Summary

AbstractRequestMatcherRegistry provides the mvcMatchers(HttpMethod method, String... mvcPatterns) function to allow creation of an MvcMatcher for a specific HTTP verb, but there is no corresponding authorize() function in AuthorizeRequestsDsl.

Actual Behavior

If we want to create an MvcMatcher that matches an HTTP verb for use with the DSL, we have to construct the matcher manually using a similar method to AbstractRequestMatcherRegistry's protected createMvcMatchers() method, or otherwise use the non-DSL authorizeRequests().

Expected Behavior

Should be able to specify the HTTP method using the authorize() function:

authorizeRequests {
    authorize(POST, "/admin/**", hasRole("ADMIN"))
}

Version

5.3.0.RELEASE

Comment From: eleftherias

Thanks for the report @adamu. I agree with your suggestion of being able to specify the HTTP method in authorize. We would need to add 2 additional functions: authorize(method: HttpMethod, pattern: String, access: String) and authorize(method: HttpMethod, pattern: String, servletPath: String, access: String). Would you be interested in submitting a PR?

Comment From: adamu

Hi @eleftherias. To be honest I'm not sure how a good implementation would look. It looks like re-using createMvcMatchers() would be a good idea, but that method is protected, so it may be necessary to duplicate it?

Comment From: eleftherias

@adamu I can see us reusing ExpressionUrlAuthorizationConfigurer.mvcMatchers.

With the current setup we have:

val mvcMatchersAuthorizeUrl = requests.mvcMatchers(rule.pattern)

We could update this so that if a user has specified the HTTP method, then we include it in the MVC matcher:

requests.mvcMatchers(rule.httpMethod, rule.pattern)

This would also involve updating PatternAuthorizationRule to include an HttpMethod field.
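
The manual workaround described in the report, as an added example that is not part of the thread or the project's code: a hand-built MvcRequestMatcher restricted to POST, passed to the DSL's existing authorize(RequestMatcher, String) overload. The class name AdminSecurityConfig, the constructor injection of HandlerMappingIntrospector, the catch-all rule and the use of the kotlin-spring compiler plugin (so the configuration class is open) are assumptions.

```kotlin
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
import org.springframework.web.servlet.handler.HandlerMappingIntrospector

// Hypothetical configuration class for Spring Security 5.3.x with Spring MVC on the classpath.
@EnableWebSecurity
class AdminSecurityConfig(
    // Spring MVC registers a HandlerMappingIntrospector bean; injecting it here is an assumption
    // standing in for the lookup that the protected createMvcMatchers() performs.
    private val introspector: HandlerMappingIntrospector
) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        // Build the MVC matcher by hand and restrict it to a single HTTP verb.
        val adminPost = MvcRequestMatcher(introspector, "/admin/**").apply {
            setMethod(HttpMethod.POST)
        }

        http {
            authorizeRequests {
                // The existing overload accepts any prebuilt RequestMatcher.
                authorize(adminPost, hasRole("ADMIN"))
                // The rule above covers POST only; GET, PUT, DELETE and the other verbs
                // on /admin/** fall through to this catch-all, so decide what they need.
                authorize(anyRequest, authenticated)
            }
        }
    }
}
```

Rules are evaluated in declaration order, so a verb-specific rule has to come before any broader rule that would also match the same path.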