
SEC-2321: Refine to use X-Requested-With: XMLHttpRequest

Rob Winch 11 年之前
父節點
當前提交
9e7fbf8067

+ 1 - 1
config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -89,7 +89,7 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>> extends
         realmName(DEFAULT_REALM);
 
         LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>();
-        entryPoints.put(new RequestHeaderRequestMatcher("X-Requested-With"), new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+        entryPoints.put(new RequestHeaderRequestMatcher("X-Requested-With","XMLHttpRequest"), new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
 
         DelegatingAuthenticationEntryPoint defaultEntryPoint = new DelegatingAuthenticationEntryPoint(entryPoints);
         defaultEntryPoint.setDefaultEntryPoint(basicAuthEntryPoint);
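Review bot: The two-argument RequestHeaderRequestMatcher on the new line appears to compare the header value with an exact, case-sensitive equals, so a client that sends `X-Requested-With: xmlhttprequest` (or any other spelling) no longer receives the bare 401 and instead falls through to basicAuthEntryPoint's WWW-Authenticate challenge, whereas the replaced one-argument form matched on header presence alone. If that narrowing is intended it deserves a why-comment above the put, e.g. `// Only the conventional AJAX marker gets a bare 401; any other X-Requested-With value (e.g. a native client identifier) still receives the Basic challenge`. The same exact-match consideration applies to the notXRequestedWith matcher in RequestCacheConfigurer. The diffstat shows no test touching HttpBasicConfigurer, so the XMLHttpRequest path of this entry point is not verified by the commit. The enclosing method begins and ends outside the hunk.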

+ 1 - 1
config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java

@@ -126,7 +126,7 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
         jsonRequest.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
         RequestMatcher notJson = new NegatedRequestMatcher(jsonRequest);
 
-        RequestMatcher notXRequestedWith = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With"));
+        RequestMatcher notXRequestedWith = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With","XMLHttpRequest"));
         return new AndRequestMatcher(getRequests, notFavIcon, notJson, notXRequestedWith);
     }
 }
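Review bot: The header name and expected value are now repeated verbatim here and in HttpBasicConfigurer, so the two configurers can drift apart without any compiler help; naming them once, e.g. `private static final String X_REQUESTED_WITH = "X-Requested-With";` and `private static final String XML_HTTP_REQUEST = "XMLHttpRequest";` in a location both can reach, would keep them in sync. A one-line comment on the new matcher would also record the intent, since the matcher presumably decides which requests the request cache saves: `// requests marked X-Requested-With: XMLHttpRequest are treated as AJAX and never saved`. The method that builds this AndRequestMatcher starts before the hunk.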

+ 5 - 3
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy

@@ -138,10 +138,10 @@ class RequestCacheConfigurerTests extends BaseSpringSpec {
     }
 
     @Unroll
-    def "RequestCache saves Accept: #accept"() {
+    def "RequestCache saves #headerName: #headerValue"() {
         setup:
             loadConfig(RequestCacheDefautlsConfig)
-            request.addHeader("Accept", accept)
+            request.addHeader(headerName, headerValue)
             request.method = "GET"
             request.servletPath = "/messages"
             request.requestURI = "/messages"
@@ -157,7 +157,9 @@ class RequestCacheConfigurerTests extends BaseSpringSpec {
             response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
             response.redirectedUrl == "http://localhost/messages"
         where:
-            accept << [MediaType.ALL_VALUE, MediaType.TEXT_HTML, "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"]
+            headerName << ["Accept", "Accept", "Accept", "X-Requested-With"]
+            headerValue << [MediaType.ALL_VALUE, MediaType.TEXT_HTML, "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","com.android"]
+
     }
 
     @Configuration
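Review bot: The new `where:` data only adds the negative case, in which `X-Requested-With: com.android` is still saved and redirected to, and no row asserts that `X-Requested-With: XMLHttpRequest` is excluded, so the half of the refinement that changed behaviour for AJAX clients is untested by this commit; a second feature method with the inverted expectation for the XMLHttpRequest value would pin it. The parallel `headerName <<` and `headerValue <<` lists must also be kept aligned by hand; a Spock data table with a `headerName | headerValue` header and one row per case is less fragile and makes the four combinations readable. The blank line added at the end of the `where:` block looks stray. The feature method's body between the two hunks, and the class itself, extend outside the hunk.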