HTTP Header 'Authorization: Bearer eyJ0eXAiOiJK........7rkFMLiRXERZwkT0' is not allowed in responses

Question

After migrating to Play 2.6 I get this log warning:

HTTP Header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1.....
JYsNqGyU2iHU1sh3A6Gtk_4jY' is not allowed in responses,
you can turn off this warning by setting `play.server.akka.illegal-response-header-value-processing-mode = ignore`

According to this discussion: playframework/issues/7549 this should be resolved.

Also adding the proposed play.server.akka.illegal-response-header-value-processing-mode = ignore did not get rid of this message.

The Header is added by "com.pauldijou" %% "jwt-play" % "0.16.0".

Answer 1

You can get rid of the warning without adding akka.http.parsing.modeled-header-parsing = off:

Rename the request attribute Authorization to a name that is not an official request attribute, for example MyAuthorization.

In my case I needed to add this property:

play.http.session.jwtName="MyAuthorization"

Answer 2

It's closed as referrenced to akka, and fixed in akka, but akka HTTP with that fix still not merged into the play.

So https://github.com/playframework/playframework/issues/7549

Fixed as referenced to https://github.com/akka/akka-http/issues/1550

That is fixed by pool request https://github.com/akka/akka-http/pull/1577

The fix is introducing the akka.http.parsing.modeled-header-parsing settings, that handles the headers parsing in the akka. It looks like it needs to be set to off to fix your issue:

akka.http.parsing.modeled-header-parsing = off  

The akka-http setting right after the fix commit: https://github.com/jrudolph/akka-http/blob/f0aca4d7b9e09c63ebc7fc1ae0174b4102f6958d/akka-http-core/src/main/resources/reference.conf

But, this fix in akka still not integrated into play:

https://github.com/playframework/playframework/issues/7737 https://github.com/playframework/playframework/pull/8296