From 1c22ec19e66380cba44df1fcd1d8fdb400b137a9 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@gopivotal.com>
Date: Thu, 29 Oct 2015 16:51:49 -0500
Subject: [PATCH] SEC-3082: make SavedRequest parameters case sensitive

---
 .../web/savedrequest/DefaultSavedRequest.java         |  2 +-
 .../web/savedrequest/DefaultSavedRequestTests.java    | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
index 795642e13b..1ce9842379 100644
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@@ -57,7 +57,7 @@ public class DefaultSavedRequest implements SavedRequest {
     private final ArrayList<SavedCookie> cookies = new ArrayList<SavedCookie>();
     private final ArrayList<Locale> locales = new ArrayList<Locale>();
     private final Map<String, List<String>> headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
-    private final Map<String, String[]> parameters = new TreeMap<String, String[]>(String.CASE_INSENSITIVE_ORDER);
+    private final Map<String, String[]> parameters = new TreeMap<String, String[]>();
     private final String contextPath;
     private final String method;
     private final String pathInfo;
diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
index 2c1913df16..da14e7767e 100644
--- a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
@@ -30,12 +30,15 @@ public class DefaultSavedRequestTests {
         assertTrue(saved.getHeaderValues("if-none-match").isEmpty());
     }
 
-    // TODO: Why are parameters case insensitive. I think this is a mistake
+    // SEC-3082
     @Test
-    public void parametersAreCaseInsensitive() throws Exception {
+    public void parametersAreCaseSensitive() throws Exception {
         MockHttpServletRequest request = new MockHttpServletRequest();
-        request.addParameter("ThisIsATest", "Hi mom");
-        DefaultSavedRequest saved = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443));
+        request.addParameter("AnotHerTest", "Hi dad");
+        request.addParameter("thisisatest", "Hi mom");
+        DefaultSavedRequest saved = new DefaultSavedRequest(request,
+                new MockPortResolver(8080, 8443));
         assertEquals("Hi mom", saved.getParameterValues("thisisatest")[0]);
+        assertNull(saved.getParameterValues("anothertest"));
     }
 }