DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=6709. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=6709

--- Additional Comments From [EMAIL PROTECTED] 2003-10-05 18:20 ---
*** Bug 7715 has been marked as a duplicate of this bug. ***

--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2003-03-27 17:13 ---
Please help. Does anyone know how to set the flag named disableProxyCaching in the Authenticator object?
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2003-03-27 18:28 ---
Assuming that you are using Form authentication,

    <Context ...>
      <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
             disableProxyCaching="true" ... />
      ...
    </Context>

For other types of authentication, replace FormAuthenticator with the correct class. Note that this option doesn't play well with the admin webapp.
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2003-03-26 18:33 ---
There is a flag named disableProxyCaching in AuthenticatorBase.java which when set to false prevents the default behavior of adding no-cache response headers to all constrained resources which are not protected by SSL. The question is: How can I set this flag?

PS: It seems to me that the default behavior should apply ONLY to resources that are subject to a security-constraint that specifies an auth-constraint. You could then explicitly specify public resources (i.e., list them in a security-constraint that has no auth-constraint) without preventing browsers and web proxies from caching them. This practice of using a security-constraint for every resource provides a clearer picture of your security model and allows you to use a catchall no-access constraint for the /* URL pattern.
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
[EMAIL PROTECTED] changed:

    What      |Removed            |Added
    CC        |                   |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED] 2002-05-07 10:01 ---
*** Bug 8773 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-04-25 17:21 ---
This default no-cache on secured resources has significant effects on the .ram files used by RealPlayer. These files must be cached when the browser passes control to RealPlayer, which then uses the cached file. I assume this kind of hand-off is similar with other (all?) external programs called by the browser. Netscape and Opera ignore the no-cache headers for the .ram files, but IE does not and RealPlayer cannot find the .ram file via IE.

To work around this, I had to create a servlet filter mapped to *.ram that sets the Cache-Control to private via response.setHeader("Cache-Control", "private"). This one setting proved sufficient for the .ram file info to pass to RealPlayer via the cached file.

Preventing caching and protecting web resources in the container should work together, but I question the assumption that the no-cache headers should be a mandatory part of the container's security responsibility. In other words, this assumes the container's job necessarily includes trying to manage how clients (and proxies) treat its resources once outside the container.

I would like to see this no-cache feature be optional. It is an important thing to be able to set, but there needs to be more control over its exact settings, and to what resources the settings should be applied. It could be great if this were fully configurable in Tomcat and the no-cache resource mappings could be described in the server.xml (or web.xml if it were added to the web app spec). Otherwise, servlet filters are a good way to implement this.

Thanks
J F
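
The filter workaround described in the message above, as an added example that is not part of the original post or of Tomcat's code. The class name PrivateCacheFilter and the cacheControl init-param are hypothetical, and the javax.servlet namespace is assumed; the filter refuses any configured value that would reopen caching by intermediate proxies.

```java
// Added example; PrivateCacheFilter and the cacheControl init-param are hypothetical names.
// web.xml: declare this class as a <filter> and add a <filter-mapping>
// whose <url-pattern> is *.ram, so only the hand-off files are affected.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class PrivateCacheFilter implements Filter {
    private String cacheControl = "private";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("cacheControl");
        if (configured == null) {
            return; // no override: keep "private"
        }
        String value = configured.trim().toLowerCase(java.util.Locale.ROOT);
        // Fail closed: a value without "private", or with "public", would let
        // intermediate proxies store resources from the protected area.
        if (!hasDirective(value, "private") || hasDirective(value, "public")) {
            throw new ServletException(
                    "cacheControl must include private and not public: " + configured);
        }
        cacheControl = value;
    }

    // True when the comma-separated Cache-Control value contains the directive.
    static boolean hasDirective(String headerValue, String name) {
        String[] directives = headerValue.split(",");
        for (int i = 0; i < directives.length; i++) {
            String directive = directives[i].trim();
            if (directive.equals(name) || directive.startsWith(name + "=")) {
                return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Overwrite the container's Cache-Control before the resource is served,
            // while the response headers can still be changed.
            ((HttpServletResponse) response).setHeader("Cache-Control", cacheControl);
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

With `Cache-Control: private` the browser may keep a local copy for the helper application while shared caches are still told not to store the response.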
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
[EMAIL PROTECTED] changed:

    What      |Removed            |Added
    CC        |                   |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED] 2002-04-06 11:52 ---
*** Bug 7715 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-03-05 10:20 ---
I also need it. I think that cache configuration parameters on the server should be the better approach.
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-03-04 23:28 ---
It is a problem for the container to assume that all constrained urls should not be cached by the browser since users sometimes want this behavior in IE. The configurable cache-control option planned by Remy should resolve the issue by allowing users to disable the cache-control header.

I was able to get around the problem for now by overwriting the header values in the beginning of my servlet service method since the container has already set the headers before the service method is called. Add the following lines to the beginning of your servlet service method to reenable the browser caching.

    response.setHeader("Pragma", "");
    response.setHeader("Cache-Control", "");
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-03-04 23:54 ---
Regarding Jonathan Pierce's comments. That's what I tried as well. Only, I think you also have to set the expires header as well. That worked for Netscape 6 and Internet Explorer 6, but, not for Netscape 4. i.e. with Netscape 4, if there is an expires header, even if it's blank, it expires the page.

Currently, I'm no longer having the problem though (I'm using the 2002-02-28 nightly build). I think Remy put some conditional code in AuthenticatorBase.java so that it only sets those headers if you're not using SSL. i.e. if isSecure() is false. In my case, I am using SSL. So, I'm OK now.

Thanks Remy.
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-03-05 00:08 ---
I'm using 4.0.4-b1 with SSL and IE browser and I still have the problem unless I add the modification to my servlet that I suggested above. In my case isSecure is true since I am using the iisapi connector through an SSL connection. I still need the promised configuration option for cache-control to be added.

Jonathan
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
[EMAIL PROTECTED] changed:

    What      |Removed            |Added
    Severity  |Normal             |Enhancement
    Component |HTTP/1.1 Connector |Catalina
    Priority  |Other              |Low

--- Additional Comments From [EMAIL PROTECTED] 2002-02-27 17:09 ---
There are some pictures / binary documents inside the protected area which could be confidential (and there's no way to know which are and which aren't). If we don't set the cache control, those documents could be cached by intermediate proxies.

I'll add a flag on the authenticator to allow disabling the cache-control (will default to no-cache, of course).
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
[EMAIL PROTECTED] changed:

    What      |Removed            |Added
    CC        |                   |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED] 2002-02-27 18:09 ---
*** Bug 6732 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-02-27 18:21 ---
I believe that there is a very simple way to enable caching of your image files without disabling security on the pages that link to those images. This same issue came up when we were implementing the Tomcat admin webapp in the HEAD branch. Basically, we left image files out of the security constraint using the following entries in the webapp's web.xml:

    <security-constraint>
      <display-name>Tomcat Server Configuration Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.do</url-pattern>
        <url-pattern>*.html</url-pattern>
      </web-resource-collection>
      . . .
    </security-constraint>

In the above, all of the webapp's jsp and html pages as well as all Struts actions are protected by the security constraint (and therefore have no-cache set). Whereas, all of the webapp's image files are not protected by the security constraint (and therefore are cached).

Hope that helps,
Patrick
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-02-27 21:11 ---
The solution to this bug should in my opinion allow a developer to override the caching settings that are specified by default by the server for resources that are protected by a security-constraint. You should be able to do this using one of Tomcat's settings files.

Allowing local caching of content that is served over SSL is a valid thing to do. Why is it that Tomcat's behavior is different than Apache HTTP Server with SSL? Apache HTTP Server with SSL does not add any cache control headers for content served over SSL.

I don't have an issue with the fact that by default caching is turned off. I think that it is a good thing, if it helps improve security. However, not having a way to change the setting is a design flaw/bug.

I also would still like to know why the expires header is being set. As far as I know you shouldn't have to set this header in order to turn off caching.
DO NOT REPLY [Bug 6709] - Images on protected areas have not Last modified header
--- Additional Comments From [EMAIL PROTECTED] 2002-02-27 21:22 ---
I can comment on the expires header. This is for IE browsers. Some versions of IE like to cache content (which gets cached on the local file system) regardless of the values set for the pragma and cache-control headers. The use of the expires header is a common hack to work around this.

As for disabling the no-caching behavior for SSL, I see no problem with that as long as the org.apache.catalina.net.SSLServerSocketFactory's clientAuth attribute in server.xml is set to false (the common case). The forcing of the no-caching behavior for SSL was an inadvertent effect of my implementation of the no-caching behavior. My intent was to only force this behavior when you are authenticating the ID of the user accessing a URI. My feeling is that if you allow anyone to access a URI but you are using SSL to protect the stream from eavesdropping by others, then caching should be OK.