`HeaderWriterFilter` appears to be violating Servlet spec

[vpavic]

Servlet spec states that include dispatch:

... cannot set headers or call any method that affects the headers of the response... Any attempt to set the headers must be ignored...

HeaderWriterFilter appears to be at odds with this as it invokes HeaderWriterResponse#onResponseCommitted in HeaderWriterRequestDispatcher#include, which in turn calls HeaderWriterResponse#writeHeaders.

[marcusdacoregio]

Hi @vpavic, thanks for the report.

There is a reason for this on https://github.com/spring-projects/spring-security/issues/5499. Do you think that scenario makes sense?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[vpavic]

Sorry for the late reply.

I ran into the issue you linked (and some other related ones) shortly after opening this. Overall, I think the arrangement does make sense, but the point that I tried to make is that it's still possible for HeaderWriterFilter to attempt to write headers from an include.

Assuming the request that invokes RequestDispatcher#include itself isn't filtered by HeaderWriterFilter, but the one that is being included is, HeaderWriterFilter#writeHeaders will end up being called but headers won't be written to the response by the container (because the spec states that attempt to set the headers must be ignored in such case).

To make things more explicit, and avoid any confusion that might come as a result of the fact that HeaderWriterFilter#writeHeaders is called but response headers are not written, HeaderWriterFilter could override OncePerRequestFilter#shouldNotFilter and skip filtering for requests of include dispatcher type.