Merge branch '6.0.x' into 6.1.x

Closes gh-13759

web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java

@@ -52,7 +52,7 @@ public void afterPropertiesSet() {
 	@Override
 	public void commence(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException authException) throws IOException {
-		response.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\"");
+		response.setHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\"");
 		response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
 	}
 

web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java

@@ -16,8 +16,12 @@
 
 package org.springframework.security.web.authentication.www;
 
+import java.io.IOException;
+import java.util.List;
+
 import org.junit.jupiter.api.Test;
 
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -61,4 +65,19 @@ public void testNormalOperation() throws Exception {
 		assertThat(response.getHeader("WWW-Authenticate")).isEqualTo("Basic realm=\"hello\"");
 	}
 
+	// gh-13737
+	@Test
+	void commenceWhenResponseHasHeaderThenOverride() throws IOException {
+		BasicAuthenticationEntryPoint ep = new BasicAuthenticationEntryPoint();
+		ep.setRealmName("hello");
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setRequestURI("/some_path");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"test\"");
+		ep.commence(request, response, new DisabledException("Disabled"));
+		List<String> headers = response.getHeaders("WWW-Authenticate");
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(0)).isEqualTo("Basic realm=\"hello\"");
+	}
+
 }