MultivaluedMap interface assumes that putAll(Map<String, List<Object>> map) will replace all map keys with given values. This is a behaviour of e.g. javax.ws.rs.core.MultivaluedHashMap. Extrapolating that for headers means that headers should be replaced, not added the values.

However org.jboss.resteasy.plugins.server.servlet.HttpServletResponseHeaders behaves differently. putAll method implementation delegates the call to add(String key, Object value) which appends values to existing headers in underlying HttpServletResponse.

For example, if servlet container pre-initializes some headers like

Pragma: No-cache

and the same header is set via Response$ResponseBuilder#header(String name, Object value), the resulting response will have header like this:

Pragma: No-cache, No-cache

In most cases this does not affect the browser's behaviour, however there are some critical exceptions like CORS headers:

Access-Control-Allow-Credentials: true, true

This header will be discarded by browser and JavaScript application will misbehave.

Expected: HttpServletResponseHeaders calls HttpServletResponse#setHeader(String name, String value) for 1st value in the list, and HttpServletResponse#addHeader(String name, String value) for any subsequent value in the list.