From 5f6bcc0e1ed7bdd96750e8650a3f073127581e13 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 18 Aug 2010 13:01:16 +0100
Subject: [PATCH] SEC-1540: Fix to add HTTP-method specific support for namespace requires-channel attribute.
---
 .../security/config/http/MatcherType.java | 2 +-
 .../config/http/MiscHttpConfigTests.groovy | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/config/src/main/java/org/springframework/security/config/http/MatcherType.java b/config/src/main/java/org/springframework/security/config/http/MatcherType.java
index 4da8b09ea6..0380d3f997 100644
--- a/config/src/main/java/org/springframework/security/config/http/MatcherType.java
+++ b/config/src/main/java/org/springframework/security/config/http/MatcherType.java
@@ -35,7 +35,7 @@ public enum MatcherType {
 }
 BeanDefinition createMatcher(String path, String method) {
- if ("/**".equals(path)) {
+ if ("/**".equals(path) && method == null) {
 return new RootBeanDefinition(AnyRequestMatcher.class);
 }
diff --git a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
index 09cc1b6da4..32aad1a490 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
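Review bot: The `/**` shortcut in `createMatcher` now depends on `method == null`, but nothing at the condition says why, and the reason is security-relevant: `AnyRequestMatcher` is built without the method, so a method-scoped `/**` rule that took the shortcut would presumably apply to every HTTP method and shadow the rules listed after it. A short comment above the condition would keep a later cleanup from simplifying it back, for example `// AnyRequestMatcher ignores the HTTP method; only use it when the rule is not method-specific`. If the caller can pass an empty string for an absent `method` attribute (not visible in this hunk), the null check alone would miss that case, so it is worth confirming what the parser passes. The body of `createMatcher` continues outside the hunk.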
@@ -170,6 +170,40 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
 attrs.contains(new SecurityConfig("ROLE_B"))
 }
+ def httpMethodMatchIsSupportedForRequiresChannel() {
+ httpAutoConfig {
+ 'intercept-url'(pattern: '/anyurl')
+ 'intercept-url'(pattern: '/anyurl', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
+ }
+ createAppContext()
+
+ def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
+ def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
+ def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
+
+ expect:
+ attrs.size() == 1
+ attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
+ attrsPost == null
+ }
+
+ def httpMethodMatchIsSupportedForRequiresChannelAny() {
+ httpAutoConfig {
+ 'intercept-url'(pattern: '/**')
+ 'intercept-url'(pattern: '/**', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
+ }
+ createAppContext()
+
+ def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
+ def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
+ def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
+
+ expect:
+ attrs.size() == 1
+ attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
+ attrsPost == null
+ }
+ + def oncePerRequestAttributeIsSupported() { xml.http('once-per-request': 'false') { 'http-basic'()
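Review bot: The two added features, `httpMethodMatchIsSupportedForRequiresChannel` and `httpMethodMatchIsSupportedForRequiresChannelAny`, are identical apart from the pattern (`'/anyurl'` versus `'/**'`), so the second could be folded into the first as one data-driven feature. Using a variable such as `urlPattern` in both `intercept-url` entries and ending the feature with `where:` followed by `urlPattern << ['/anyurl', '/**']` would keep the regression case for the `/**` shortcut next to the ordinary case and remove the copy. Both features exercise only `ChannelProcessingFilter`; if the access-rule metadata source is built from the same matcher (not visible in this hunk), an equivalent assertion for it would be worth adding. The enclosing class starts and ends outside the hunk.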