fix: exclude unsupported response types in exception (#2329)

* fix: exclude unsupported response types in exception

- avoid logging or echoing unsantized input from the request
- this mirrors the change made to AuthorizationEndpoint in
spring-security-oauth2 2.5.2.RELEASE, see:
spring-attic/spring-security-oauth@2b58aaf

Change-Id: Id93034bc69355fcf988c56827fa65c70338694cf

* fix: allow bearer or Bearer for Authentication header

- apparently the whitespace is being trimmed off by spring in the xml
so the request matcher isn't doing a case insensitive comparison when
the header value is Bearer

Change-Id: I0f93cc2a0ebf364560687c4e57887a100753dd2d

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpoint.java

@@ -182,7 +182,7 @@ public ModelAndView authorize(Map<String, Object> model,
         String grantType = deriveGrantTypeFromResponseType(responseTypes);
 
         if (!supported_response_types.containsAll(responseTypes)) {
-            throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
+            throw new UnsupportedResponseTypeException("Unsupported response types");
         }
 
         if (authorizationRequest.getClientId() == null) {

server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java

@@ -135,7 +135,7 @@ else if (!matchesHeader(requestValue, expectedHeaderEntry.getValue())) {
 
     private boolean matchesHeader(String requestValue, List<String> expectedValues) {
         for (String headerValue : expectedValues) {
-            if ("bearer ".equalsIgnoreCase(headerValue)) {
+            if ("bearer".equalsIgnoreCase(headerValue.trim())) {
                 //case insensitive for Authorization: Bearer match
                 if (requestValue == null || !requestValue.toLowerCase().startsWith(headerValue)) {
                     return false;