spring, cors, resteasy

Spring - Resteasy - Cors Double Access-Control-Allow-Origin header in response


I set up a web application with Spring 3 and Resteasy; since my resources require authentication, I am not allowed to use * as Access-Control-Allow-Origin. So I configured

org.jboss.resteasy.plugins.interceptors.CorsFilter

with the right origin domain. This works with a desktop client (Paw for macOS and others), but not with the browser (Chrome); the problem is that the response contains a double value for Access-Control-Allow-Origin, that is, the one I configured and '*'.

CorsFilter is not to blame because, even if you configure more than one origin, it always puts just one value for the header, the one which the request asked for.

I simply have no idea who's putting that extra (and wrong) header there; any idea where I could look? Please note that the double header occurs on GET requests but not on OPTIONS requests.


Solution

  • I finally found out there is a proprietary MessageBodyWriterInterceptor in the classpath which wrongly adds a header; now it's on me to remove that. One thing I learned is that if something happens only when there is a body to write, a good starting point is surely the rendering pipeline.
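
The symptom in the question (a desktop client accepts the response, Chrome rejects it) comes from the CORS check that only browsers perform. The sketch below is an added example, not code from the post or from Resteasy: it models that check over raw response headers, and the origin `https://app.example` and both sample responses are constructed.

```python
"""Added example: the browser's CORS origin check applied to raw response headers.
Sample responses are constructed; https://app.example is a placeholder origin."""

ACAO = "access-control-allow-origin"
ACAC = "access-control-allow-credentials"

def header_values(raw_response, name):
    """Return the value of every header line called `name`, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # first line is the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name:
            values.append(value.strip())
    return values

def cors_check(raw_response, origin, credentials):
    """Return (allowed, reason) the way a browser decides it."""
    values = header_values(raw_response, ACAO)
    if not values:
        return False, "no Access-Control-Allow-Origin header"
    if len(values) > 1:
        # Repeated lines are combined into one value, which can never
        # equal a single origin, so the browser blocks the response.
        return False, "multiple values: " + ", ".join(values)
    if values[0] == "*":
        if credentials:
            return False, "wildcard is not allowed with credentials"
        return True, "wildcard"
    if values[0] != origin:
        return False, "origin mismatch"
    if credentials and header_values(raw_response, ACAC) != ["true"]:
        return False, "Access-Control-Allow-Credentials is not true"
    return True, "origin allowed"

def build(*acao):
    """Build a constructed GET response with the given ACAO header lines."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: application/json",
             "Access-Control-Allow-Credentials: true"]
    lines += ["Access-Control-Allow-Origin: " + v for v in acao]
    return "\r\n".join(lines) + "\r\n\r\n{}"

ORIGIN = "https://app.example"
GOOD = build(ORIGIN)          # one header line, as CorsFilter alone emits
DOUBLE = build(ORIGIN, "*")   # the response described in the question

if __name__ == "__main__":
    for label, resp in (("single", GOOD), ("double", DOUBLE)):
        print(label, cors_check(resp, ORIGIN, credentials=True))
```

Running the same check over captured GET and OPTIONS responses shows which code path adds the second header line, which is how the body-rendering pipeline was narrowed down here.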