Something wrong with io.apiman.gateway.engine.beans.util.CaseInsensitiveStringMultiMap. The response headers start off with:
[Server=Jetty(9.2.19.v20160908), null, null, Date=Tue, 26 Sep 2017 16:08:00 GMT, null, Content-Type=text/html; charset=ISO-8859-1, null, null, null, X-RateMonitor-Limit=1000, null, WWW-Authenticate=Bearer realm="mytest", error="invalid_token", error_description="Token is not active", X-RateMonitor-Remaining=998, null, null, null, X-RateMonitor-Reset=3119, null, null, null, null, null, null, null, null, null, null, null, null, null, null, Cache-Control=must-revalidate,no-cache,no-store]
and after the CORS headers are merged, it's:
{Access-Control-Allow-Credentials => [true, Bearer realm="mytest", error="invalid_token", error_description="Token is not active"], Access-Control-Allow-Origin => [
http://blah.com, Jetty(9.2.19.v20160908)], Cache-Control => [must-revalidate,no-cache,no-store], Content-Type => [text/html; charset=ISO-8859-1], Date => [Tue, 26 Sep 2017 16:08:00 GMT], Server => [Jetty(9.2.19.v20160908)], WWW-Authenticate => [Bearer realm="mytest", error="invalid_token", error_description="Token is not active"], X-RateMonitor-Limit => [1000], X-RateMonitor-Remaining => [998], X-RateMonitor-Reset => [3119]}
The "Server" value and the Access-Control-Allow-Origin are somehow merged.