Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-1659

HttpServletResponseHeaders adds headers on putAll(), but should replace them



      MultivaluedMap interface assumes that putAll(Map<String, List<Object>> map) will replace all map keys with given values. This is a behaviour of e.g. javax.ws.rs.core.MultivaluedHashMap. Extrapolating that for headers means that headers should be replaced, not added the values.

      However org.jboss.resteasy.plugins.server.servlet.HttpServletResponseHeaders behaves differently. putAll method implementation delegates the call to add(String key, Object value) which appends values to existing headers in underlying HttpServletResponse.

      For example, if servlet container pre-initializes some headers like

      Pragma: No-cache

      and the same header is set via Response$ResponseBuilder#header(String name, Object value), the resulting response will have header like this:

      Pragma: No-cache, No-cache

      In most cases this does not affect the browser's behaviour, however there are some critical exceptions like CORS headers:

      Access-Control-Allow-Credentials: true, true

      This header will be discarded by browser and JavaScript application will misbehave.

      Expected: HttpServletResponseHeaders calls HttpServletResponse#setHeader(String name, String value) for 1st value in the list, and HttpServletResponse#addHeader(String name, String value) for any subsequent value in the list.

        Gliffy Diagrams


            Issue Links



                • Assignee:
                  rsearls r searls
                  dma_k Dmitry Katsubo
                • Votes:
                  0 Vote for this issue
                  4 Start watching this issue


                  • Created: