Mark Leone <midnightjava <at> cox.net> writes:

> BTW, switching gears, I should have mentioned the following in my
> previous email. I suspect that the IE workaround you described will only
> work for SSL connections. Tomcat (and presumably any other good HTTP
> server) will set the cache control headers to prevent caching of any
> response generated from a protected context (i.e. one in which there is
> a <security-constraint> element), whether the connection is made with
> HTTPS (i.e., SSL) or HTTP. The IE option you described seems to apply
> only to encrypted data, so it probably won't help IE users who are
> trying to download files from a protected context via HTTP.

Correction to my previous post: The work-around apparently is not needed for non-SSL connections. I did a little experiment and found that IE doesn't have a problem with non-SSL responses that include headers with the "no-cache" cache directive.

This alleviates the security concern I raised, since Tomcat can be configured to prohibit caching from protected contexts for non-SSL connections, and this behavior only needs to be overridden for SSL connections to satisfy IE, which I guess is not as problematic from a security standpoint. It's still a compatibility issue, IMO, since implementers will regularly encounter the problem with SSL connections and wonder what is going on.

Also, Mary Beth, I was unable to duplicate your results with unchecking the "don't allow encrypted data to be cached to disk" option. I commented out the <valve> in server.xml so that IE was not working properly for SSL file downloads. Then I unchecked the aforementioned option in IE, and it did not fix the problem. I'm wondering if you're dealing with a different issue. I'd like to know if you apply the <valve> fix in server.xml, and if it solves your problem. Did you do anything else to make IE work without the <valve> in server.xml?

-Mark
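
An added example, not taken from this thread or from the Tomcat project: the thread does not show the valve that was used, so the fragment below assumes a BASIC-authenticated context (the path is constructed) and uses the `disableProxyCaching` and `securePagesWithPragma` attributes of Tomcat's authenticator valves, in Tomcat versions that support them. It contrasts switching the cache headers off entirely with the narrower setting that still keeps shared caches from storing protected responses.

```xml
<!-- Alternative A (weaker): the authenticator stops adding cache-control
     headers to responses from security-constrained resources. Browsers and
     intermediate proxies may then cache protected content, on HTTP as well
     as HTTPS connections. -->
<Context path="/protected">  <!-- constructed path -->
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         disableProxyCaching="false" />
</Context>

<!-- Alternative B (narrower): proxy protection stays on, but responses from
     constrained resources carry "Cache-Control: private" in place of
     "Pragma: No-cache" and "Cache-Control: no-cache". Shared proxies are
     still told not to store the response; only the requesting browser may
     keep a copy. -->
<Context path="/protected">  <!-- constructed path -->
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         disableProxyCaching="true"
         securePagesWithPragma="false" />
</Context>
```

Use one alternative or the other, with the `className` matching the authentication method declared in the application's `web.xml`, and confirm the result by inspecting the response headers on both the HTTP and the HTTPS connector.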