Merge branch '5.8.x' into 6.0.x

Closes gh-13000

web/src/main/java/org/springframework/security/web/FilterInvocation.java

@@ -26,6 +26,7 @@ import java.lang.reflect.Proxy;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 
 import jakarta.servlet.FilterChain;
@@ -257,7 +258,11 @@ public class FilterInvocation {
 
 		@Override
 		public Enumeration<String> getHeaders(String name) {
-			return Collections.enumeration(this.headers.get(name));
+			List<String> headerList = this.headers.get(name);
+			if (headerList == null) {
+				return Collections.emptyEnumeration();
+			}
+			return Collections.enumeration(headerList);
 		}
 
 		@Override

web/src/test/java/org/springframework/security/web/FilterInvocationTests.java

@@ -16,6 +16,9 @@
 
 package org.springframework.security.web;
 
+import java.util.Enumeration;
+import java.util.NoSuchElementException;
+
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -141,4 +144,23 @@ public class FilterInvocationTests {
 		assertThat(filterInvocation.getRequest().getServletContext()).isSameAs(mockServletContext);
 	}
 
+	@Test
+	public void testDummyRequestGetHeaders() {
+		DummyRequest request = new DummyRequest();
+		request.addHeader("known", "val");
+		Enumeration<String> headers = request.getHeaders("known");
+		assertThat(headers.hasMoreElements()).isTrue();
+		assertThat(headers.nextElement()).isEqualTo("val");
+		assertThat(headers.hasMoreElements()).isFalse();
+		assertThatExceptionOfType(NoSuchElementException.class).isThrownBy(headers::nextElement);
+	}
+
+	@Test
+	public void testDummyRequestGetHeadersNull() {
+		DummyRequest request = new DummyRequest();
+		Enumeration<String> headers = request.getHeaders("unknown");
+		assertThat(headers.hasMoreElements()).isFalse();
+		assertThatExceptionOfType(NoSuchElementException.class).isThrownBy(headers::nextElement);
+	}
+
 }