Mark,
On 8/17/18 4:09 AM, Mark Thomas wrote:
> On 16/08/18 13:40, Martynas Jusevičius wrote:
>> Hi,
>>
>> my initial observations suggest, and SO post [1] seems to
>> confirm, that when
>>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>>
>> is specified on a security-constraint in web.xml, Tomcat does two
>> things:
>> 1. automatically redirects to HTTPS
>> 2. appends Cache-Control: private and Expires: Thu, 01 Jan 1970 01:00:00 CET
>> response headers
>>
>> Is that correct?
>
> It is broader than that. Tomcat adds those headers to any resource
> that is protected by any security constraint.
>
>> I had added the CONFIDENTIAL because I want the redirect to
>> HTTPS. What I don't want is Tomcat overriding my caching headers
>> and effectively disabling browser caching.
>
> Those headers shouldn't disable browser caching.

Expires: 1970 certainly effectively disables browser caching.

> They will mean the client has to revalidate the request. How
> relatively expensive that is will depend on the resources.
>
>> Why in the world would those two things be conflated?
>
> Security. Any resource protected by a security constraint should
> not be stored in a shared cache else information disclosure could
> occur.

I'm curious, too: I can understand the "Cache-Control" header, but why the "Expires" one? What about some CSS file that can surely be cached by the browser?

>> And how do I disable this header override behavior?
>>
>> Does disableProxyCaching attribute need to be set to false in
>> order to do that? [2]
>
> That would work. The consequence is that the application has to
> take responsibility for setting all of the caching headers -
> including those served by container servlets such as static
> resources and JSPs.

Is it possible for a servlet to override a single header -- say, the "Expires" header?
It might be nice to have a facility to allow applications to override maybe just this one header (or, optionally, just one *other* header). I glossed over the servlet spec and I don't see much in the way of proscriptions for precisely how to handle security-constraints, e.g. when it comes to setting headers.

This is an academic question for me... all of our static resources are served by httpd and not Tomcat, so those headers that are advantageous for caching are handled there and not in Tomcat.

-chris
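An added example, not code from the thread or from Tomcat itself: once `disableProxyCaching` is turned off on the authenticator Valve, the application has to set every caching header itself, as Mark describes above. The Filter below does that, keeping protected static assets out of shared caches with `private` while still allowing the browser to keep them, and refusing storage of everything else. The Valve snippet in the comment, the package name, the URL patterns treated as static and the max-age value are assumptions.

```java
// Assumed Valve configuration in META-INF/context.xml that hands caching
// headers back to the application (attribute name as discussed in the thread):
//   <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
//          disableProxyCaching="false"/>
package example; // assumed package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*")
public class CachingHeadersFilter implements Filter {

    private static final long STATIC_MAX_AGE_SECONDS = 3600; // assumed value

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isStaticAsset(path)) {
            // Static assets under a security constraint: the browser may keep them,
            // but "private" keeps them out of shared proxy caches.
            response.setHeader("Cache-Control", "private, max-age=" + STATIC_MAX_AGE_SECONDS);
            response.setDateHeader("Expires",
                    System.currentTimeMillis() + STATIC_MAX_AGE_SECONDS * 1000L);
        } else {
            // Dynamic, protected responses: do not store them anywhere.
            response.setHeader("Cache-Control", "no-store");
            response.setHeader("Pragma", "no-cache"); // for HTTP/1.0 caches
            response.setDateHeader("Expires", 0L);     // Thu, 01 Jan 1970 00:00:00 GMT
        }
        chain.doFilter(req, res);
    }

    // Assumed convention: static assets are identified by extension.
    static boolean isStaticAsset(String path) {
        return path.endsWith(".css") || path.endsWith(".js")
                || path.endsWith(".png") || path.endsWith(".woff2");
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Any servlet or JSP later in the chain can still call `setHeader` to replace a single header such as `Expires` for its own response, so this filter only supplies the defaults.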