I am trying to add some custom header parameters to a HTTP 303 (redirect) response. However, the new headers seem to be getting stripped from the response.

This code is meant to receive a request and returns a HTTP 303 response:

@POST
@Path("/authorize")
@Produces("application/x-www-form-urlencoded")
public Response getOAuthGrant(@HeaderParam(OAuth2.AUTHORIZATION)    @DefaultValue("") String authorization,
                              @HeaderParam(OAuth2.CLIENT_ID)        @DefaultValue("") String clientId,
                              @HeaderParam(OAuth2.CLIENT_SECRET)    @DefaultValue("") String clientSecret,
                              @HeaderParam(OAuth2.GRANT_TYPE)       @DefaultValue("") String grantType) throws InternalServerException, UnauthorizedException {

        OAuth2.validateGrantRequest(clientId, clientSecret, authorization, grantType);

        ApiTokenV2 apiTokenV2 = new ApiTokenV2();

        try {
            apiTokenV2 = TokenManager.getApiToken(clientId);

            if (apiTokenV2 != null) {
                apiTokenV2.generateAccessGrant(clientId);
            } else {
                logger.error("Error in TokenEndpoint. Retrieved token is null.");
                throw new InternalServerException("A server error occurred while trying to authorize the requester. Could not find 'generateAccessGrant' method");
            } 
        } catch (NamingException e) {
            throw new InternalServerException("A server error occurred while trying to authorize grant request. Could not find 'generateAccessGrant' method.", e);
        }

        return Response.status(Response.Status.SEE_OTHER)
                       .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
                       .header("Location", "/api/token")
                       .header("Authorization", "OAuth")
                       .header("Access-Grant", apiTokenV2.getAccessGrant())
                       .build();
}

What am I doing wrong here? Should I be using @Context instead?

What you are trying to do should work.

@POST
@Path("/authorize")
public Response authorize() {
    return Response.status(Response.Status.SEE_OTHER)
            .header(HttpHeaders.LOCATION, "/api/token")
            .header("X-Foo", "bar")
            .build();
}

Executing it with curl:

% curl -v -X POST http://localhost:8080/WebApplication1/rest/console/authorize
* About to connect() to localhost port 8080 (#0)
*   Trying ::1... connected
> POST /WebApplication1/rest/console/authorize HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 303 See Other
< X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Oracle Corporation/1.7)
< Server: GlassFish Server Open Source Edition 3.1.2.2
< Location: /api/token
< X-Foo: bar
< Content-Length: 0
< Date: Wed, 07 Nov 2012 08:20:24 GMT
< 
* Connection #0 to host localhost left intact
* Closing connection #0

As you can see, the response code is

303 See Other

and the interesing headers are set:

Location: /api/token
X-Foo: bar