HttpHeaders no longer a MultiValueMap

Closes gh-17060

Author: rwinch

config/src/test/java/org/springframework/security/config/web/server/CorsSpecTests.java

@@ -18,8 +18,6 @@
 
 import java.util.Arrays;
 import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
 import java.util.Set;
 
 import org.junit.jupiter.api.BeforeEach;
@@ -114,12 +112,13 @@ private void assertHeaders() {
 				.exchange()
 				.returnResult(String.class);
 		// @formatter:on
-		Map<String, List<String>> responseHeaders = response.getResponseHeaders();
+		HttpHeaders responseHeaders = response.getResponseHeaders();
 		if (!this.expectedHeaders.isEmpty()) {
-			assertThat(responseHeaders).describedAs(response.toString()).containsAllEntriesOf(this.expectedHeaders);
+			this.expectedHeaders.forEach(
+					(headerName, headerValues) -> assertThat(responseHeaders.get(headerName)).isEqualTo(headerValues));
 		}
 		if (!this.headerNamesNotPresent.isEmpty()) {
-			assertThat(responseHeaders.keySet()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
+			assertThat(responseHeaders.headerNames()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
 		}
 	}
 

config/src/test/java/org/springframework/security/config/web/server/HeaderSpecTests.java

@@ -18,8 +18,6 @@
 
 import java.time.Duration;
 import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
 import java.util.Set;
 
 import org.junit.jupiter.api.BeforeEach;
@@ -80,14 +78,14 @@ public void setup() {
 
 	@Test
 	public void headersWhenDisableThenNoSecurityHeaders() {
-		new HashSet<>(this.expectedHeaders.keySet()).forEach(this::expectHeaderNamesNotPresent);
+		new HashSet<>(this.expectedHeaders.headerNames()).forEach(this::expectHeaderNamesNotPresent);
 		this.http.headers().disable();
 		assertHeaders();
 	}
 
 	@Test
 	public void headersWhenDisableInLambdaThenNoSecurityHeaders() {
-		new HashSet<>(this.expectedHeaders.keySet()).forEach(this::expectHeaderNamesNotPresent);
+		new HashSet<>(this.expectedHeaders.headerNames()).forEach(this::expectHeaderNamesNotPresent);
 		this.http.headers((headers) -> headers.disable());
 		assertHeaders();
 	}
@@ -515,12 +513,13 @@ private void assertHeaders() {
 			.uri("https://example.com/")
 			.exchange()
 			.returnResult(String.class);
-		Map<String, List<String>> responseHeaders = response.getResponseHeaders();
+		HttpHeaders responseHeaders = response.getResponseHeaders();
 		if (!this.expectedHeaders.isEmpty()) {
-			assertThat(responseHeaders).describedAs(response.toString()).containsAllEntriesOf(this.expectedHeaders);
+			this.expectedHeaders.forEach(
+					(headerName, headerValues) -> assertThat(responseHeaders.get(headerName)).isEqualTo(headerValues));
 		}
 		if (!this.headerNamesNotPresent.isEmpty()) {
-			assertThat(responseHeaders.keySet()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
+			assertThat(responseHeaders.headerNames()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
 		}
 	}
 

config/src/test/java/org/springframework/security/config/web/server/OidcLogoutSpecTests.java

@@ -945,7 +945,7 @@ private String session(RecordedRequest request) {
 		private MockResponse toMockResponse(FluxExchangeResult<String> result) {
 			MockResponse response = new MockResponse();
 			response.setResponseCode(result.getStatus().value());
-			for (String name : result.getResponseHeaders().keySet()) {
+			for (String name : result.getResponseHeaders().headerNames()) {
 				response.addHeader(name, result.getResponseHeaders().getFirst(name));
 			}
 			String body = result.getResponseBody().blockFirst();

config/src/test/kotlin/org/springframework/security/config/web/server/ServerHttpsRedirectDslTests.kt

@@ -127,7 +127,7 @@ class ServerHttpsRedirectDslTests {
             return http {
                 redirectToHttps {
                     httpsRedirectWhen {
-                        it.request.headers.containsKey("X-Requires-Https")
+                        it.request.headers.headerNames().contains("X-Requires-Https")
                     }
                 }
             }
@@ -165,7 +165,7 @@ class ServerHttpsRedirectDslTests {
                 redirectToHttps {
                     httpsRedirectWhen(PathPatternParserServerWebExchangeMatcher("/secure"))
                     httpsRedirectWhen {
-                        it.request.headers.containsKey("X-Requires-Https")
+                        it.request.headers.headerNames().contains("X-Requires-Https")
                     }
                 }
             }

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/BearerTokenServerAuthenticationEntryPointTests.java

@@ -91,7 +91,7 @@ public void commenceWhenBearerTokenThenErrorInformation() {
 	@Test
 	public void commenceWhenNoSubscriberThenNothingHappens() {
 		this.entryPoint.commence(this.exchange, new BadCredentialsException(""));
-		assertThat(getResponse().getHeaders()).isEmpty();
+		assertThat(getResponse().getHeaders().headerNames()).isEmpty();
 		assertThat(getResponse().getStatusCode()).isNull();
 	}
 

web/src/main/java/org/springframework/security/web/FilterInvocation.java

@@ -267,7 +267,7 @@ public Enumeration<String> getHeaders(String name) {
 
 		@Override
 		public Enumeration<String> getHeaderNames() {
-			return Collections.enumeration(this.headers.keySet());
+			return Collections.enumeration(this.headers.headerNames());
 		}
 
