Spring Boot swallowing Access-Control-Request-Headers on OPTIONS preflights

I have a REST Spring Boot application that has a very simple CORS filter. I want to be able to respond dynamically to the values in Access-Control-Request-Headers, not with a specific list. Common wisdom seems to be to explicitly define the values returned in "Access-Control-Allow-Headers"; however, we will be whitelisting a set of origins and want to allow any headers they send. I can't find a way to parrot the Access-Control-Request-Headers value back in the Access-Control-Allow-Headers header.

Here's the code

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {

        HttpServletResponse response = (HttpServletResponse) servletResponse;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, DELETE, OPTIONS"); // will need to enable other methods when/as implemented
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers",
                ((HttpServletRequest) servletRequest).getHeader("Access-Control-Request-Headers"));
        filterChain.doFilter(servletRequest, servletResponse);
    }

With this request and response from Chrome (when we hard-coded the Access-Control-Allow-Headers value):

Remote Address:10.199.240.16:443
Request URL:https://myapp.com/gradebooks/5566669e-e4b0-d05e-0150-98d7ffffffff/assignments/3ad7f1e7-679b-4d8b-856e-d2e3589eaad6
Request Method:OPTIONS
Status Code:200 OK

Response Headers
    Access-Control-Allow-Methods → POST, PUT, GET, DELETE, OPTIONS
    Access-Control-Max-Age → 3600
    Content-Type → application/hal+json; charset=UTF-8
    Date → Tue, 21 Jul 2015 20:42:29 GMT
    Server → Jetty(9.2.9.v20150224)
    Transfer-Encoding → chunked
    X-Application-Context → application

Request Headers
    Accept:*/*
    Accept-Encoding:gzip, deflate, sdch
    Accept-Language:en-US,en;q=0.8
    Access-Control-Request-Headers:accept, content-type
    Access-Control-Request-Method:PUT
    Connection:keep-alive
    Host:gbservices-api.dev-prsn.com
    Origin:http://localhost:3000
    Referer:http://localhost:3000/
    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36

      

This is the error:

XMLHttpRequest cannot load https://myapp.com/gradebooks/5566669e-e4b0-d05e-0150-98d7ffffffff/assignments/3ad7f1e7-679b-4d8b-856e-d2e3589eaad6 . The Content-Type request header field is not allowed by Access-Control-Allow-Headers.

What I found from debugging in the filter is that by the time the request hits the filter, there is no Access-Control-Request-Headers header, and only that header is missing. Misspell the header and it arrives, so it seems like something is intercepting the header and discarding it before it gets into my filter ...

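The design described in the question (a fixed set of allowed origins, with whatever headers they request being allowed) can be written so that nothing is reflected for unknown origins. This is an added example, not the asker's code: it assumes the javax.servlet API, and the class name and the origin values are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; the origins below are constructed sample values.
public class AllowlistCorsFilter implements Filter {
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(
            Arrays.asList("http://localhost:3000", "https://app.example.com"));
    // Comma-separated header-name tokens only, so no other text is ever reflected.
    private static final Pattern HEADER_LIST = Pattern.compile(
            "[!#$%&'*+.^_`|~0-9A-Za-z-]+(\\s*,\\s*[!#$%&'*+.^_`|~0-9A-Za-z-]+)*");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        // Exact-match allowlist: unknown origins get no CORS headers at all.
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.addHeader("Vary", "Origin"); // response differs per origin
            boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, DELETE, OPTIONS");
                response.setHeader("Access-Control-Max-Age", "3600");
                String requested = request.getHeader("Access-Control-Request-Headers");
                // Echo the requested header names only if present and well-formed.
                if (requested != null && HEADER_LIST.matcher(requested.trim()).matches()) {
                    response.setHeader("Access-Control-Allow-Headers", requested.trim());
                    response.addHeader("Vary", "Access-Control-Request-Headers");
                }
                response.setStatus(HttpServletResponse.SC_OK);
                return; // answer the preflight here instead of passing it down the chain
            }
        }
        chain.doFilter(req, res);
    }
}
```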