Description
Summary
In Spring Security 4.2.4 or earlier, HeaderWriterFilter writes its headers before the rest of the filter chain is processed.
However, commit f81b581#diff-57c0f670220b7f4e45a0d1252a99b482 in 4.2.5 moved header writing to the response.onResponseCommitted phase. This breaks existing code that writes custom values for headers already managed by the configured HeaderWriters, because the HeaderWriters now run last and overwrite them. For example:
I have some URLs intended to be embedded in frames. In 4.2.4 or earlier, I could overwrite the default value from XFrameOptionsHeaderWriter as follows:

```java
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;

public ModelAndView relogin(HttpServletResponse response) {
    ModelAndView mav = new ModelAndView();
    mav.setViewName("security/relogin");
    // Overwrite the `DENY` value written by XFrameOptionsHeaderWriter
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    return mav;
}
```

Now I have no easy way to set X-Frame-Options to SAMEORIGIN on dedicated URLs while applying DENY to the rest of the system.
Call sequence for the code snippet above in 4.2.5.RELEASE:

```
HeaderWriterFilter.doFilterInternal
  filterChain.doFilter
    response.setHeader in controller    <- manual header writing here (X-Frame-Options=SAMEORIGIN)
  response.onResponseCommitted          <- HeaderWriters write headers here (X-Frame-Options=DENY)
```

Resulting X-Frame-Options=DENY.
Call sequence for 4.2.4.RELEASE and earlier:

```
HeaderWriterFilter.doFilterInternal    <- HeaderWriters write headers here (X-Frame-Options=DENY)
  filterChain.doFilter
    response.setHeader in controller   <- manual header writing here (X-Frame-Options=SAMEORIGIN)
  response.onResponseCommitted
```

Resulting X-Frame-Options=SAMEORIGIN as expected.
Actual Behavior
response.setHeader in controller code no longer takes effect as it did before.
Expected Behavior
A manual response.setHeader in controller code overwrites the headers written by the HeaderWriters.
Configuration
N/A
Version
4.2.5.RELEASE
Sample
N/A