diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java
index e4ca009c9f6..29658c8f56a 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java
@@ -52,7 +52,7 @@ public void afterPropertiesSet() {
 @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
- response.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\"");
+ response.setHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\"");
 response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java
index 0ada20dc539..27ace4ca0cd 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java
@@ -16,8 +16,12 @@ package org.springframework.security.web.authentication.www;
+import java.io.IOException;
+import java.util.List;
+
 import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
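Review bot: The switch from addHeader to setHeader on the WWW-Authenticate line changes commence from "append a challenge" to "replace every challenge already on the response", and nothing in the hunk documents that; a filter or error handler that set a different challenge scheme earlier will now have it silently discarded, which is the intended fix for the duplicate-header case but is a contract change callers of this entry point should be able to read. Add a why-comment above the call, e.g. `// Replace (not append) so the client receives exactly one Basic challenge, even if an earlier handler already set WWW-Authenticate (gh-13737)`, and state the same in the Javadoc of commence. Separately, `this.realmName` is still concatenated into the quoted-string unescaped, so a realm containing `"` or `\` produces a malformed challenge; if afterPropertiesSet (named in the hunk header but outside the hunk) does not already reject such values, it should, or the value should be escaped at the point of use. The enclosing class continues outside the hunk.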
@@ -61,4 +65,19 @@ public void testNormalOperation() throws Exception {
 assertThat(response.getHeader("WWW-Authenticate")).isEqualTo("Basic realm=\"hello\"");
 }
+ // gh-13737
+ @Test
+ void commenceWhenResponseHasHeaderThenOverride() throws IOException {
+ BasicAuthenticationEntryPoint ep = new BasicAuthenticationEntryPoint();
+ ep.setRealmName("hello");
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setRequestURI("/some_path");
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"test\"");
+ ep.commence(request, response, new DisabledException("Disabled"));
+ List headers = response.getHeaders("WWW-Authenticate");
+ assertThat(headers).hasSize(1);
+ assertThat(headers.get(0)).isEqualTo("Basic realm=\"hello\"");
+ }
+
 }
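Review bot: `List headers` in the new test is a raw type; MockHttpServletResponse.getHeaders returns `List<String>`, so declare it `List<String> headers = response.getHeaders(HttpHeaders.WWW_AUTHENTICATE);`, which also removes the mixed use of the `HttpHeaders.WWW_AUTHENTICATE` constant on the setHeader line and the literal `"WWW-Authenticate"` on the getHeaders line. The test pins the single replaced header but never checks the status, so a regression that kept the header logic and lost the 401 would still pass; add `assertThat(response.getStatus()).isEqualTo(HttpStatus.UNAUTHORIZED.value());` after the header assertions (HttpStatus is already imported in this file). `request.setRequestURI("/some_path")` appears to have no bearing on what commence produces here and could be dropped, though that is inferred from the entry point hunk rather than this one. The new method is complete within the hunk; the enclosing class is not.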