HttpEntityMethodProcessor discards headers [SPR-15952]

[spring-projects-issues]

Nestor Tarin Burriel opened SPR-15952 and commented

When upgrading to spring webmvc from version 4.2.9 to version 4.3.9, we have detected an issue when adding cookies to the response entity from a controller.

In the HttpEntityMethodProcessor class, when handling the return value, if the ServletServerHttpResponse contains already the header that is added to the entityHeaders object, it won't be added to the outputHeaders.

This scenario happens when for example the JSESSIONID cookie is added to the response header before calling a controller and then when the controller tries to add an extra cookie it is ignored due to the described behaviour.

By comparing versions 4.2.x and 4.3.x:

version 4.2.x

public void handleReturnValue(...) {
  ...
  HttpHeaders entityHeaders = responseEntity.getHeaders();
  if (!entityHeaders.isEmpty()) {
    outputMessage.getHeaders().putAll(entityHeaders);
  }
  ...
}

version 4.3.x

public void handleReturnValue(...) {
  ...
  if (!entityHeaders.isEmpty()) {
    for (Map.Entry<String, List<String>> entry : entityHeaders.entrySet()) {
      if (!outputHeaders.containsKey(entry.getKey())) {
        outputHeaders.put(entry.getKey(), entry.getValue());
      }
    }
  }
  ...
}

I set the bug level to critical as is blocking us to upgrade from 4.2 to 4.3, but you can decide which level suits you better.

Kind regards,

Néstor

---

Affects: 4.3.9

Issue Links:

• Support for HTTP Vary configuration (e.g. in reaction to locale-based rendering) [SPR-14070] #18642 Support for HTTP Vary configuration (e.g. in reaction to locale-based rendering)

Referenced from: commits 5bdcb89, dedecb9

Backported to: 4.3.12

[spring-projects-issues]

Juergen Hoeller commented

This seems to be a side effect of #18642. We'll revisit this for 4.3.12.