RE: Tomcat, SSL, IE, and .pdf downloads

2005-06-08 Thread Panichi, Mary-Beth
I think that I'll be leaving the moral decisions to my network admins.
They can decide what they feel is the right answer with regard to
network security.  But it's good to know that there is a way to fix the
problem.

Thanks again to everyone for all the input!
-Mary Beth

-Original Message-
From: Mark Leone [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 07, 2005 9:24 PM
To: Tomcat Users List
Subject: Re: Tomcat, SSL, IE, and .pdf downloads


Mary-Beth, be advised that applying the fix in Tomcat is arguably the
moral equivalent of what you said you didn't want to do (i.e., uncheck
"don't allow encrypted data to be cached to disk" in IE). By inserting
the valve that ensures that the cache-control headers are not set,
you're not only permitting IE to cache the response, but you're also
permitting any HTTP intermediaries to do so. I wouldn't be concerned
about the former (since the user can control the browser cache), but the
latter can be an issue if you have HTTP intermediaries in the path and
you don't want any copies of the response hanging around.

It would actually be more secure to just uncheck the setting in IE
(since you indicated that works), and retain the no-cache behavior for
the HTTP intermediaries; but that's probably unworkable from an interop
standpoint. All IE users would have to configure their browser properly,
or they will be told that your site is unavailable.

The unfortunate reality is that because one particular user agent (IE)
is applying more restrictive caching behavior than is warranted by the
spec, the server has to relax the caching behavior where it really needs
to be restricted in many cases, if IE compatibility with default
settings is to be maintained. There's an important lesson here, but I
don't think the party that needs to learn it is listening.

-Mark

Mark Thomas wrote:

 This seems to be a popular subject today. Try looking at 
 http://marc.theaimsgroup.com/?l=tomcat-user&m=111811136603781&w=2

 Mark

 Panichi, Mary-Beth wrote:

 Greetings ~

 We're having issues downloading .pdf files in SSL.  I've been all over
 the web trying to find solutions.  The issue appears to be interaction
 between Tomcat and Internet Explorer.  IE appears to be corrupting the
 pdf files.  There's an IE patch out there, but we've patched past that.
 The fix that they list, to uncheck the "don't allow encrypted data to be
 cached to disk", works, but it's a setting that for security reasons we
 don't want to leave unchecked.

 I've tried all manner of setting headers for cache-control, etc.  We're
 dynamically generating the .pdf files, and streaming them to the jsp
 page.  I've tried also saving the pdf's physically to the server and
 then getting them, but that didn't work either.

 Has anyone run into this issue?  Does anyone have a solution?  I've seen
 lots of suggestions out there, but nothing that actually works.

 Thanks!

 Mary Beth Panichi



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
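
Mark Leone's point in the message quoted above, that stripping the cache-control headers opens the response to HTTP intermediaries as well as to the browser, can be checked per header set. The following is an added example, not part of the thread; the function names and sample header sets are constructed, the rules are a simplification of RFC 9111 for a 200 response to a GET, and the `private` case goes beyond what the thread discusses.

```python
# Added example: simplified HTTP caching rules (RFC 9111, sections 3 and 5.2.2)
# for a 200 response to a GET. The header sets below are constructed samples.

def parse_cache_control(value):
    """Return {directive: argument-or-None} with lower-cased directive names."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def cache_exposure(headers):
    """Report, per cache type, what the response headers permit.

    'browser' is the user agent's private cache; 'shared' is any intermediary
    that sees the plaintext response (for HTTPS, one that terminates TLS).
    'store' means a copy may be kept; 'reuse_unchecked' means that copy may be
    served again without first revalidating it with the origin server.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    store_private = "no-store" not in cc
    # 'private' forbids storage by shared caches only.
    store_shared = store_private and "private" not in cc
    # no-cache (and max-age=0) allow storage but force revalidation before reuse.
    must_check = "no-cache" in cc or cc.get("max-age") == "0"
    return {
        "browser": {"store": store_private,
                    "reuse_unchecked": store_private and not must_check},
        "shared": {"store": store_shared,
                   "reuse_unchecked": store_shared and not must_check},
    }


SAMPLES = {  # constructed response header sets
    "headers stripped": {"Content-Type": "application/pdf"},
    "no-cache": {"Cache-Control": "no-cache"},
    "no-store": {"Cache-Control": "no-store"},
    "private": {"Cache-Control": "private"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:17} {cache_exposure(hdrs)}")
```

With the headers stripped, nothing in the response forbids a shared cache from keeping and reusing a copy; `no-cache` still allows a stored copy but forces revalidation, and only `no-store` forbids storage outright.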



RE: Tomcat, SSL, IE, and .pdf downloads

2005-06-08 Thread Panichi, Mary-Beth
Another newbie question -- how do I tell which authenticator we're
using? Does Tomcat use a default one? I was looking at the API, but
there isn't enough explanation there. And I didn't see anything in the
Tomcat doco.

Thanks, 
-Mary Beth




Tomcat, SSL, IE, and .pdf downloads

2005-06-07 Thread Panichi, Mary-Beth
Greetings ~

We're having issues downloading .pdf files in SSL.  I've been all over
the web trying to find solutions.  The issue appears to be interaction
between Tomcat and Internet Explorer.  IE appears to be corrupting the
pdf files.  There's an IE patch out there, but we've patched past that.
The fix that they list, to uncheck the "don't allow encrypted data to be
cached to disk", works, but it's a setting that for security reasons we
don't want to leave unchecked.

I've tried all manner of setting headers for cache-control, etc.  We're
dynamically generating the .pdf files, and streaming them to the jsp
page.  I've tried also saving the pdf's physically to the server and
then getting them, but that didn't work either.

Has anyone run into this issue?  Does anyone have a solution?  I've seen
lots of suggestions out there, but nothing that actually works.

Thanks!

Mary Beth Panichi