 		@Override

web/src/main/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewall.java

@@ -135,8 +135,8 @@ public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewal
 	private static final Pattern ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN = Pattern
 		.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
 
-	private static final Predicate<String> ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = (
-			s) -> ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(s).matches();
+	private static final Predicate<String> ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = (s) -> s == null
+			|| ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(s).matches();
 
 	private static final Pattern HEADER_VALUE_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[[^\\p{IsControl}]||\\t]]*");
 
@@ -198,13 +198,11 @@ public Mono<ServerWebExchange> getFirewalledExchange(ServerWebExchange exchange)
 			exchange.getResponse().beforeCommit(() -> Mono.fromRunnable(() -> {
 				ServerHttpResponse response = exchange.getResponse();
 				HttpHeaders headers = response.getHeaders();
-				for (Map.Entry<String, List<String>> header : headers.entrySet()) {
-					String headerName = header.getKey();
-					List<String> headerValues = header.getValue();
+				headers.forEach((headerName, headerValues) -> {
 					for (String headerValue : headerValues) {
 						validateCrlf(headerName, headerValue);
 					}
-				}
+				});
 			}));
 			return new StrictFirewallServerWebExchange(exchange);
 		});
@@ -767,23 +765,21 @@ public String getFirst(String headerName) {
 				}
 
 				@Override
-				public List<String> get(Object key) {
-					if (key instanceof String headerName) {
-						validateAllowedHeaderName(headerName);
-					}
-					List<String> headerValues = super.get(key);
+				public List<String> get(String headerName) {
+					validateAllowedHeaderName(headerName);
+					List<String> headerValues = super.get(headerName);
 					if (headerValues == null) {
 						return headerValues;
 					}
 					for (String headerValue : headerValues) {
-						validateAllowedHeaderValue(key, headerValue);
+						validateAllowedHeaderValue(headerName, headerValue);
 					}
 					return headerValues;
 				}
 
 				@Override
-				public Set<String> keySet() {
-					Set<String> headerNames = super.keySet();
+				public Set<String> headerNames() {
+					Set<String> headerNames = super.headerNames();
 					for (String headerName : headerNames) {
 						validateAllowedHeaderName(headerName);
 					}

web/src/main/java/org/springframework/security/web/server/header/StaticServerHttpHeadersWriter.java

@@ -43,8 +43,8 @@ public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
 		// Note: We need to ensure that the following algorithm compares headers
 		// case insensitively, which should be true of headers.containsKey().
 		boolean containsNoHeadersToAdd = true;
-		for (String headerName : this.headersToAdd.keySet()) {
-			if (headers.containsKey(headerName)) {
+		for (String headerName : this.headersToAdd.headerNames()) {
+			if (headers.containsHeader(headerName)) {
 				containsNoHeadersToAdd = false;
 				break;
 			}

web/src/test/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewallTests.java

@@ -444,7 +444,7 @@ void getFirewalledExchangeGetHeaderNamesWhenControlCharacterInHeaderNameThenExce
 		ServerWebExchange exchange = getFirewalledExchange();
 		HttpHeaders headers = exchange.getRequest().getHeaders();
 		assertThatExceptionOfType(ServerExchangeRejectedException.class)
-			.isThrownBy(() -> headers.keySet().iterator().next());
+			.isThrownBy(() -> headers.headerNames().iterator().next());
 	}
 
 	@Test

web/src/test/java/org/springframework/security/web/server/header/CacheControlServerHttpHeadersWriterTests.java

@@ -42,7 +42,7 @@ public class CacheControlServerHttpHeadersWriterTests {
 	@Test
 	public void writeHeadersWhenCacheHeadersThenWritesAllCacheControl() {
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(3);
+		assertThat(this.headers.headerNames()).hasSize(3);
 		assertThat(this.headers.get(HttpHeaders.CACHE_CONTROL))
 			.containsOnly(CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE);
 		assertThat(this.headers.get(HttpHeaders.EXPIRES))
@@ -63,7 +63,7 @@ public void writeHeadersWhenPragmaThenNoCacheControlHeaders() {
 		String pragma = "1";
 		this.headers.set(HttpHeaders.PRAGMA, pragma);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(HttpHeaders.PRAGMA)).containsOnly(pragma);
 	}
 
@@ -72,7 +72,7 @@ public void writeHeadersWhenExpiresThenNoCacheControlHeaders() {
 		String expires = "1";
 		this.headers.set(HttpHeaders.EXPIRES, expires);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(HttpHeaders.EXPIRES)).containsOnly(expires);
 	}
 
@@ -81,7 +81,7 @@ public void writeHeadersWhenExpiresThenNoCacheControlHeaders() {
 	public void writeHeadersWhenNotModifiedThenNoCacheControlHeaders() {
 		this.exchange.getResponse().setStatusCode(HttpStatus.NOT_MODIFIED);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).isEmpty();
+		assertThat(this.headers.headerNames()).isEmpty();
 	}
 
 }