Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-1659

HttpServletResponseHeaders adds headers on putAll(), but should replace them

    XMLWordPrintable

    Details

      Description

      MultivaluedMap interface assumes that putAll(Map<String, List<Object>> map) will replace all map keys with given values. This is a behaviour of e.g. javax.ws.rs.core.MultivaluedHashMap. Extrapolating that for headers means that headers should be replaced, not added the values.

      However org.jboss.resteasy.plugins.server.servlet.HttpServletResponseHeaders behaves differently. putAll method implementation delegates the call to add(String key, Object value) which appends values to existing headers in underlying HttpServletResponse.

      For example, if servlet container pre-initializes some headers like

      Pragma: No-cache
      

      and the same header is set via Response$ResponseBuilder#header(String name, Object value), the resulting response will have header like this:

      Pragma: No-cache, No-cache
      

      In most cases this does not affect the browser's behaviour, however there are some critical exceptions like CORS headers:

      Access-Control-Allow-Credentials: true, true
      

      This header will be discarded by browser and JavaScript application will misbehave.

      Expected: HttpServletResponseHeaders calls HttpServletResponse#setHeader(String name, String value) for 1st value in the list, and HttpServletResponse#addHeader(String name, String value) for any subsequent value in the list.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  rsearls r searls
                  Reporter:
                  dma_k Dmitry Katsubo
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: