From 96d1763fc49e8121e15c5d595e84f8599cc6d2bf Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Thu, 31 Aug 2023 10:07:10 -0300
Subject: [PATCH] WWW-Authenticate header should not be added twice

Closes gh-13737
---
 .../www/BasicAuthenticationEntryPoint.java | 2 +-
 .../BasicAuthenticationEntryPointTests.java | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java
index e67ecba1993..c780aeb8d1c 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java
@@ -52,7 +52,7 @@ public void afterPropertiesSet() {
 @Override
 public void commence(HttpServletRequest request, HttpServletResponse response,
 AuthenticationException authException) throws IOException {
- response.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\"");
+ response.setHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\"");
 response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
 }
 
diff --git a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java
index 0ada20dc539..27ace4ca0cd 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java
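Review bot: The new setHeader line in commence replaces any WWW-Authenticate challenge that another component has already placed on the response instead of being appended to it, which is the intended fix for the duplicate but is not stated anywhere on the method; the Javadoc of commence should say so, e.g. `Sets the Basic WWW-Authenticate challenge, replacing any existing value of that header, and sends a 401.` A second point on the same line: realmName is interpolated into the quoted-string unescaped, so a realm containing a double quote produces a malformed challenge, and the only validation is whatever afterPropertiesSet does, which lies outside the hunk. A one-line guard such as rejecting `"` in setRealmName, or a note in the setter's Javadoc that the value must be a valid quoted-string, would close that gap.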
@@ -16,8 +16,12 @@
 
 package org.springframework.security.web.authentication.www;
 
+import java.io.IOException;
+import java.util.List;
+
 import org.junit.jupiter.api.Test;
 
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -61,4 +65,19 @@ public void testNormalOperation() throws Exception {
 assertThat(response.getHeader("WWW-Authenticate")).isEqualTo("Basic realm=\"hello\"");
 }
 
+ // gh-13737
+ @Test
+ void commenceWhenResponseHasHeaderThenOverride() throws IOException {
+ BasicAuthenticationEntryPoint ep = new BasicAuthenticationEntryPoint();
+ ep.setRealmName("hello");
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setRequestURI("/some_path");
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"test\"");
+ ep.commence(request, response, new DisabledException("Disabled"));
+ List headers = response.getHeaders("WWW-Authenticate");
+ assertThat(headers).hasSize(1);
+ assertThat(headers.get(0)).isEqualTo("Basic realm=\"hello\"");
+ }
+
 }
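Review bot: `List headers` in the new test commenceWhenResponseHasHeaderThenOverride is a raw type; MockHttpServletResponse.getHeaders returns a List of String, so declare it as `List<String> headers = response.getHeaders(HttpHeaders.WWW_AUTHENTICATE);`, which also uses the constant the hunk already imports for setHeader instead of mixing it with the string literal on the next line. With the raw type `headers.get(0)` is an Object and isEqualTo still passes, so the assertion is not wrong, only looser than it needs to be. The preceding import hunk in this file is trivial and needs nothing.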