The namespace improperly handles the method attribute when populating ChannelProcessingFilter.securityMetadataSource. The problems differ between 3.0.x and 3.1.x. For 3.0.x the issue is that the method is ignored. The issue for 3.1.x is that if the path is /** the method is ignored. I have attached a patch with tests and a fix for both master and 3.0.x. Note that I included a test for 3.1.x that actually works but was broke in 3.0.x in order to ensure it continues to work. While it might be wise to refactor to reuse the logic in creating the securityMetadataSource, I did not do so to limit the scope of this change.
PS: I did not look at 2.x to see if it needed corrections.