SwitchUserFilter Defaults to POST

Fixes gh-4183

Author: jzheaux

web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java

@@ -563,6 +563,6 @@ public void setSwitchAuthorityRole(String switchAuthorityRole) {
 	}
 
 	private static RequestMatcher createMatcher(String pattern) {
-		return new AntPathRequestMatcher(pattern, null, true, new UrlPathHelper());
+		return new AntPathRequestMatcher(pattern, "POST", true, new UrlPathHelper());
 	}
 }

web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java

@@ -16,11 +16,16 @@
 
 package org.springframework.security.web.authentication.switchuser;
 
-import static org.assertj.core.api.Assertions.*;
-import static org.mockito.Mockito.*;
+import java.util.ArrayList;
+import java.util.List;
+import javax.servlet.FilterChain;
 
-import org.junit.*;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
 import org.junit.rules.ExpectedException;
+
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.AccountExpiredException;
@@ -42,8 +47,10 @@
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 
-import javax.servlet.FilterChain;
-import java.util.*;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
 
 /**
  * Tests
@@ -75,6 +82,7 @@ private MockHttpServletRequest createMockSwitchRequest() {
 		request.setScheme("http");
 		request.setServerName("localhost");
 		request.setRequestURI("/login/impersonate");
+		request.setMethod("POST");
 
 		return request;
 	}
@@ -125,6 +133,20 @@ public void requiresExitUserWhenEndsWithThenDoesNotMatch() {
 		assertThat(filter.requiresExitUser(request)).isFalse();
 	}
 
+	@Test
+	// gh-4183
+	public void requiresExitUserWhenGetThenDoesNotMatch() {
+		SwitchUserFilter filter = new SwitchUserFilter();
+
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setScheme("http");
+		request.setServerName("localhost");
+		request.setRequestURI("/login/impersonate");
+		request.setMethod("GET");
+
+		assertThat(filter.requiresExitUser(request)).isFalse();
+	}
+
 	@Test
 	public void requiresExitUserWhenMatcherThenWorks() {
 		SwitchUserFilter filter = new SwitchUserFilter();
@@ -159,6 +181,20 @@ public void requiresSwitchUserWhenEndsWithThenDoesNotMatch() {
 		assertThat(filter.requiresSwitchUser(request)).isFalse();
 	}
 
+	@Test
+	// gh-4183
+	public void requiresSwitchUserWhenGetThenDoesNotMatch() {
+		SwitchUserFilter filter = new SwitchUserFilter();
+
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setScheme("http");
+		request.setServerName("localhost");
+		request.setRequestURI("/login/impersonate");
+		request.setMethod("GET");
+
+		assertThat(filter.requiresSwitchUser(request)).isFalse();
+	}
+
 	@Test
 	public void requiresSwitchUserWhenMatcherThenWorks() {
 		SwitchUserFilter filter = new SwitchUserFilter();