
BasicAuthenticationFilter case insenstive

Fixes: gh-5616
Rob Winch 7 rokov pred
rodič
commit
96c944c4fc

+ 1 - 1
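--- a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java
@@ -154,7 +154,7 @@ public class BasicAuthenticationFilter extends OncePerRequestFilter {
 
 		String header = request.getHeader("Authorization");
 
-		if (header == null || !header.startsWith("Basic ")) {
+		if (header == null || !header.toLowerCase().startsWith("basic ")) {
 			chain.doFilter(request, response);
 			return;
 		}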
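Review bot: The new scheme check calls `header.toLowerCase()` with no locale argument, so it folds case using the JVM's default locale; under a Turkish-style locale an `Authorization: BASIC ...` header lower-cases to `basıc ` (dotless ı) and the filter silently passes the request down the chain without authenticating. The comparison should be locale-independent, e.g. `if (header == null || !header.toLowerCase(Locale.ROOT).startsWith("basic ")) {` (this presumably needs a `java.util.Locale` import if the file does not already have one) or, without any import, `if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {`. The same caveat applies to any later scheme checks in the class that copy this pattern. The enclosing method starts before and continues past this hunk.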

+ 20 - 0
web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java

@@ -156,6 +156,26 @@ public class BasicAuthenticationFilterTests {
 				.isEqualTo("rod");
 				.isEqualTo("rod");
 	}
 	}
 
 
+	// gh-5586
+	@Test
+	public void doFilterWhenSchemeLowercaseThenCaseInsensitveMatchWorks() throws Exception {
+		String token = "rod:koala";
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addHeader("Authorization",
+				"basic " + new String(Base64.encodeBase64(token.getBytes())));
+		request.setServletPath("/some_file.html");
+
+		// Test
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+		FilterChain chain = mock(FilterChain.class);
+		filter.doFilter(request, new MockHttpServletResponse(), chain);
+
+		verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
+		assertThat(SecurityContextHolder.getContext().getAuthentication().getName())
+				.isEqualTo("rod");
+	}
+
 	@Test
 	@Test
 	public void testOtherAuthorizationSchemeIsIgnored() throws Exception {
 	public void testOtherAuthorizationSchemeIsIgnored() throws Exception {