diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
index 70d4f75e78..6dafcd3789 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -396,6 +396,11 @@ class HttpConfigurationBuilder {
BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class);
requestKey.getConstructorArgumentValues().addGenericArgumentValue(path);
+ String method = urlElt.getAttribute(ATT_HTTP_METHOD);
+ if(StringUtils.hasText(method)) {
+ requestKey.getConstructorArgumentValues().addGenericArgumentValue(method);
+ }
+
RootBeanDefinition channelAttributes = new RootBeanDefinition(ChannelAttributeFactory.class);
channelAttributes.getConstructorArgumentValues().addGenericArgumentValue(requiredChannel);
channelAttributes.setFactoryMethodName("createChannelAttributes");
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
index 148366eb0d..2d295115c2 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@@ -56,6 +56,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
static final String OPT_FILTERS_NONE = "none";
static final String ATT_REQUIRES_CHANNEL = "requires-channel";
+ static final String ATT_HTTP_METHOD = "method";
private static final String ATT_LOWERCASE_COMPARISONS = "lowercase-comparisons";
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index 93ed999143..bb0a55561a 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -85,6 +85,7 @@ import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.SessionManagementFilter;
+import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.util.ReflectionUtils;
/**
@@ -407,6 +408,23 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(attrs.contains(new SecurityConfig("ROLE_B")));
}
+
+ @Test
+ public void httpMethodMatchIsSupportedForRequiresChannel() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+
+ ChannelProcessingFilter filter = getFilter(ChannelProcessingFilter.class);
+ FilterInvocationSecurityMetadataSource fids = (FilterInvocationSecurityMetadataSource)FieldUtils.getFieldValue(filter,"securityMetadataSource");
+ Collection attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
+ assertEquals(1, attrs.size());
+ attrs = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
+ assertEquals(null, attrs);
+ }
+
@Test
public void oncePerRequestAttributeIsSupported() throws Exception {
setContext("" + AUTH_PROVIDER_XML);