ServerHttpBasicAuthenticationConverter Validates Scheme Name

Fixes: gh-5414

Author: rwinch

web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java

@@ -41,7 +41,7 @@ public Mono<Authentication> apply(ServerWebExchange exchange) {
 		ServerHttpRequest request = exchange.getRequest();
 
 		String authorization = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
-		if(authorization == null) {
+		if(authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
 			return Mono.empty();
 		}
 

web/src/test/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverterTests.java

@@ -79,6 +79,22 @@ public void applyWhenUserPasswordThenAuthentication() {
 		assertThat(authentication.getCredentials()).isEqualTo("password");
 	}
 
+	@Test
+	public void applyWhenLowercaseSchemeThenAuthentication() {
+		Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "basic dXNlcjpwYXNzd29yZA=="));
+
+		UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class).block();
+		assertThat(authentication.getPrincipal()).isEqualTo("user");
+		assertThat(authentication.getCredentials()).isEqualTo("password");
+	}
+
+	@Test
+	public void applyWhenWrongSchemeThenAuthentication() {
+		Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "token dXNlcjpwYXNzd29yZA=="));
+
+		assertThat(result.block()).isNull();
+	}
+
 	private Mono<Authentication> apply(MockServerHttpRequest.BaseBuilder<?> request) {
 		return this.converter.apply(MockServerWebExchange.from(this.request.build()));
 	}