Don't cache requests with Accept: text/event-stream by default.

The eventstream requests is typically not directly invoked by the browser.
And even more unfortunately the Browser-Api doesn't allow the set additional headers as `XMLHttpRequest`..

config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java

@@ -162,6 +162,7 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
 		matchers.add(notMatchingMediaType(http, MediaType.APPLICATION_JSON));
 		matchers.add(notXRequestedWith);
 		matchers.add(notMatchingMediaType(http, MediaType.MULTIPART_FORM_DATA));
+		matchers.add(notMatchingMediaType(http, MediaType.TEXT_EVENT_STREAM));
 
 		return new AndRequestMatcher(matchers);
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java

@@ -183,6 +183,21 @@ public class RequestCacheConfigurerTests {
 
 		//  This is desirable since XHR requests are typically not invoked directly from the browser and we don't want the browser to replay them
 	}
+	@Test
+	public void getWhenBookmarkedRequestIsTextEventStreamThenPostAuthenticationRedirectsToRoot() throws Exception {
+		this.spring.register(RequestCacheDefaultsConfig.class, DefaultSecurityConfig.class).autowire();
+
+		MockHttpSession session = (MockHttpSession)
+				this.mvc.perform(get("/messages")
+						.header(HttpHeaders.ACCEPT, MediaType.TEXT_EVENT_STREAM))
+						.andExpect(redirectedUrl("http://localhost/login"))
+						.andReturn().getRequest().getSession();
+
+		this.mvc.perform(formLogin(session))
+				.andExpect(redirectedUrl("/")); // ignores text/event-stream
+
+		//  This is desirable since event-stream requests are typically not invoked directly from the browser and we don't want the browser to replay them
+	}
 
 	@Test
 	public void getWhenBookmarkedRequestIsAllMediaTypeThenPostAuthenticationRemembers() throws Exception {