Http Response headers missing in chrome, but with Postman they show up

By default CORS responses only exposes these 6 headers to scripts:

• Cache-Control
• Content-Language
• Content-Type
• Expires
• Last-Modified
• Pragma

To allow scripts to access other headers sent by the sever, the server needs to send the Access-Control-Expose-Headers Header.

The Access-Control-Expose-Headers response header indicates which headers can be exposed to scripts as part of the response by listing their names.

eg: Access-Control-Expose-Headers: Authorization, X-Foobar

You can tweak your web.xml file including this to allow the Authorization header to be accessed from the script that made the XHR:

<init-param>
  <param-name>cors.exposedHeaders</param-name>
  <par‌​am-value>Authorizati‌​on</param-value>
<ini‌​t-param>