SecurityResponse only accept single header values

[peternied]

As part of the abstraction [1] of SecurityRequest/SecurityResponse, changes were made for how headers were processed. OpenSearch's RestRequest object treats headers as a Map<String, List<String>> whereas in the refactor this was simplified to Map<String, String> This has caused some plugins that extend behavior of the security plugin to be broken.

SecurityResponse classes should switch to a Map<String, List<String>> representation so workarounds aren't needed in downstream consumers.

• [1] Expanding Authentication with SecurityRequest Abstraction #3430

Acceptance Criteria

• Read up on duplicate header entries and how they are handled
  • Confirm if a refactor is needed or if this can be done via another method (comma delimited?) StackOverflow
• Update SecurityResponse from Map<String, String> headers; to Map<String, List<String>> headers;
• Fix all impacted areas of the codebase
• Add tests that use and verify duplicate header entries

[kumjiten]

LGTM,
based on stackOverflow mentioned sending multiple value as comma separated in single value means whoever extends this has to write this logic of preparing the single value separated by comma for multi value header which I feel overhead.

[shikharj05]

Thanks for creating this issue. This sounds like an appropriate change; as it would also be in-line with RestResponse class in OpenSearch core- https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/rest/RestResponse.java#L54

[stephen-crawford]

[Triage] Thank you for filing this issue @peternied. This looks good to go.