boot-dependencies/pom.xml
index 11f53b0ac9..3f33660ad3 100644
--- a/spring-boot-dependencies/pom.xml
+++ b/spring-boot-dependencies/pom.xml
@@ -151,7 +151,7 @@
 1.17
 5.5.5
 1.0-groovy-2.4
- 4.3.18.BUILD-SNAPSHOT
+ 4.3.18.RELEASE
 1.7.8.RELEASE
 1.2.6.RELEASE
 3.0.9.RELEASE
From d24647b07c137754584694574caad202942c8881 Mon Sep 17 00:00:00 2001
From: Stephane Nicoll
Date: Wed, 13 Jun 2018 08:51:40 +0200
Subject: [PATCH 3/3] Upgrade to Spring Framework 5.0.7.RELEASE
Closes gh-13353
---
 spring-boot-project/spring-boot-dependencies/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/pom.xml b/spring-boot-project/spring-boot-dependencies/pom.xml
index 7d2121433f..159a400816 100644
--- a/spring-boot-project/spring-boot-dependencies/pom.xml
+++ b/spring-boot-project/spring-boot-dependencies/pom.xml
@@ -151,7 +151,7 @@
 1.7.25
 1.19
 6.6.3
- 5.0.7.BUILD-SNAPSHOT
+ 5.0.7.RELEASE
 2.0.3.RELEASE
 4.0.1.RELEASE
 2.0.2.RELEASE
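Review bot: In the `configure` override touched by the hunk at -337 of SpringBootWebSecurityConfigurationTests.java (patch 1/3), `.csrf().disable()` and the switch from `antMatchers` to `mvcMatchers` come with no comment, and the commit message mentions neither. Presumably CSRF is turned off because the overridden DELETE is a state-changing method that carries no token and would be rejected with 403, which would hide the filter-ordering result the test is after; that reason belongs next to the call, e.g. `// CSRF off: the overridden DELETE has no token, and a CSRF 403 would mask the ordering check`. Recording it also marks the relaxation as specific to this test configuration rather than something the SPR-16836 change requires of applications. The enclosing configuration class starts outside the hunk.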