  1. RESTEasy
  2. RESTEASY-1659

HttpServletResponseHeaders adds headers on putAll(), but should replace them


    • Bug
    • Resolution: Done
    • Minor
    • 3.0.24.Final, 3.1.4.Final
    • 3.0.23.Final
    • jaxrs
    • None

      The MultivaluedMap interface assumes that putAll(Map<String, List<Object>> map) will replace all map keys with the given values. This is the behaviour of e.g. javax.ws.rs.core.MultivaluedHashMap. Extrapolating this to headers means that headers should be replaced, rather than having the values added to them.

      However, org.jboss.resteasy.plugins.server.servlet.HttpServletResponseHeaders behaves differently. Its putAll method implementation delegates the call to add(String key, Object value), which appends values to existing headers in the underlying HttpServletResponse.

      For example, if the servlet container pre-initializes some headers like

      Pragma: No-cache

      and the same header is set via Response$ResponseBuilder#header(String name, Object value), the resulting response will have a header like this:

      Pragma: No-cache, No-cache

      In most cases this does not affect the browser's behaviour; however, there are some critical exceptions, like CORS headers:

      Access-Control-Allow-Credentials: true, true

      This header will be discarded by the browser and the JavaScript application will misbehave.

      Expected: HttpServletResponseHeaders calls HttpServletResponse#setHeader(String name, String value) for the 1st value in the list, and HttpServletResponse#addHeader(String name, String value) for any subsequent value in the list.

            rsearls r searls
            dma_k Dmitry Katsubo (Inactive)
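
The difference between the reported and the expected putAll() behaviour, as an added example that is not RESTEasy's code and not part of the original report. FakeResponse is a hypothetical stand-in for the header methods of HttpServletResponse, and the pre-set header value is constructed sample input.

```java
import java.util.*;

public class PutAllHeaderDemo {
    // Hypothetical stand-in for the header part of HttpServletResponse.
    static class FakeResponse {
        final Map<String, List<String>> headers = new LinkedHashMap<>();
        void setHeader(String name, String value) {   // replaces any existing values
            headers.put(name, new ArrayList<>(List.of(value)));
        }
        void addHeader(String name, String value) {   // appends to existing values
            headers.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        String wire(String name) {                    // values joined the way the report shows them
            return name + ": " + String.join(", ", headers.getOrDefault(name, List.of()));
        }
    }

    // Behaviour described in the report: every value is appended.
    static void putAllAppending(FakeResponse r, Map<String, List<Object>> map) {
        map.forEach((name, values) -> values.forEach(v -> r.addHeader(name, String.valueOf(v))));
    }

    // Expected behaviour: the first value replaces, any further values are added.
    static void putAllReplacing(FakeResponse r, Map<String, List<Object>> map) {
        map.forEach((name, values) -> {
            boolean first = true;
            for (Object v : values) {
                if (first) r.setHeader(name, String.valueOf(v));
                else r.addHeader(name, String.valueOf(v));
                first = false;
            }
        });
    }

    public static void main(String[] args) {
        String cors = "Access-Control-Allow-Credentials";
        Map<String, List<Object>> fromResource = Map.of(cors, List.of((Object) "true"));

        FakeResponse appended = new FakeResponse();
        appended.setHeader(cors, "true");             // constructed: header pre-set before JAX-RS runs
        putAllAppending(appended, fromResource);
        System.out.println("appending: " + appended.wire(cors));

        FakeResponse replaced = new FakeResponse();
        replaced.setHeader(cors, "true");
        putAllReplacing(replaced, fromResource);
        System.out.println("replacing: " + replaced.wire(cors));
    }
}
```

A response-level check for the same condition is to flag any Access-Control-Allow-Credentials header whose value is not exactly `true`.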