Restrict allowed HTTP methods in HiddenHttpMethodFilter [SPR-16836] #21376
Comments
Cory Hahlbeck commented

Hey, is there any reason GET is not in the list of allowed methods? We used GET as a method parameter in a POST whenever requests would have exceeded the URL length limit, so this change breaks some functionality. It seems like it was decided to not include GET since there is no need to simulate it from a browser, but some of the other use cases of this class might be being overlooked.
Brian Clozel commented

Hi Cory Hahlbeck, That's right - the main goal of this filter is to work around the inability of browsers to send HTTP forms with specific HTTP methods. I'm not really in favor of adding the possibility for GET methods:

The implementation of this filter is really straightforward and your use case seems to be more about a workaround to a specific issue than a general use case for applications. In this case, I think your best bet is to create your own filter that will suit your needs. Thanks for your feedback and don't hesitate to add more comments if you've got other use cases in mind for this.
Brian Clozel opened SPR-16836 and commented
Currently the `HiddenHttpMethodFilter` allows requests to change the HTTP method to any method. Both Servlet and Reactive variants should restrict the allowed HTTP methods to: PUT, PATCH and DELETE.

Backported to: 4.3.18
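The restriction described in this issue, sketched as an application-owned servlet filter. This is an added example, not Spring's `HiddenHttpMethodFilter` source or code from this thread; the class name `AllowListedMethodOverrideFilter` is hypothetical, and it assumes the `javax.servlet` API and `_method` as the form field carrying the override.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical application-owned filter; not Spring's HiddenHttpMethodFilter source.
public class AllowListedMethodOverrideFilter implements Filter {

    // Assumption: "_method" is the form field that carries the requested override.
    private static final String METHOD_PARAM = "_method";

    // Only the methods named in the issue may replace POST.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("PUT", "PATCH", "DELETE")));

    /** Returns the HTTP method the rest of the filter chain should see. */
    static String effectiveMethod(String actual, String requested) {
        if (!"POST".equals(actual) || requested == null) {
            return actual; // overrides are honoured on POST only
        }
        // Locale.ENGLISH keeps the case mapping independent of the server's default locale.
        String candidate = requested.toUpperCase(Locale.ENGLISH);
        return ALLOWED.contains(candidate) ? candidate : actual;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req; // assumes an HTTP deployment
        final String method = effectiveMethod(http.getMethod(), http.getParameter(METHOD_PARAM));
        if (method.equals(http.getMethod())) {
            chain.doFilter(req, res); // no override requested, or the value was rejected
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public String getMethod() {
                return method; // downstream routing and security rules see the override
            }
        }, res);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

A value outside the allow-list (for example `TRACE` or `GET`) leaves the request as a plain POST, so method-based access rules further down the chain are evaluated against the method the client really sent.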