Duplicate response headers with `ResponseEntity<Mono<T>>` (or Kotlin suspend function) controller method

[deftfitf]

Duplicate response headers with Kotlin suspend function returning ResponseEntity after header adapter optimization

Affects: Spring Framework 7.0.5 (Spring Boot 4.0.3)

Maybe introduced in: 7ea11baff9 (Pass-through handling of Servlet headers, gh-36334)

Description

After the Servlet header adapter optimization introduced in gh-36334, response headers are duplicated when a Kotlin suspend fun controller method returns ResponseEntity<T> in Spring WebMVC.

The root cause is in ResponseBodyEmitterReturnValueHandler.handleReturnValue(). In the non-streaming path (single-value reactive type adapted to DeferredResult), headers that are already present in the HttpServletResponse are read back through the adapter and re-added via addHeader(), resulting in every header appearing twice.

First, the header is copied here.

• spring-framework/spring-web/src/main/java/org/springframework/http/server/ServletServerHttpResponse.java

  Line 56 in 7ea11ba

  this.headers = new HttpHeaders(new ServletResponseHeadersAdapter(servletResponse));

The http header is also duplicated in the outputMessage.

• spring-framework/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/ResponseBodyEmitterReturnValueHandler.java

  Lines 189 to 191 in 188cb9b

  	HttpServletResponse response = webRequest.getNativeResponse(HttpServletResponse.class);
  	Assert.state(response != null, "No HttpServletResponse");
  	ServerHttpResponse outputMessage = new ServletServerHttpResponse(response);

response.addHeader causes a duplicate header in the original response.

• spring-framework/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/ResponseBodyEmitterReturnValueHandler.java

  Lines 218 to 222 in 188cb9b

  	outputMessage.getHeaders().forEach((headerName, headerValues) -> {
  	for (String headerValue : headerValues) {
  	response.addHeader(headerName, headerValue);
  	}
  	});

Steps to Reproduce

1. Configure a CorsFilter or @CrossOrigin annotation
2. Define a Kotlin suspend controller that returns ResponseEntity<T>:

@RestController
class MyController {

    @GetMapping("/example")
    suspend fun example(): ResponseEntity<String> {
        return ResponseEntity.ok()
            .header("X-Custom", "value")
            .body("hello")
    }
}

3. Send a cross-origin request to /example
4. Observe the response headers

Expected Behavior

Each header appears once in the response

Actual Behavior

Headers are duplicated

[rstoyanchev]

I can confirm the issue, but a couple of questions.

CorsFilter plays no role in the issue, does it? Also, simply creating ServletServetHttpResponse does not copy headers. It's only calls to set, add, or put in HttpHeaders that are now mapped to ServletResponse header methods.

As far as I can see the issue is all in ResponseBodyEmitterReturnValueHandler. It puts the headers once, and then it writes them again if we are not going to stream.

[deftfitf]

Sorry for the confusion. Yes, CorsFilter was not the direct cause. It was just one of the factors that led us to discover this issue, as the duplicated CORS headers caused a browser error.

I was in a bit of a hurry with the other parts as well, so I'm sorry if there are some mistakes!

Thank you for addressing the problematic parts!

[rstoyanchev]

No worries, I was just making sure I didn't miss anything.