HttpHeaders#writableHttpHeaders not effective with read-only delegate

[ilgrosso]

As described in spring-cloud/spring-cloud-gateway#3570 (comment) starting with Spring Boot 3.3.5, we are observing that HttpHeaders#writableHttpHeaders is failing to return a writable instance in case the given headers argument is an instance of Spring Security's org.springframework.security.web.server.firewall.StrictServerWebExchangeFirewall.StrictFirewallServerWebExchange.StrictFirewallHttpRequest.StrictFirewallHttpHeaders

This seems to be related to spring-projects/spring-security@0e257b5

I think it would be enough to cherry-pick ef77b40 to the branch 6.1.x

[jhoeller]

I suppose this duplicates #33789?

[bclozel]

Yes it is, closing as a duplicate. Please let us know if SNAPSHOTs don't cover this use case.

[ilgrosso]

@jhoeller @bclozel I have just tested 6.1.15-SNAPSHOT and I can confirm that #33789 is fixing what I report above, so I think it is correct to mark this issue as duplicate.

One question though: why making a different fix in a06bbcc instead of cherry picking ef77b40 ?

[bclozel]

ef77b40 is about case sensitive headers, whereas a06bbcc is about unwrapping read-only HttpHeaders instance. Rob accurately reported the problem in #33789 that reproduces the double-wrapping of HttpHeaders (once with read-only, and another time with security's headers) that was creating issues.