Home/ Questions/Q 8796473
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T23:37:52+00:00

Jersey client is not setting the origin header for me and I wonder if

  • 0

Jersey client is not setting the “origin” header for me and I wonder if I am missing anything.

String origin="http://www.localhost.com";
ClientResponse response= webResourceBuilder("my/endpoint")
            .header( "origin" , origin)
            .header("Access-Control-Request-Method", "POST")
            .header("xorigin", origin)
            .header("whatever", "test")
            .accept("application/xml")
            .get(ClientResponse.class);

When I inspect at runtime the request headers on the server side, I find “xorigin” and “whatever” headers, but not “origin” and “Access-Control-Request-Method”

How can I set these headers?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Default Jersey client uses HttpURLConnection to send requests to the server. HttpUrlConnection restricts some headers to be sent in a request, see:

    /*
 * Restrict setting of request headers through the public api
 * consistent with JavaScript XMLHttpRequest2 with a few
 * exceptions. Disallowed headers are silently ignored for
 * backwards compatibility reasons rather than throwing a
 * SecurityException. For example, some applets set the
 * Host header since old JREs did not implement HTTP 1.1.
 * Additionally, any header starting with Sec- is
 * disallowed.
 *
 * The following headers are allowed for historical reasons:
 *
 * Accept-Charset, Accept-Encoding, Cookie, Cookie2, Date,
 * Referer, TE, User-Agent, headers beginning with Proxy-.
 *
 * The following headers are allowed in a limited form:
 *
 * Connection: close
 *
 * See http://www.w3.org/TR/XMLHttpRequest2.
 */
private static final boolean allowRestrictedHeaders;
private static final Set<String> restrictedHeaderSet;
private static final String[] restrictedHeaders = {
    /* Restricted by XMLHttpRequest2 */
    //"Accept-Charset",
    //"Accept-Encoding",
    "Access-Control-Request-Headers",
    "Access-Control-Request-Method",
    "Connection", /* close is allowed */
    "Content-Length",
    //"Cookie",
    //"Cookie2",
    "Content-Transfer-Encoding",
    //"Date",
    //"Expect",
    "Host",
    "Keep-Alive",
    "Origin",
    // "Referer",
    // "TE",
    "Trailer",
    "Transfer-Encoding",
    "Upgrade",
    //"User-Agent",
    "Via"
};

    You have two options how to handle this situation:

    1. With the default Jersey client you need to set a system property

      -Dsun.net.http.allowRestrictedHeaders=true

      which suppresses removing restricted headers from the request.

    2. Use ApacheHttpClient/ApacheHttpClient4 which doesn’t seem to have this restriction. Simply add one of the following dependencies to your project:

      <dependency>
    <groupId>com.sun.jersey.contribs</groupId>
    <artifactId>jersey-apache-client</artifactId>
    <version>1.15</version>
</dependency>

      or

      <dependency>
    <groupId>com.sun.jersey.contribs</groupId>
    <artifactId>jersey-apache-client4</artifactId>
    <version>1.15</version>
</dependency>

      and then create your client like:

      ApacheHttpClient.create(com.sun.jersey.api.client.config.ClientConfig);

      or

      ApacheHttpClient4.create(com.sun.jersey.api.client.config.ClientConfig);
    • 0