I expected the matcher to not trigger NPE's (resulting in HTTP 500's) but rather choosing to match or not for unknown methods.
This line triggers the NPE as getMethod returns null for any unmappable method string. https://github.com/spring-projects/spring-security/blob/06fdb83fb89840c511b2bc46f72b7c49229c9dab/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java#L190
Comment From: eleftherias
Thanks for the report @Robbert1. Would you be interested in submitting a PR?
Comment From: parikshitdutta
@eleftherias @rwinch how is it for contribution? I can look into it.
Comment From: eleftherias
Thanks for the offer @parikshitdutta. The issue is yours!
Comment From: parikshitdutta
Hi @eleftherias @rwinch, Please take a look at PR #8452, or Please assign it to respective reviewer.
Thank you.
Comment From: rwinch
Closed in favor of gh-8452