From 4144de93765dc7fb00c87fdf065def0d370f73e6 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 29 Oct 2015 16:36:20 -0500
Subject: [PATCH] SEC-3082: make SavedRequest parameters case sensitive
---
 .../security/web/savedrequest/DefaultSavedRequest.java | 3 +--
 .../web/savedrequest/DefaultSavedRequestTests.java | 8 +++++---
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
index 30f9ad0a76..ebdcb2bbe5 100644
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@@ -62,8 +62,7 @@ public class DefaultSavedRequest implements SavedRequest {
 private final ArrayList locales = new ArrayList();
 private final Map> headers = new TreeMap>(
 String.CASE_INSENSITIVE_ORDER);
- private final Map parameters = new TreeMap(
- String.CASE_INSENSITIVE_ORDER);
+ private final Map parameters = new TreeMap();
 private final String contextPath;
 private final String method;
 private final String pathInfo;
diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
index 9752b05452..12f7251fd3 100644
--- a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
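Review bot: The `parameters` declaration in DefaultSavedRequest.java now differs from the `headers` map directly above it, which keeps `String.CASE_INSENSITIVE_ORDER`, and nothing on the field says the difference is deliberate. A one-line comment would stop a later cleanup from re-aligning the two, for example `// SEC-3082: parameter names are case sensitive; only header names compare case-insensitively`. If saved requests are serialized with the HTTP session (not visible in this hunk), a `TreeMap` written before the upgrade carries its old comparator when read back, so those instances would keep the case-insensitive lookup until the session expires; that is worth a line in the release notes. The class body continues outside the hunk.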
@@ -32,13 +32,15 @@ public class DefaultSavedRequestTests {
 assertTrue(saved.getHeaderValues("if-none-match").isEmpty());
 }

- // TODO: Why are parameters case insensitive. I think this is a mistake
+ // SEC-3082
 @Test
- public void parametersAreCaseInsensitive() throws Exception {
+ public void parametersAreCaseSensitive() throws Exception {
 MockHttpServletRequest request = new MockHttpServletRequest();
- request.addParameter("ThisIsATest", "Hi mom");
+ request.addParameter("AnotHerTest", "Hi dad");
+ request.addParameter("thisisatest", "Hi mom");
 DefaultSavedRequest saved = new DefaultSavedRequest(request,
 new MockPortResolver(8080, 8443));
 assertEquals("Hi mom", saved.getParameterValues("thisisatest")[0]);
+ assertNull(saved.getParameterValues("anothertest"));
 }
 }
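Review bot: `parametersAreCaseSensitive` never stores two parameter names that differ only in case, so it does not show that both survive as separate entries in the saved request. The `assertEquals` on `thisisatest` would also pass with the old case-insensitive map; only the new `assertNull` distinguishes the two behaviours. Adding `request.addParameter("ThisIsATest", "Hi sis");` together with `assertEquals("Hi sis", saved.getParameterValues("ThisIsATest")[0]);` would pin that a differently-cased name is no longer folded into an existing entry.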