SEC-2330: CacheControlHeadersWriter use a single header

config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy

@@ -388,7 +388,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
     def assertHeaders(MockHttpServletResponse response, Map<String,String> expected) {
         assert response.headerNames == expected.keySet()
         expected.each { headerName, value ->
-            assert response.getHeaderValues(headerName) == value.split(',')
+            assert response.getHeaderValues(headerName) == [value]
         }
     }
 }

web/src/main/java/org/springframework/security/web/header/writers/CacheControlHeadersWriter.java

@@ -42,7 +42,7 @@ public final class CacheControlHeadersWriter extends StaticHeadersWriter {
 
     private static List<Header> createHeaders() {
         List<Header> headers = new ArrayList<Header>(2);
-        headers.add(new Header("Cache-Control","no-cache","no-store","max-age=0","must-revalidate"));
+        headers.add(new Header("Cache-Control","no-cache, no-store, max-age=0, must-revalidate"));
         headers.add(new Header("Pragma","no-cache"));
         return headers;
     }

web/src/test/java/org/springframework/security/web/header/writers/CacheControlHeadersWriterTests.java

@@ -48,7 +48,7 @@ public class CacheControlHeadersWriterTests {
         writer.writeHeaders(request, response);
 
         assertThat(response.getHeaderNames().size()).isEqualTo(2);
-        assertThat(response.getHeaderValues("Cache-Control")).isEqualTo(Arrays.asList("no-cache","no-store","max-age=0","must-revalidate"));
+        assertThat(response.getHeaderValues("Cache-Control")).isEqualTo(Arrays.asList("no-cache, no-store, max-age=0, must-revalidate"));
         assertThat(response.getHeaderValues("Pragma")).isEqualTo(Arrays.asList("no-cache"));
     }
 }