http://issues.apache.org/bugzilla/show_bug.cgi?id=34560

           Summary: AuthenticatorBase tests and applies disableProxyCaching
                    even if no auth-constraints
           Product: Tomcat 5
           Version: 5.0.24
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

The web.xml contains

    <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>HTTP Non Protected Area</web-resource-name>
        <url-pattern>/favicon.ico</url-pattern>
        <url-pattern>*.gif</url-pattern>
        <url-pattern>*.js</url-pattern>
        <url-pattern>*.html</url-pattern>
        <url-pattern>*.css</url-pattern>
        <url-pattern>/css/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <url-pattern>/js/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>
          CONFIDENTIAL
        </transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Although it is https (CONFIDENTIAL), it doesn't have any <auth-constraint><role-name>...
yet the valve FormAuthenticator (extends AuthenticatorBase, 5.0.24, line 458) only tests for existence of constraints, not roles:

    if ((constraints == null) /* &&
        (!Constants.FORM_METHOD.equals(config.getAuthMethod())) */ ) {
        if (log.isDebugEnabled())
            log.debug(" Not subject to any constraint");
        context.invokeNext(request, response);
        return;
    }

    // Make sure that constrained resources are not cached by web proxies
    // or browsers as caching can provide a security hole
    HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
    if (disableProxyCaching &&
        // FIXME: Disabled for Mozilla FORM support over SSL
        // (improper caching issue)
        //!hsrequest.isSecure() &&
        !"POST".equalsIgnoreCase(hsrequest.getMethod())) {
        HttpServletResponse sresponse =
            (HttpServletResponse) response.getResponse();
        sresponse.setHeader("Pragma", "No-cache");
        sresponse.setHeader("Cache-Control", "no-cache");
        sresponse.setHeader("Expires", DATE_ONE);
    }

As a result, it is not allowing caching of static resources in the patterns. (Slow site performance)
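The distinction the report draws, between a constraint that merely matches and one that carries an <auth-constraint>, shown as an added Java example (not Tomcat's code and not a patch from this report). The Constraint class, the method names and the sample inputs are constructed for illustration.

```java
import java.util.List;

// Added illustration: Constraint is a hypothetical stand-in for a matched
// <security-constraint>, not Tomcat's own class.
public class CacheHeaderDecision {

    static final class Constraint {
        final boolean hasAuthConstraint;  // an <auth-constraint> element is present
        final String transportGuarantee;  // NONE, INTEGRAL or CONFIDENTIAL
        Constraint(boolean hasAuthConstraint, String transportGuarantee) {
            this.hasAuthConstraint = hasAuthConstraint;
            this.transportGuarantee = transportGuarantee;
        }
    }

    // Behaviour described in the report: any matched constraint triggers the headers.
    static boolean reportedBehaviour(List<Constraint> matched,
                                     boolean disableProxyCaching, String method) {
        return matched != null && disableProxyCaching
                && !"POST".equalsIgnoreCase(method);
    }

    // Behaviour the report implies: only constraints that require authentication count.
    static boolean authAwareBehaviour(List<Constraint> matched,
                                      boolean disableProxyCaching, String method) {
        if (matched == null || !disableProxyCaching
                || "POST".equalsIgnoreCase(method)) {
            return false;
        }
        for (Constraint c : matched) {
            if (c.hasAuthConstraint) {
                return true;   // protected content: keep it out of shared caches
            }
        }
        return false;          // transport-only constraint: leave caching alone
    }

    public static void main(String[] args) {
        // Constructed inputs: the static-file constraint from the web.xml above,
        // and a hypothetical constraint that does carry an <auth-constraint>.
        List<Constraint> staticFiles = List.of(new Constraint(false, "CONFIDENTIAL"));
        List<Constraint> protectedArea = List.of(new Constraint(true, "CONFIDENTIAL"));
        System.out.println("static, reported:      " + reportedBehaviour(staticFiles, true, "GET"));
        System.out.println("static, auth-aware:    " + authAwareBehaviour(staticFiles, true, "GET"));
        System.out.println("protected, auth-aware: " + authAwareBehaviour(protectedArea, true, "GET"));
    }
}
```

For the static-file constraint the two checks disagree (true versus false), which is the caching regression the report describes; for a constraint with an <auth-constraint> both still send the no-cache headers.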