Make basic authentication scheme case-insensitive

Fixes: gh-7163

Author: eleftherias

web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java

@@ -30,6 +30,7 @@
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * Converts from a HttpServletRequest to
@@ -83,7 +84,7 @@ public UsernamePasswordAuthenticationToken convert(HttpServletRequest request) {
 		}
 
 		header = header.trim();
-		if (!header.startsWith(AUTHENTICATION_SCHEME_BASIC) && !header.startsWith(AUTHENTICATION_SCHEME_BASIC.toLowerCase())) {
+		if (!StringUtils.startsWithIgnoreCase(header, AUTHENTICATION_SCHEME_BASIC)) {
 			return null;
 		}
 

web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java

@@ -61,6 +61,18 @@ public void testNormalOperation() throws Exception {
 		assertThat(authentication.getName()).isEqualTo("rod");
 	}
 
+	@Test
+	public void requestWhenAuthorizationSchemeInMixedCaseThenAuthenticates() {
+		String token = "rod:koala";
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addHeader("Authorization", "BaSiC " + new String(Base64.encodeBase64(token.getBytes())));
+		UsernamePasswordAuthenticationToken authentication = converter.convert(request);
+
+		verify(authenticationDetailsSource).buildDetails(any());
+		assertThat(authentication).isNotNull();
+		assertThat(authentication.getName()).isEqualTo("rod");
+	}
+
 	@Test
 	public void testWhenUnsupportedAuthorizationHeaderThenIgnored() throws Exception {
 		MockHttpServletRequest request = new MockHttpServletRequest();

web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java

@@ -176,6 +176,24 @@ public void doFilterWhenSchemeLowercaseThenCaseInsensitveMatchWorks() throws Exc
 				.isEqualTo("rod");
 	}
 
+	@Test
+	public void doFilterWhenSchemeMixedCaseThenCaseInsensitiveMatchWorks() throws Exception {
+		String token = "rod:koala";
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addHeader("Authorization",
+				"BaSiC " + new String(Base64.encodeBase64(token.getBytes())));
+		request.setServletPath("/some_file.html");
+
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+		FilterChain chain = mock(FilterChain.class);
+		filter.doFilter(request, new MockHttpServletResponse(), chain);
+
+		verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
+		assertThat(SecurityContextHolder.getContext().getAuthentication().getName())
+				.isEqualTo("rod");
+	}
+
 	@Test
 	public void testOtherAuthorizationSchemeIsIgnored() throws Exception {