Hi.
I've solved my problem. The correct attitude is to have all contexts unauthenticated and only restrict a few. In my case the restricted URLs are /index.jsp, /admin/*, /user/*

In the original web.xml I had all contexts restricted and the static context /common/* was masked out. Although /common/* was not under authentication, Tomcat was adding the Cache-Control: private, Expires: 1.1.1970 headers.
So I personally think this is a bug.

Thanks to Christopher Schultz who gave me a clue.

Jan.



===========
My app has these parts:
/*        - common authenticated content
/user/*   - content for users
/admin/*  - content for admins
/common/* - common unauthenticated static content like images, css, etc.

My web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myapp-admin-role</role-name>
    <role-name>myapp-user-role</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApp</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myapp-admin-role</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApp</web-resource-name>
    <url-pattern>/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myapp-user-role</role-name>
  </auth-constraint>
</security-constraint>

<!-- do not authenticate common -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApp</web-resource-name>
    <url-pattern>/common/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login_failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>myapp-admin-role</role-name>
</security-role>
<security-role>
  <role-name>myapp-user-role</role-name>
</security-role>


Jan.
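As an added illustration (not code from the post or from Tomcat), the model below applies the servlet-spec rule for choosing the security constraint that governs a URL (exact match, then longest `/prefix/*`, then `*.ext`) to both layouts described above. Following the post's observation, it treats "some constraint matched" as the trigger for the cache headers, and it reconstructs the corrected layout from the post's first sentence; the sample paths are constructed.

```python
from typing import Optional

# (url-pattern, allowed roles); None means no <auth-constraint>, i.e. unauthenticated access
Constraint = tuple[str, Optional[frozenset[str]]]

ORIGINAL: list[Constraint] = [
    ("/*", frozenset({"myapp-admin-role", "myapp-user-role"})),
    ("/admin/*", frozenset({"myapp-admin-role"})),
    ("/user/*", frozenset({"myapp-user-role"})),
    ("/common/*", None),  # "masked out": a constraint that permits everyone
]

# Reconstructed from the post: everything open, only these three patterns restricted.
CORRECTED: list[Constraint] = [
    ("/index.jsp", frozenset({"myapp-admin-role", "myapp-user-role"})),
    ("/admin/*", frozenset({"myapp-admin-role"})),
    ("/user/*", frozenset({"myapp-user-role"})),
]


def best_match(constraints: list[Constraint], path: str) -> list[Constraint]:
    """Constraints sharing the single best-matching pattern for `path`."""
    exact = [c for c in constraints if c[0] == path]
    if exact:
        return exact
    prefixes = [c for c in constraints
                if c[0].endswith("/*") and (path == c[0][:-2] or path.startswith(c[0][:-1]))]
    if prefixes:
        longest = max(len(c[0]) for c in prefixes)
        return [c for c in prefixes if len(c[0]) == longest]
    return [c for c in constraints if c[0].startswith("*.") and path.endswith(c[0][1:])]


def evaluate(constraints: list[Constraint], path: str):
    """Return (matched, roles). matched=True means a constraint governs the URL (per the
    post, enough for Tomcat to add Cache-Control: private / Expires headers); roles is the
    union of allowed roles, or None when the URL can be fetched unauthenticated."""
    matched = best_match(constraints, path)
    if not matched:
        return False, None
    roles: set[str] = set()
    for _, allowed in matched:
        if allowed is None:          # a constraint without <auth-constraint> wins: permit all
            return True, None
        roles |= allowed
    return True, frozenset(roles)


if __name__ == "__main__":
    for path in ("/common/logo.png", "/index.jsp", "/admin/users.jsp", "/about.jsp"):
        print(f"{path:20} original={evaluate(ORIGINAL, path)}  corrected={evaluate(CORRECTED, path)}")
```

In the original layout /common/logo.png is matched (by /common/*) yet unauthenticated, which is exactly the combination the post saw the cache headers on; in the corrected layout no constraint matches it at all.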

