SEC-2292: Add test to assert CSRF bypass of methods is case sensitive

HTTP methods should be case sensitive, so add test to ensure that this is
the case http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1

web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java

@@ -311,6 +311,33 @@ public class CsrfFilterTests {
         }
     }
 
+    /**
+     * SEC-2292 Should not allow other cases through since spec states HTTP
+     * method is case sensitive
+     * http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
+     *
+     * @throws ServletException
+     * @throws IOException
+     */
+    @Test
+    public void doFilterDefaultRequireCsrfProtectionMatcherAllowedMethodsCaseSensitive()
+            throws ServletException, IOException {
+        filter = new CsrfFilter(tokenRepository);
+        filter.setAccessDeniedHandler(deniedHandler);
+
+        for (String method : Arrays.asList("get", "TrAcE", "oPTIOnS", "hEaD")) {
+            resetRequestResponse();
+            when(tokenRepository.loadToken(request)).thenReturn(token);
+            request.setMethod(method);
+
+            filter.doFilter(request, response, filterChain);
+
+            verify(deniedHandler).handle(eq(request), eq(response),
+                    any(InvalidCsrfTokenException.class));
+            verifyZeroInteractions(filterChain);
+        }
+    }
+
     @Test
     public void doFilterDefaultRequireCsrfProtectionMatcherDeniedMethods()
             throws ServletException, IOException {