Restrict EndpointRequest links to the specified HTTP method

EndpointRequest.toAnyEndpoint().withHttpMethod(...) restricted
endpoint paths but still allowed any HTTP method for the links
path.

Restrict the links path using the configured HttpMethod in both
servlet and reactive matchers.

See gh-49885

Signed-off-by: Lee JiWon <dlwldnjs1009@gmail.com>

Author: dlwldnjs1009

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/EndpointRequest.java

@@ -120,7 +120,7 @@ public static EndpointServerWebExchangeMatcher to(String... endpoints) {
 	 * @return the configured {@link ServerWebExchangeMatcher}
 	 */
 	public static LinksServerWebExchangeMatcher toLinks() {
-		return new LinksServerWebExchangeMatcher();
+		return new LinksServerWebExchangeMatcher(null);
 	}
 
 	/**
@@ -344,7 +344,7 @@ protected ServerWebExchangeMatcher createDelegate(PathMappedEndpoints endpoints)
 			List<ServerWebExchangeMatcher> delegateMatchers = getDelegateMatchers(paths, this.httpMethod);
 			String linksPath = getLinksPath(endpoints.getBasePath());
 			if (this.includeLinks && linksPath != null) {
-				delegateMatchers.add(new LinksServerWebExchangeMatcher());
+				delegateMatchers.add(new LinksServerWebExchangeMatcher(this.httpMethod));
 			}
 			if (delegateMatchers.isEmpty()) {
 				return EMPTY_MATCHER;
@@ -373,18 +373,21 @@ public String toString() {
 	 */
 	public static final class LinksServerWebExchangeMatcher extends AbstractWebExchangeMatcher<WebEndpointProperties> {
 
-		private LinksServerWebExchangeMatcher() {
+		private final @Nullable HttpMethod httpMethod;
+
+		private LinksServerWebExchangeMatcher(@Nullable HttpMethod httpMethod) {
 			super(WebEndpointProperties.class);
+			this.httpMethod = httpMethod;
 		}
 
 		@Override
 		protected ServerWebExchangeMatcher createDelegate(WebEndpointProperties properties) {
 			String linksPath = getLinksPath(properties.getBasePath());
 			if (linksPath != null) {
 				List<ServerWebExchangeMatcher> linksMatchers = new ArrayList<>();
-				linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath));
+				linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath, this.httpMethod));
 				if (!linksPath.endsWith("/")) {
-					linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath + "/"));
+					linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath + "/", this.httpMethod));
 				}
 				return new OrServerWebExchangeMatcher(linksMatchers);
 			}

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/EndpointRequest.java

@@ -224,11 +224,11 @@ protected final List<RequestMatcher> getDelegateMatchers(RequestMatcherFactory r
 		}
 
 		protected List<RequestMatcher> getLinksMatchers(RequestMatcherFactory requestMatcherFactory,
-				RequestMatcherProvider matcherProvider, String linksPath) {
+				RequestMatcherProvider matcherProvider, @Nullable HttpMethod httpMethod, String linksPath) {
 			List<RequestMatcher> linksMatchers = new ArrayList<>();
-			linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath));
+			linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, httpMethod, linksPath));
 			if (!linksPath.endsWith("/")) {
-				linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath, "/"));
+				linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, httpMethod, linksPath, "/"));
 			}
 			return linksMatchers;
 		}
@@ -357,7 +357,8 @@ protected RequestMatcher createDelegate(WebApplicationContext context,
 			String basePath = endpoints.getBasePath();
 			String linksPath = getLinksPath(context, basePath);
 			if (this.includeLinks && linksPath != null) {
-				delegateMatchers.addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, linksPath));
+				delegateMatchers
+					.addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, this.httpMethod, linksPath));
 			}
 			if (delegateMatchers.isEmpty()) {
 				return EMPTY_MATCHER;
@@ -393,7 +394,7 @@ protected RequestMatcher createDelegate(WebApplicationContext context,
 			String linksPath = getLinksPath(context, properties.getBasePath());
 			if (linksPath != null) {
 				return new OrRequestMatcher(
-						getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), linksPath));
+						getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), null, linksPath));
 			}
 			return EMPTY_MATCHER;
 		}

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/EndpointRequestTests.java

@@ -75,6 +75,10 @@ void toAnyEndpointWithHttpMethodShouldRespectRequestMethod() {
 		ServerWebExchangeMatcher matcher = EndpointRequest.toAnyEndpoint().withHttpMethod(HttpMethod.POST);
 		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/foo");
 		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/foo");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/");
 	}
 
 	@Test

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/EndpointRequestTests.java

@@ -74,6 +74,10 @@ void toAnyEndpointWithHttpMethodShouldRespectRequestMethod() {
 			.withHttpMethod(HttpMethod.POST);
 		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/foo");
 		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/foo");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/");
 	}
 
 	@Test