From 87c2f6036798372d0e965e4a456d774cce61df86 Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Wed, 30 Sep 2015 10:19:52 +0200
Subject: [PATCH] SONAR-6881 support HEAD HTTP method
---
 .../platform/SecurityServletFilter.java | 4 +-
 .../platform/SecurityServletFilterTest.java | 38 +++++++++++++------
 2 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/platform/SecurityServletFilter.java b/server/sonar-server/src/main/java/org/sonar/server/platform/SecurityServletFilter.java
index 702a6baa2b2..98d0848e0d0 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/platform/SecurityServletFilter.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/platform/SecurityServletFilter.java
@@ -37,7 +37,7 @@ import javax.servlet.http.HttpServletResponse;
 */
 public class SecurityServletFilter implements Filter {
- private static final Set ALLOWED_HTTP_METHODS = ImmutableSet.of("DELETE", "GET", "POST", "PUT");
+ private static final Set ALLOWED_HTTP_METHODS = ImmutableSet.of("DELETE", "GET", "HEAD", "POST", "PUT");
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
@@ -50,7 +50,7 @@ public class SecurityServletFilter implements Filter {
 }
 private static void doHttpFilter(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain) throws IOException, ServletException {
- // SONAR-6881 Disable OPTIONS, HEAD and TRACE methods
+ // SONAR-6881 Disable OPTIONS and TRACE methods
 if (!ALLOWED_HTTP_METHODS.contains(httpRequest.getMethod())) {
 httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
 return;
diff --git a/server/sonar-server/src/test/java/org/sonar/server/platform/SecurityServletFilterTest.java b/server/sonar-server/src/test/java/org/sonar/server/platform/SecurityServletFilterTest.java
index 0f3adb127b1..256a8064429 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/platform/SecurityServletFilterTest.java
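Review bot: With `"HEAD"` added to `ALLOWED_HTTP_METHODS`, HEAD requests now pass this filter and reach everything behind it in the chain, so any downstream access rule keyed on the request method has to treat HEAD the same as GET. Those rules are not visible in this hunk; if they exist (servlet security constraints, per-verb checks in web services), it is worth confirming they do not enumerate only GET and POST, because a method that is allowed here but unlisted there would skip the method-specific check. A comment above the set would make the contract explicit, for example `// Allowlist: a method not listed here is answered with 405 by doHttpFilter`.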
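Review bot: The updated comment `// SONAR-6881 Disable OPTIONS and TRACE methods` names two methods, but the check under it is an allowlist and rejects every method that is not in `ALLOWED_HTTP_METHODS`, not just those two. I would word it as `// SONAR-6881 Only methods in ALLOWED_HTTP_METHODS pass; anything else (OPTIONS, TRACE, ...) gets 405`. The 405 branch shown here also sets no `Allow` header, which RFC 7231 requires on a 405 response; `httpResponse.setHeader("Allow", "DELETE, GET, HEAD, POST, PUT");` before the `return` would cover it, unless the header is added elsewhere. The body of doHttpFilter continues past the end of the hunk.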
+++ b/server/sonar-server/src/test/java/org/sonar/server/platform/SecurityServletFilterTest.java 
@@ -42,28 +42,44 @@ public class SecurityServletFilterTest {
 FilterChain chain = mock(FilterChain.class);
 @Test
- public void accept_GET_method() throws IOException, ServletException {
- HttpServletRequest request = newRequest("GET");
- underTest.doFilter(request, response, chain);
- verify(response, never()).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
- verify(chain).doFilter(request, response);
+ public void allow_GET_method() throws IOException, ServletException {
+ assertThatMethodIsAllowed("GET");
 }
 @Test
- public void deny_HEAD_method() throws IOException, ServletException {
- underTest.doFilter(newRequest("HEAD"), response, chain);
- verify(response).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ public void allow_HEAD_method() throws IOException, ServletException {
+ assertThatMethodIsAllowed("HEAD");
+ }
+
+ @Test
+ public void allow_PUT_method() throws IOException, ServletException {
+ assertThatMethodIsAllowed("PUT");
+ }
+
+ @Test
+ public void allow_POST_method() throws IOException, ServletException {
+ assertThatMethodIsAllowed("POST");
+ }
+
+ private void assertThatMethodIsAllowed(String httpMethod) throws IOException, ServletException {
+ HttpServletRequest request = newRequest(httpMethod);
+ underTest.doFilter(request, response, chain);
+ verify(response, never()).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ verify(chain).doFilter(request, response);
 }
 @Test
 public void deny_OPTIONS_method() throws IOException, ServletException {
- underTest.doFilter(newRequest("OPTIONS"), response, chain);
- verify(response).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ assertThatMethodIsDenied("OPTIONS");
 }
 @Test
 public void deny_TRACE_method() throws IOException, ServletException {
- underTest.doFilter(newRequest("TRACE"), response, chain);
+ assertThatMethodIsDenied("TRACE");
+ }
+
+ private void assertThatMethodIsDenied(String httpMethod) throws IOException, ServletException {
+ underTest.doFilter(newRequest(httpMethod), response, chain);
 verify(response).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
 }
--
2.39.5
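Review bot: `assertThatMethodIsDenied` checks only that the 405 status was set; it never asserts that the request stopped at the filter, so a regression that sets 405 and still calls the chain would pass these tests. Keeping the request in a local and adding `verify(chain, never()).doFilter(request, response);` after the status check would pin the property that matters for a deny path. The allow side covers GET, HEAD, PUT and POST but not DELETE, which is also in the allowlist; an `allow_DELETE_method` test calling `assertThatMethodIsAllowed("DELETE")` would complete it.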