Fix header parsing for Authorization scheme.

Author: robotdan

build.savant

@@ -29,7 +29,7 @@ logbackVersion = "1.5.13"
 slf4jVersion = "2.0.13"
 testngVersion = "7.8.0"
 
-project(group: "org.primeframework", name: "prime-mvc", version: "5.5.0", licenses: ["ApacheV2_0"]) {
+project(group: "org.primeframework", name: "prime-mvc", version: "5.5.1", licenses: ["ApacheV2_0"]) {
   workflow {
     fetch {
       // Dependency resolution order:

pom.xml

@@ -5,7 +5,7 @@
 
   <groupId>org.primeframework</groupId>
   <artifactId>prime-mvc</artifactId>
-  <version>5.5.0</version>
+  <version>5.5.1</version>
   <packaging>jar</packaging>
 
   <name>FusionAuth App</name>

src/main/java/org/primeframework/mvc/security/DefaultJWTRequestAdapter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2023, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2016-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,10 @@
  * @author Daniel DeGroff
  */
 public class DefaultJWTRequestAdapter implements JWTRequestAdapter {
+  private static final String BearerScheme = "bearer ";
+
+  private static final String JWTScheme = "jwt ";
+
   protected final HTTPRequest request;
 
   protected final HTTPResponse response;
@@ -52,11 +56,12 @@ public DefaultJWTRequestAdapter(HTTPRequest request, HTTPResponse response) {
   public String getEncodedJWT() {
     String authorization = request.getHeader("Authorization");
     if (authorization != null) {
-      // Support Bearer and JWT scheme
-      if (authorization.startsWith("Bearer ")) {
-        return authorization.substring("Bearer ".length());
-      } else if (authorization.startsWith("JWT ")) {
-        return authorization.substring("JWT ".length());
+      // Support Bearer and JWT scheme. The JWT scheme is only for backwards compatability with usage.
+      // - Match on scheme case-insensitive, but return the un-modified value.
+      if (authorization.toLowerCase().startsWith(BearerScheme)) {
+        return authorization.substring(BearerScheme.length());
+      } else if (authorization.toLowerCase().startsWith(JWTScheme)) {
+        return authorization.substring(JWTScheme.length());
       }
     }
 

src/test/java/org/primeframework/mvc/GlobalTest.java

@@ -783,12 +783,25 @@ public void get_jwtAuthorized() throws Exception {
                                  .assertHeaderContains("Cache-Control", "no-cache")
                                  .assertStatusCode(200));
 
+    // Test with JWT scheme, mixed case
+    test.simulate(() -> simulator.test("/jwt-authorized")
+                                 .withHeader("Authorization", "jWt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkifQ.qHdut1UR4-2FSAvh7U3YdeRR5r5boVqjIGQ16Ztp894")
+                                 .get()
+                                 .assertHeaderContains("Cache-Control", "no-cache")
+                                 .assertStatusCode(200));
+
     // Test with Bearer scheme
     test.simulate(() -> simulator.test("/jwt-authorized")
                                  .withHeader("Authorization", "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkifQ.qHdut1UR4-2FSAvh7U3YdeRR5r5boVqjIGQ16Ztp894")
                                  .get()
                                  .assertStatusCode(200));
 
+    // Test with Bearer scheme, mixed case
+    test.simulate(() -> simulator.test("/jwt-authorized")
+                                 .withHeader("Authorization", "bEaReR eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkifQ.qHdut1UR4-2FSAvh7U3YdeRR5r5boVqjIGQ16Ztp894")
+                                 .get()
+                                 .assertStatusCode(200));
+
     // Missing JWT w/ Bearer scheme
     test.simulate(() -> simulator.test("/jwt-authorized")
                                  .withHeader("Authorization", "Bearer ")