SEC-2330: CacheControlHeadersWriter use a single header

config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy

@@ -77,7 +77,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
             responseHeaders == ['X-Content-Type-Options':'nosniff',
                          'X-Frame-Options':'DENY',
                          'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
-                         'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+                         'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                          'Pragma':'no-cache',
                          'X-XSS-Protection' : '1; mode=block']
     }

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy

@@ -48,7 +48,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
             responseHeaders == ['X-Content-Type-Options':'nosniff',
                          'X-Frame-Options':'DENY',
                          'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
-                         'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+                         'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                          'Pragma':'no-cache',
                          'X-XSS-Protection' : '1; mode=block']
     }
@@ -127,7 +127,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
         when:
             springSecurityFilterChain.doFilter(request,response,chain)
         then:
-            responseHeaders == ['Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+            responseHeaders == ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                          'Pragma':'no-cache']
     }
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.groovy

@@ -47,7 +47,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
             responseHeaders == ['X-Content-Type-Options':'nosniff',
                 'X-Frame-Options':'DENY',
                 'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
-                'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+                'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                 'Pragma':'no-cache',
                 'X-XSS-Protection' : '1; mode=block']
     }
@@ -68,7 +68,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
         when:
             springSecurityFilterChain.doFilter(request,response,chain)
         then:
-            responseHeaders == ['Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+            responseHeaders == ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                 'Pragma':'no-cache']
     }
 

config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy

@@ -53,7 +53,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
             assertHeaders(response, ['X-Content-Type-Options':'nosniff',
                                      'X-Frame-Options':'DENY',
                                      'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
-                                     'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+                                     'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                                      'Pragma':'no-cache',
                                      'X-XSS-Protection' : '1; mode=block'])
     }
@@ -332,7 +332,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         when:
             springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
         then:
-            assertHeaders(response, ['Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate','Pragma':'no-cache'])
+            assertHeaders(response, ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate','Pragma':'no-cache'])
     }
 
     def 'http headers hsts'() {
@@ -388,7 +388,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
     def assertHeaders(MockHttpServletResponse response, Map<String,String> expected) {
         assert response.headerNames == expected.keySet()
         expected.each { headerName, value ->
-            assert response.getHeaderValues(headerName) == value.split(',')
+            assert response.getHeaderValues(headerName) == [value]
         }
     }
 }

web/src/main/java/org/springframework/security/web/header/writers/CacheControlHeadersWriter.java

@@ -42,7 +42,7 @@ public final class CacheControlHeadersWriter extends StaticHeadersWriter {
 
     private static List<Header> createHeaders() {
         List<Header> headers = new ArrayList<Header>(2);
-        headers.add(new Header("Cache-Control","no-cache","no-store","max-age=0","must-revalidate"));
+        headers.add(new Header("Cache-Control","no-cache, no-store, max-age=0, must-revalidate"));
         headers.add(new Header("Pragma","no-cache"));
         return headers;
     }

web/src/test/java/org/springframework/security/web/header/writers/CacheControlHeadersWriterTests.java

@@ -48,7 +48,7 @@ public class CacheControlHeadersWriterTests {
         writer.writeHeaders(request, response);
 
         assertThat(response.getHeaderNames().size()).isEqualTo(2);
-        assertThat(response.getHeaderValues("Cache-Control")).isEqualTo(Arrays.asList("no-cache","no-store","max-age=0","must-revalidate"));
+        assertThat(response.getHeaderValues("Cache-Control")).isEqualTo(Arrays.asList("no-cache, no-store, max-age=0, must-revalidate"));
         assertThat(response.getHeaderValues("Pragma")).isEqualTo(Arrays.asList("no-cache"));
     }
 }