DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2005-01-05 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://issues.apache.org/bugzilla/show_bug.cgi?id=6709.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=6709





--- Additional Comments From [EMAIL PROTECTED]  2003-10-05 18:20 ---
*** Bug 7715 has been marked as a duplicate of this bug. ***

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2003-03-27 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-27 17:13 ---
Please help. Does anyone know how to set the flag named disableProxyCaching in 
the Authenticator object?




DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2003-03-27 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-27 18:28 ---
Assuming that you are using Form authentication,

<Context ...>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         disableProxyCaching="true" ... />
  ...
</Context>

For other types of authentication, replace FormAuthenticator with the correct 
class.

Note that this option doesn't play well with the admin webapp.




DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2003-03-26 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-26 18:33 ---
There is a flag named disableProxyCaching in AuthenticatorBase.java which when 
set to false prevents the default behavior of adding no-cache response headers 
to all constrained resources which are not protected by SSL.

The question is: How can I set this flag?

PS: It seems to me that the default behavior should apply ONLY to resources 
that are subject to a security-constraint that specifies an auth-constraint. 
You could then explicitly specify public resources (i.e., list them in a 
security-constraint that has no auth-constraint) without preventing browsers 
and web proxies from caching them. This practice of using a security-constraint 
for every resource provides a clearer picture of your security model and allows 
you to use a catchall no-access constraint for the /* URL pattern.




DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-05-07 Thread bugzilla


[EMAIL PROTECTED] changed:

       What |Removed            |Added
  ----------+-------------------+-----------------
         CC |                   |[EMAIL PROTECTED]



--- Additional Comments From [EMAIL PROTECTED]  2002-05-07 10:01 ---
*** Bug 8773 has been marked as a duplicate of this bug. ***





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-04-25 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-04-25 17:21 ---
This default no-cache on secured resources has significant effects on the .ram 
files used by RealPlayer. These files must be cached when the browser passes 
control to RealPlayer, which then uses the cached file. I assume this kind of 
hand-off is similar with other (all?) external programs called by the browser. 
Netscape and Opera ignore the no-cache headers for the .ram files, but IE does 
not and RealPlayer cannot find the .ram file via IE.

To work around this, I had to create a servlet filter mapped to *.ram that sets 
the Cache-Control to private via response.setHeader("Cache-Control", "private"). 
This one setting proved sufficient for the .ram file info to pass to 
RealPlayer via the cached file.

Preventing caching and protecting web resources in the container should work 
together, but I question the assumption that the no-cache headers should be a 
mandatory part of the container's security responsibility. In other words, this 
assumes the container's job necessarily includes trying to manage how clients 
(and proxies) treat its resources once outside the container.

I would like to see this no-cache feature be optional. It is an important thing 
to be able to set, but there needs to be more control over its exact settings, 
and to what resources the settings should be applied. 

It could be great if this were fully configurable in Tomcat and the no-cache 
resource mappings could be described in the server.xml (or web.xml if it were 
added to the web app spec). Otherwise, servlet filters are a good way to 
implement this.

Thanks
J F
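
A servlet filter of the kind described in the comment above, written in Java against the Servlet 2.3 javax.servlet API. This is an added example, not code from the bug report or from Tomcat; the class name PrivateCacheFilter, the filter name and the optional maxAge init-param are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example; the class name and the "maxAge" init-param are hypothetical.
 * Map it in web.xml only to the resources that need local caching, e.g.:
 *
 *   <filter>
 *     <filter-name>PrivateCache</filter-name>
 *     <filter-class>PrivateCacheFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>PrivateCache</filter-name>
 *     <url-pattern>*.ram</url-pattern>
 *   </filter-mapping>
 */
public class PrivateCacheFilter implements Filter {

    // "private" allows the user's own browser cache to store the response
    // while still telling shared proxy caches not to store it.
    private String cacheControl = "private";

    public void init(FilterConfig config) throws ServletException {
        String maxAge = config.getInitParameter("maxAge");
        if (maxAge == null) {
            return;
        }
        try {
            int seconds = Integer.parseInt(maxAge.trim());
            if (seconds < 0) {
                throw new NumberFormatException("negative");
            }
            cacheControl = "private, max-age=" + seconds;
        } catch (NumberFormatException e) {
            throw new ServletException("maxAge must be a non-negative integer");
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Per the thread, the container has already added its no-cache
            // headers by the time application code runs; setHeader replaces
            // the Cache-Control value. Pragma and Expires are left untouched.
            ((HttpServletResponse) response).setHeader("Cache-Control", cacheControl);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
```

Keeping the mapping narrow means every other constrained resource still gets the container's default no-cache headers.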





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-04-06 Thread bugzilla


[EMAIL PROTECTED] changed:

       What |Removed            |Added
  ----------+-------------------+-----------------
         CC |                   |[EMAIL PROTECTED]



--- Additional Comments From [EMAIL PROTECTED]  2002-04-06 11:52 ---
*** Bug 7715 has been marked as a duplicate of this bug. ***





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-03-05 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-03-05 10:20 ---
I also need it. I think that cache configuration parameters on the server
should be the better approach.





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-03-04 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-03-04 23:28 ---
It is a problem for the container to assume that all constrained urls should 
not be cached by the browser since users sometimes want this behavior in IE. 
The configurable cache-control option planned by Remy should resolve the issue 
by allowing users to disable the cache-control header. I was able to get around 
the problem for now by overwriting the header values in the beginning of my 
servlet service method since the container has already set the headers before 
the service method is called. Add the following lines to the beginning of your 
servlet service method to reenable the browser caching.

  response.setHeader("Pragma", "");
  response.setHeader("Cache-Control", "");





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-03-04 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-03-04 23:54 ---
Regarding Jonathan Pierce's comments. That's what I tried as well. Only, I 
think you also have to set the expires header as well. That worked for 
Netscape 6 and Internet Explorer 6, but, not for Netscape 4. i.e. with 
Netscape 4, if there is an expires header, even if it's blank, it expires the 
page.

Currently, I'm no longer having the problem though (I'm using the 2002-02-28 
nightly build). I think Remy put some conditional code in 
AuthenticatorBase.java so that it only sets those headers if you're not using 
SSL. i.e. if isSecure() is false. In my case, I am using SSL. So, I'm OK now. 
Thanks Remy.





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-03-04 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-03-05 00:08 ---
I'm using 4.0.4-b1 with SSL and IE browser and I still have the problem unless 
I add the modification to my servlet that I suggested above. In my case 
isSecure is true since I am using the iisapi connector through an SSL 
connection. I still need the promised configuration option for cache-control to 
be added.

Jonathan





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-02-27 Thread bugzilla


[EMAIL PROTECTED] changed:

       What |Removed            |Added
  ----------+-------------------+------------
   Severity |Normal             |Enhancement
  Component |HTTP/1.1 Connector |Catalina
   Priority |Other              |Low



--- Additional Comments From [EMAIL PROTECTED]  2002-02-27 17:09 ---
There are some pictures / binary documents inside the protected area which could
be confidential (and there's no way to know which are and which aren't). If we
don't set the cache control, those documents could be cached by intermediate
proxies.
I'll add a flag on the authenticator to allow disabling the cache-control (will
default to no-cache, of course).





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-02-27 Thread bugzilla


[EMAIL PROTECTED] changed:

       What |Removed            |Added
  ----------+-------------------+-----------------
         CC |                   |[EMAIL PROTECTED]



--- Additional Comments From [EMAIL PROTECTED]  2002-02-27 18:09 ---
*** Bug 6732 has been marked as a duplicate of this bug. ***





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-02-27 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-02-27 18:21 ---
I believe that there is a very simple way to enable caching of your image files 
without disabling security on the pages that link to those images. This same 
issue came up when we were implementing the Tomcat admin webapp in the HEAD 
branch. Basically, we left image files out of the security constraint using the 
following entries in the webapp's web.xml:

  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.do</url-pattern>
      <url-pattern>*.html</url-pattern>
    </web-resource-collection>
    .
    .
    .
  </security-constraint>

In the above, all of the webapp's JSP and HTML pages as well as all Struts actions 
are protected by the security constraint (and therefore have no-cache set). 
Whereas, all of the webapp's image files are not protected by the security 
constraint (and therefore are cached).

Hope that helps,

Patrick





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-02-27 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-02-27 21:11 ---
The solution to this bug should in my opinion allow a developer to override 
the caching settings that are specified by default by the server for resources 
that are protected by a security-constraint. You should be able to do this 
using one of Tomcat's settings files.

Allowing local caching of content that is served over SSL is a valid thing to 
do.

Why is it that Tomcat's behavior is different than Apache HTTP Server with 
SSL? Apache HTTP Server with SSL does not add any cache control headers for 
content served over SSL.

I don't have an issue with the fact that by default caching is turned off. I 
think that it is a good thing, if it helps improve security. However, not 
having a way to change the setting is a design flaw/bug.

I also would still like to know why the expires header is being set. As far 
as I know you shouldn't have to set this header in order to turn off caching.





DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header

2002-02-27 Thread bugzilla


--- Additional Comments From [EMAIL PROTECTED]  2002-02-27 21:22 ---
I can comment on the expires header. This is for IE browsers. Some versions of 
IE like to cache content (which gets cached on the local file system) regardless 
of the values set for the pragma and cache-control headers. The use of the 
expires header is a common hack to work around this.

As for disabling the no-caching behavior for SSL, I see no problem with that as 
long as the org.apache.catalina.net.SSLServerSocketFactory's clientAuth attribute 
in server.xml is set to false (the common case).

The forcing of the no-caching behavior for SSL was an inadvertent effect of my 
implementation of the no-caching behavior. My intent was to only force this 
behavior when you are authenticating the ID of the user accessing a URI. My feeling 
is that if you allow anyone to access a URI but you are using SSL to protect the 
stream from eavesdropping by others, then caching should be OK.
