From fb9d9fda72ce26885c470b6851d162eafbee79ff Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Sun, 28 Dec 2025 00:05:11 +0700
Subject: [PATCH] Verify POST endpoints when CSRF is disabled

Signed-off-by: Tran Ngoc Nhan
---
 .../annotation/web/HttpSecurityDslTests.kt | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
index 5cfaadee432..df55bb5bd69 100644
--- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
@@ -29,6 +29,7 @@ import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpHeaders
+import org.springframework.http.HttpMethod
 import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.authentication.ProviderManager
 import org.springframework.security.authentication.TestingAuthenticationProvider
@@ -55,6 +56,8 @@ import org.springframework.test.web.servlet.MockMvc
 import org.springframework.test.web.servlet.get
 import org.springframework.test.web.servlet.post
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.servlet.config.annotation.EnableWebMvc
 
 /**
@@ -657,4 +660,57 @@ class HttpSecurityDslTests {
 }
 }
 
+ @Test
+ fun `HTTP security when disabled Csrf Bean`() {
+ this.spring.register(DisabledCsrfBeanConfig::class.java, BasicController::class.java).autowire()
+
+ this.mockMvc.post("/test1")
+ .andExpect {
+ status { isOk() }
+ }
+ }
+
+ this.mockMvc.post("/")
+ .andExpect {
+ status { isForbidden() }
+ }
+ }
+ }
+
+ @RestController
+ internal class BasicController {
+
+ @PostMapping("/")
+ fun post():String {
+ return "ok"
+ }
+
+ @PostMapping("/test1")
+ fun test1():String {
+ return "ok"
+ }
+ }
+
+ @Configuration
+ @EnableWebSecurity
+ open class DisabledCsrfBeanConfig {
+
+ @Bean
+ open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+ http {
+ authorizeHttpRequests {
+ authorize(HttpMethod.POST, "/test1", permitAll)
+ authorize(anyRequest, authenticated)
+ }
+ }
+ return http.build()
+ }
+
+ @Bean
+ open fun headersDsl(): HttpSecurityDsl.() -> Unit {
+ return {
+ csrf {
+ disable()
+ }
+ }
+ }
+ }
 }
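Review bot: The `status { isForbidden() }` assertion on `POST /` cannot tell CSRF enforcement apart from authorization: an anonymous request denied by `authorize(anyRequest, authenticated)` and a request rejected for a missing CSRF token are, as far as I can tell from Spring Security's defaults, both reported as 403, so that half of the test would still pass if the `csrf { disable() }` bean were never applied to the chain. Only the 200 on `/test1` actually depends on CSRF being off; to prove it is off for the protected endpoint too, add an authenticated POST that carries no token, e.g. `this.mockMvc.post("/") { with(user("user")) }.andExpect { status { isOk() } }` (this presumes `SecurityMockMvcRequestPostProcessors.user` is importable here — the file's import block lies outside this hunk). The bean name `headersDsl` is misleading since the DSL it returns configures CSRF rather than headers; `csrfDsl` would say what it does. The enclosing `HttpSecurityDslTests` class opens outside the hunk.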