SONAR-6881 support HEAD HTTP method
authorSimon Brandhof <simon.brandhof@sonarsource.com>
Wed, 30 Sep 2015 08:19:52 +0000 (10:19 +0200)
committerSimon Brandhof <simon.brandhof@sonarsource.com>
Wed, 30 Sep 2015 08:20:10 +0000 (10:20 +0200)
server/sonar-server/src/main/java/org/sonar/server/platform/SecurityServletFilter.java
server/sonar-server/src/test/java/org/sonar/server/platform/SecurityServletFilterTest.java

index 702a6baa2b253f59a0f366729eb387221ba6b623..98d0848e0d0d9a442ae0bcb80d40c56201087ed2 100644 (file)
@@ -37,7 +37,7 @@ import javax.servlet.http.HttpServletResponse;
  */
 public class SecurityServletFilter implements Filter {
 
-  private static final Set<String> ALLOWED_HTTP_METHODS = ImmutableSet.of("DELETE", "GET", "POST", "PUT");
+  private static final Set<String> ALLOWED_HTTP_METHODS = ImmutableSet.of("DELETE", "GET", "HEAD", "POST", "PUT");
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
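Review bot: `ALLOWED_HTTP_METHODS` on the added line carries no comment saying that it is the allow-list enforced by doHttpFilter, so the reason HEAD is now accepted is recorded only in the commit title. I would add above it `// Allow-list of HTTP methods; any other method is answered with 405. HEAD accepted since SONAR-6881.` Because HEAD requests now reach the rest of the filter chain, it is worth confirming that any downstream access or CSRF decision keyed on the method name treats HEAD the same as GET; that code is not visible in this diff. The init method that follows continues outside the hunk.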
@@ -50,7 +50,7 @@ public class SecurityServletFilter implements Filter {
   }
 
   private static void doHttpFilter(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain) throws IOException, ServletException {
-    // SONAR-6881 Disable OPTIONS, HEAD and TRACE methods
+    // SONAR-6881 Disable OPTIONS and TRACE methods
     if (!ALLOWED_HTTP_METHODS.contains(httpRequest.getMethod())) {
       httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
       return;
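Review bot: The rewritten comment in doHttpFilter still reads like a deny-list ("Disable OPTIONS and TRACE"), while the check under it rejects every method missing from `ALLOWED_HTTP_METHODS`, so PATCH, CONNECT or an unknown verb are refused too. A wording such as `// SONAR-6881 Only allow-listed methods pass; OPTIONS, TRACE and any other verb get 405` matches what the code does. The 405 branch sets only the status, and RFC 7231 expects an `Allow` header on that response, e.g. `httpResponse.setHeader("Allow", "DELETE, GET, HEAD, POST, PUT");` before the `return`, unless it is added somewhere not shown here. doHttpFilter's body continues outside the hunk.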
index 0f3adb127b162e94e4dc9745285e85b6acc13f85..256a806442962d29d5fd4081c9713953678d6498 100644 (file)
@@ -42,28 +42,44 @@ public class SecurityServletFilterTest {
   FilterChain chain = mock(FilterChain.class);
 
   @Test
-  public void accept_GET_method() throws IOException, ServletException {
-    HttpServletRequest request = newRequest("GET");
-    underTest.doFilter(request, response, chain);
-    verify(response, never()).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
-    verify(chain).doFilter(request, response);
+  public void allow_GET_method() throws IOException, ServletException {
+    assertThatMethodIsAllowed("GET");
   }
 
   @Test
-  public void deny_HEAD_method() throws IOException, ServletException {
-    underTest.doFilter(newRequest("HEAD"), response, chain);
-    verify(response).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+  public void allow_HEAD_method() throws IOException, ServletException {
+    assertThatMethodIsAllowed("HEAD");
+  }
+
+  @Test
+  public void allow_PUT_method() throws IOException, ServletException {
+    assertThatMethodIsAllowed("PUT");
+  }
+
+  @Test
+  public void allow_POST_method() throws IOException, ServletException {
+    assertThatMethodIsAllowed("POST");
+  }
+
+  private void assertThatMethodIsAllowed(String httpMethod) throws IOException, ServletException {
+    HttpServletRequest request = newRequest(httpMethod);
+    underTest.doFilter(request, response, chain);
+    verify(response, never()).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    verify(chain).doFilter(request, response);
   }
 
   @Test
   public void deny_OPTIONS_method() throws IOException, ServletException {
-    underTest.doFilter(newRequest("OPTIONS"), response, chain);
-    verify(response).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    assertThatMethodIsDenied("OPTIONS");
   }
 
   @Test
   public void deny_TRACE_method() throws IOException, ServletException {
-    underTest.doFilter(newRequest("TRACE"), response, chain);
+    assertThatMethodIsDenied("TRACE");
+  }
+
+  private void assertThatMethodIsDenied(String httpMethod) throws IOException, ServletException {
+    underTest.doFilter(newRequest(httpMethod), response, chain);
     verify(response).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
   }
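Review bot: `assertThatMethodIsDenied` verifies only that the 405 status was set, so a regression that sets the status and still forwards the request down the chain would pass these tests. Holding the request in a local and adding `verify(chain, never()).doFilter(request, response);` would pin the part of the behaviour that matters for security, mirroring what `assertThatMethodIsAllowed` does for the positive case. The allow-list also contains DELETE, but no `allow_DELETE_method` test appears in this hunk; if none exists elsewhere in the class, `assertThatMethodIsAllowed("DELETE")` would complete the set.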