Fix headers@defaults-disabled=true with no children

Previously <headers defaults-disabled="true"/> would fail if there were
no children with an IllegalArgumentException. This allows using
defaults-disabled="true" and no children as an alias for disabled="true".

Fixes gh-3986

config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java

@@ -111,13 +111,13 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
 
 		parseHeaderElements(element);
 
-		if (disabled) {
-			if (!headerWriters.isEmpty()) {
-				parserContext
-						.getReaderContext()
-						.error("Cannot specify <headers disabled=\"true\"> with child elements.",
-								element);
-			}
+		boolean noWriters = headerWriters.isEmpty();
+		if (disabled && !noWriters) {
+			parserContext
+				.getReaderContext()
+				.error("Cannot specify <headers disabled=\"true\"> with child elements.",
+						element);
+		} else if (noWriters) {
 			return null;
 		}
 

config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy

@@ -109,6 +109,18 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
 
 	// --- defaults disabled
 
+	// gh-3986
+	def 'http headers defaults-disabled with no override'() {
+		httpAutoConfig {
+			'headers'('defaults-disabled':true) {
+			}
+		}
+		createAppContext()
+
+		expect:
+		getFilter(HeaderWriterFilter) == null
+	}
+
 	def 'http headers content-type-options'() {
 		httpAutoConfig {
 			'headers'('defaults-disabled':true) {