13

What I want to do is, adding a new header to the response after the request is processed. I need to check the processed HttpStatus code (401 unauthorized in my case) and add a new header. I know Spring has interceptors, but the response cannot be modified as stated in the document:

Note that the postHandle method of HandlerInterceptor is not always ideally suited for use with @ResponseBody and ResponseEntity methods. In such cases an HttpMessageConverter writes to and commits the response before postHandle is called which makes it impossible to change the response, for example to add a header. Instead an application can implement ResponseBodyAdvice and either declare it as an @ControllerAdvice bean or configure it directly on RequestMappingHandlerAdapter.

Well, I implemented the ResponseBodyAdvice. Yes, it allows body modification, but I couldn't manage to modify the headers, event couldn't find the status code returned from the controller.

The other option, using servlet filters is not also successful. I need to add the header after filterChain.doFilter(servletRequest, servletResponse); call. But it again doesn't modify the header value. Is there a way to accomplish this easy task?

Improve this question
7
  • You said servlet filters. Where did you add your filter in the chain? Can you quickly check if stackoverflow.com/a/16191770/2231632 works for you? Commented Jun 8, 2015 at 7:05
  • I tried it. I'm adding the header after filterChain.doChain() because I need the status code information after the chain is completed. It doesn't work, Spring commits response and does not allow modification in the filter. Commented Jun 8, 2015 at 7:22
  • That isn't anything spring related, but plain java as soon as the response is already (partially) send to the client you cannot modify the header information anymore. You can only change it before that. But I assume you are returning the 401 yourself then why not simply do it at that location? Commented Jun 8, 2015 at 7:31
  • It's returned in various places. The document states modifying headers is possible not in the postHandle but some place else, I'm looking for that place and how to do that. Commented Jun 8, 2015 at 7:43
  • in the preHandle. As soon as the code is send nothing can be done about it anymore. Also isn't it a bit of a smell to have that all around the code base? Shouldn't security be done in a single location... Commented Jun 8, 2015 at 7:44

5 Answers 5

Reset to default
15

It sounds like you're on the right track with a servlet filter, what you probably need to do is wrap the servlet response object with one that detects when a 401 status code has been set and adds your custom header at that time:

HttpServletResponse wrappedResponse = new HttpServletResponseWrapper(response) {

  public void setStatus(int code) {
    super.setStatus(code);
    if(code == 401) handle401();
  }

  // three similar methods for the other setStatus and the two
  // versions of sendError

  private void handle401() {
    this.addHeader(...);
  }
};

filterChain.doFilter(request, wrappedResponse);
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

You would also have to override sendError methods and the additional (deprecated) setStatus message. Just to be sure that alla cases are captured.
@M.Denium yes indeed, as I indicated in my comment in the code. The implementation of these methods is left as an exercise for the reader...
Thank you for your answer, this solved my problem with the alfresco stack
What can one do if they dont call setStatus() since it is 200 be default when you respond with an object?
4

Well, I implemented the ResponseBodyAdvice. Yes, it allows body modification, but I couldn't manage to modify the headers, event couldn't find the status code returned from the controller.

Well, actually you can if you cast that ServerHttpResponse to ServletServerHttpResponse.

(It must be ServletServerHttpResponse based on the how the ResponseBodyAdvice is called , you can see that ServerHttpResponse passed to ResponseBodyAdvice is actually an ServletServerHttpResponse in this method).

So simply implement a ResponseBodyAdvice and no need to wrap the HttpServletResponse anymore : 

@ControllerAdvice
public class FooBodyAdvice implements ResponseBodyAdvice {

    @Override
    public boolean supports(MethodParameter returnType, Class converterType) {
        return true;
    }

    @Override
    public Object beforeBodyWrite(Object body, MethodParameter returnType, MediaType selectedContentType,
            Class selectedConverterType, ServerHttpRequest request, ServerHttpResponse response) {

        if(response instanceof  ServletServerHttpResponse) {

            ServletServerHttpResponse res= (ServletServerHttpResponse)(response);
            res.getServletResponse().getStatus(); //get the status code

            res.getHeaders().set("fooHeader", "fooValue"); //modify headers
            res.getHeaders().setETag("33a64df551425fcc55e4d42a148795d9f25f89d4") //use "type safe" methods to modify header 
        }

        return body;
    }
}
Improve this answer

Comments

3

Well, Java shows you the HTTP response as an Object for which you can alter the different fields independently.

But what is actually exchanged between the server and the client is a byte stream, and headers and sent before the body. That is the reason why the HttpResponse has the isCommitted() method : the response is committed when headers have been sent. And of course once it is committed, you can no longer add of modify headers. And the servlet container may commit and flush the response once enough characters have been written to the body.

So trying to change headers is unsafe after the request have been processed. It could work only if request has not been committed. The only case where it is safe is when the controller does not write the response itself and just forwards to a view. Then in the postHandle interceptor method, the response has not been committed, and you can change headers. Otherwise, you must test isCommitted(), and if it returns true ... then it is too late to change headers !

Of course in that case, neither an interceptor nor a filter could do anything ...

Improve this answer

Comments

2

If checking status code is not required then you can just add those headers on preHandle method (as Spring commits response before postHandle fires, so adding them in postHandle will not work for response returned from @ResponseBody marked controller method):

public class ControllerHandleInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
       if (handler instanceof HandlerMethod) {
          response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); 
          response.setHeader("Pragma", "no-cache"); 
          response.setHeader("Expires", "0"); 
       }

       return true;
    }

    // other code...
}
Improve this answer

Comments

0

You can implement a ServletFilter and just wrap the original response object.

This will allow you to defer the actual writing of the response and add your custom headers.

On the other hand: This looks a bit like the Spring Security Processing chain.

Improve this answer

2 Comments

Do you have any example for wrapping the response object?
As Ian Roberts stated below: docs.oracle.com/javaee/7/api/javax/servlet/http/…

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.