Ok, I know I've been doing this for a while and should probably know better, but....
Since long ago (4.x?), at the guidance of some long-gone developers, I've been adding the following to our app_context.xml file for instances where we are expecting to use SSL protocol for communications. Note we are not using SSL-Client-Authentication, which is what I've recently discovered this valve actually implements. I actually use a security-constraint to force the conversation to the SSL port.

So with that background, am I getting any beneficial side-effects from this, and, if so, is there a better way to get the same results?

    <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
           securePagesWithPragma="false" />

From the definition of the parameter, I am at least turning off some IE-incompatible headers that control proxy-caching.

FYI: Currently deployed on Tomcat 6.0.27 and higher, and starting the transition to Tomcat 7.0.latest.

Jeff