Open vpavic opened 2 years ago
Hi @vpavic, thanks for the report.
There is a reason for this on https://github.com/spring-projects/spring-security/issues/5499. Do you think that scenario makes sense?
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Sorry for the late reply.
I ran into the issue you linked (and some other related ones) shortly after opening this. Overall, I think the arrangement does make sense, but the point that I tried to make is that it's still possible for HeaderWriterFilter to attempt to write headers from an include.
Assuming the request that invokes RequestDispatcher#include itself isn't filtered by HeaderWriterFilter, but the one that is being included is, HeaderWriterFilter#writeHeaders will end up being called but headers won't be written to the response by the container (because the spec states that an attempt to set the headers must be ignored in such a case).
To make things more explicit, and avoid any confusion that might come as a result of the fact that HeaderWriterFilter#writeHeaders is called but response headers are not written, HeaderWriterFilter could override OncePerRequestFilter#shouldNotFilter and skip filtering for requests of include dispatcher type.
Servlet spec states that include dispatch:
HeaderWriterFilter appears to be at odds with this as it invokes HeaderWriterResponse#onResponseCommitted in HeaderWriterRequestDispatcher#include, which in turn calls HeaderWriterResponse#writeHeaders.
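The shouldNotFilter approach suggested in the thread, sketched as an added example on a hypothetical application filter (IncludeAwareHeaderFilter); this is not code from the issue or from Spring Security's HeaderWriterFilter. It assumes the jakarta.servlet namespace (Spring Framework 6; use javax.servlet on 5.x) with spring-web and spring-test on the classpath, and the header name and request path are constructed sample values.

```java
import java.io.IOException;

import jakarta.servlet.DispatcherType;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical application filter; not Spring Security's HeaderWriterFilter.
public class IncludeAwareHeaderFilter extends OncePerRequestFilter {

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // A resource reached through RequestDispatcher#include cannot set response
        // headers (the container ignores the attempt), so skip the filter rather
        // than call setHeader with no effect.
        return request.getDispatcherType() == DispatcherType.INCLUDE;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        response.setHeader("X-Content-Type-Options", "nosniff");
        chain.doFilter(request, response);
    }

    // Runs the filter once against spring-test mocks for the given dispatcher type.
    // The mock response does not emulate the container's "ignore headers on include"
    // rule, so a null return here shows the filter itself never called setHeader.
    static String headerFor(DispatcherType type) throws ServletException, IOException {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/fragment");
        request.setDispatcherType(type);
        MockHttpServletResponse response = new MockHttpServletResponse();
        new IncludeAwareHeaderFilter().doFilter(request, response, new MockFilterChain());
        return response.getHeader("X-Content-Type-Options");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("REQUEST: " + headerFor(DispatcherType.REQUEST));
        System.out.println("INCLUDE: " + headerFor(DispatcherType.INCLUDE));
    }
}
```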