SEC-1540: Fix to add HTTP-method specific support for namespace requires-channel attribute.

config/src/main/java/org/springframework/security/config/http/MatcherType.java

@@ -35,7 +35,7 @@ public enum MatcherType {
     }
 
     BeanDefinition createMatcher(String path, String method) {
-        if ("/**".equals(path)) {
+        if ("/**".equals(path) && method == null) {
             return new RootBeanDefinition(AnyRequestMatcher.class);
         }
 

config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy

@@ -170,6 +170,40 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
         attrs.contains(new SecurityConfig("ROLE_B"))
     }
 
+   def httpMethodMatchIsSupportedForRequiresChannel() {
+       httpAutoConfig {
+           'intercept-url'(pattern: '/anyurl')
+           'intercept-url'(pattern: '/anyurl', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
+       }
+       createAppContext()
+
+       def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
+       def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
+       def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
+
+       expect:
+       attrs.size() == 1
+       attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
+       attrsPost == null
+   }
+
+   def httpMethodMatchIsSupportedForRequiresChannelAny() {
+       httpAutoConfig {
+           'intercept-url'(pattern: '/**')
+           'intercept-url'(pattern: '/**', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
+       }
+       createAppContext()
+
+       def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
+       def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
+       def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
+
+       expect:
+       attrs.size() == 1
+       attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
+       attrsPost == null
+   }
+
     def oncePerRequestAttributeIsSupported() {
         xml.http('once-per-request': 'false') {
             'http-basic'()