diff --git a/web/src/main/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewall.java b/web/src/main/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewall.java
index 0916f1ffd9..72871f2b45 100644
--- a/web/src/main/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewall.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -802,42 +802,42 @@ public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewal

 @Override
 public Builder method(HttpMethod httpMethod) {
- return this.delegate.method(httpMethod);
+ return new StrictFirewallBuilder(this.delegate.method(httpMethod));
 }

 @Override
 public Builder uri(URI uri) {
- return this.delegate.uri(uri);
+ return new StrictFirewallBuilder(this.delegate.uri(uri));
 }

 @Override
 public Builder path(String path) {
- return this.delegate.path(path);
+ return new StrictFirewallBuilder(this.delegate.path(path));
 }

 @Override
 public Builder contextPath(String contextPath) {
- return this.delegate.contextPath(contextPath);
+ return new StrictFirewallBuilder(this.delegate.contextPath(contextPath));
 }

 @Override
 public Builder header(String headerName, String... headerValues) {
- return this.delegate.header(headerName, headerValues);
+ return new StrictFirewallBuilder(this.delegate.header(headerName, headerValues));
 }

 @Override
 public Builder headers(Consumer headersConsumer) {
- return this.delegate.headers(headersConsumer);
+ return new StrictFirewallBuilder(this.delegate.headers(headersConsumer));
 }

 @Override
 public Builder sslInfo(SslInfo sslInfo) {
- return this.delegate.sslInfo(sslInfo);
+ return new StrictFirewallBuilder(this.delegate.sslInfo(sslInfo));
 }

 @Override
 public Builder remoteAddress(InetSocketAddress remoteAddress) {
- return this.delegate.remoteAddress(remoteAddress);
+ return new StrictFirewallBuilder(this.delegate.remoteAddress(remoteAddress));
 }

 @Override
diff --git a/web/src/test/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewallTests.java b/web/src/test/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewallTests.java
index b8803bc0d1..8f24b0522c 100644
--- a/web/src/test/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewallTests.java
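Review bot: The eight re-wrapped builder methods in StrictFirewallBuilder carry no comment saying why the delegate's return value must never be handed back directly, so the invariant this fix relies on is easy to break when a method is added or edited later. I would add a short comment above `method(...)`, for example `// Always return the firewall builder; returning the delegate's builder presumably lets build() yield a request that skips the header checks (gh-16978)`. Returning `this` after calling the delegate would avoid one allocation per chained call, but that assumes the delegate mutates itself in place, which these lines do not show. The method that follows the final `@Override` is outside the hunk, so how `build()` applies the wrapper cannot be confirmed from here.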
+++ b/web/src/test/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewallTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -534,4 +534,17 @@ class StrictServerWebExchangeFirewallTests {
 .isThrownBy(() -> headers.get(invalidHeaderName));
 }

+ // gh-16978
+ @Test
+ void getMutatedFirewalledExchangeHeadersGetHeaderWhenNotAllowedHeaderNameThenException() {
+ String invalidHeaderName = "bad name";
+ this.firewall.setAllowedHeaderNames((name) -> !name.equals(invalidHeaderName));
+ ServerWebExchange exchange = getFirewalledExchange();
+ var mutatedRequest = exchange.getRequest().mutate().method(HttpMethod.POST).build();
+ var mutatedExchange = exchange.mutate().request(mutatedRequest).build();
+ HttpHeaders headers = mutatedExchange.getRequest().getHeaders();
+ assertThatExceptionOfType(ServerExchangeRejectedException.class)
+ .isThrownBy(() -> headers.get(invalidHeaderName));
+ }
+
 }
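Review bot: The added regression test covers only `mutate().method(HttpMethod.POST)`, while the same commit changes seven other builder methods (`uri`, `path`, `contextPath`, `header`, `headers`, `sslInfo`, `remoteAddress`) that could lose the firewall wrapper in the same way. A parameterized test over the builder calls, or at least a second case such as `exchange.getRequest().mutate().header("good", "value").build()`, would pin the header check for each path. Chaining two calls, e.g. `.method(HttpMethod.POST).header("good", "value")`, would also catch a wrapper that is dropped on the second call rather than the first.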