Ok, I know I've been doing this for a while and should probably know better,
but....

Since long ago (4.x?), at the guidance of some long-gone developers, I've been 
adding the following to our app_context.xml file for instances where we are 
expecting to use SSL protocol for communications.  Note we are not using 
SSL-Client-Authentication, which is what I've recently discovered this valve 
actually implements. I actually use a security-constraint to force the 
conversation to the SSL port.  So with that background, am I getting any 
beneficial side-effects from this, and, if so, is there a better way to get the 
same results?
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
        securePagesWithPragma="false" />
From the definition of the parameter, I am at least turning off some
IE-incompatible headers that control proxy-caching.

FYI: Currently deployed on Tomcat 6.0.27 and higher, and starting the 
transition to Tomcat 7.0.latest.

Jeff
