Authorization key lookup in BearerTokenAuthenticationExtractor should be case insensitive

[Ata-Whisky]

Hello,

when BearerTokenAuthenticationExtractor extract authorization value from web-socket message payload case sensitivity of key matters. Aka when Authorization is used on server side as key and client sent authorization in payload it does not match.

Could it be possible to make key matching case insensitive?

[harshithsaiv]

I think we can make the key matching case-insensitive by creating a custom AuthenticationPayloadMatcher which will check for the authorization header in a case sensitive manner.

public class CaseInsensitiveBearer implements AuthenticationPayloadMatcher{
   private final String headerName;

    public CaseInsensitiveBearer(String headerName) {
        this.headerName = headerName.toLowerCase();
    }

    @Override
    public boolean matches(Map<String, Object> payload) {
        return payload.keySet().stream()
                .anyMatch(key -> key.toLowerCase().equals(headerName));
    }

    @Override
    public String extractAuthorization(Map<String, Object> payload) {
        return payload.entrySet().stream()
                .filter(entry -> entry.getKey().toLowerCase().equals(headerName))
                .map(entry -> entry.getValue().toString())
                .findFirst()
                .orElse(null);
    }
}

And when we are configuring Spring to make use of the CustomMarcher:

@Bean
public AuthenticationPayloadMatcher authenticationPayloadMatcher() {
        return new CaseInsensitiveBearer("Authorization");
    }

    @Bean
    public BearerTokenAuthenticationTokenResolver bearerTokenResolver() {
        return new BearerTokenAuthenticationTokenResolver();
    }

[Ata-Whisky]

You were faster :)

Yeah, I came to same conclusion. Some key matching strategy seems like better solution. It can be lambda passed to constructor or similar approach.