Spring Security Updating to spring-security-web-6.3.4 breaks http request header mutation feature

We use org.springframework.http.server.reactive.ServerHttpRequest#mutate to add a header into a HTTP request in a class extending AbstractGatewayFilterFactory.

@Override
    public GatewayFilter apply(Config config) {
return (exchange, chain) -> {
...
...
...
ServerHttpRequest request = exchange.getRequest().mutate()
        .headers(httpHeaders -> {
            LOG.info("httpHeaders: {} type: {}", httpHeaders, httpHeaders.getClass());
            httpHeaders.put("key", Collections.singletonList(value));
        }).build();
...
};
}

This used to work before with spring-security-web < 6.3.4.

Here, type of httpHeaders is org.springframework.security.web.server.firewall.StrictServerWebExchangeFirewall$StrictFirewallServerWebExchange$StrictFirewallHttpRequest$StrictFirewallHttpHeaders.

After updating the library, getting following error:

[main-router-bc8d97cb5-rfx2r/main] 2024-11-04T12:37:17.079Z ERROR 1 --- [or-http-epoll-5] o.z.problem.spring.common.AdviceTraits   : Not Implemented
[main-router-bc8d97cb5-rfx2r/main] 
[main-router-bc8d97cb5-rfx2r/main] java.lang.UnsupportedOperationException: null
[main-router-bc8d97cb5-rfx2r/main]  at org.springframework.http.ReadOnlyHttpHeaders.put(ReadOnlyHttpHeaders.java:130) ~[spring-web-6.1.14.jar!/:6.1.14]
[main-router-bc8d97cb5-rfx2r/main]  at org.springframework.http.ReadOnlyHttpHeaders.put(ReadOnlyHttpHeaders.java:39) ~[spring-web-6.1.14.jar!/:6.1.14]
[main-router-bc8d97cb5-rfx2r/main]  at org.springframework.http.HttpHeaders.put(HttpHeaders.java:1779) ~[spring-web-6.1.14.jar!/:6.1.14]
[main-router-bc8d97cb5-rfx2r/main]  at com.hcl.products.onetest.gateway.filters.SecurityGatewayFilterFactory.lambda$apply$1(SecurityGatewayFilterFactory.java:62) ~[!/:na]
[main-router-bc8d97cb5-rfx2r/main]  at org.springframework.http.server.reactive.DefaultServerHttpRequestBuilder.headers(DefaultServerHttpRequestBuilder.java:117) ~[spring-web-6.1.14.jar!/:6.1.14]

Not sure why StrictFirewallHttpHeaders are being treated as ReadOnlyHttpHeaders.

Expected behavior is to be able to add a header into http request.

Please let me know if any other information required in this regard.

Comment From: rwinch

Thanks for the report @Omkar-Shetkar this is a duplicate of https://github.com/spring-projects/spring-security/issues/15989 ( workaround https://github.com/spring-projects/spring-security/issues/15989#issuecomment-2442660753 ) which is superseded by https://github.com/spring-projects/spring-framework/issues/33789

Comment From: Omkar-Shetkar

That's very helpful @rwinch. Thank you.