Form Authentication and Cache-Control

Wed, 26 Jun 2013 04:37:05 -0700 

Hello,
If I use auth-method FORM, all requests return with headers denying caching on the browser side although I have excluded some part of my app from authentication. 

The headers for a png image are:

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
ETag: W/"3907-1372233712661"
Date: Wed, 26 Jun 2013 11:06:17 GMT


If I add disableProxyCaching="false" to <Valve 
className="org.apache.catalina.authenticator.FormAuthenticator" 
characterEncoding="utf-8"/> at my context.xml the response headers 
change to:


HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
ETag: W/"3907-1372233712661"
Date: Wed, 26 Jun 2013 11:25:23 GMT
and browser in the next request doesn't asks for this image.

Is it safe to override default bahaviour via disableProxyCaching?
Or I am something missing?

Or there is a best practice to place images, css styles into another 
application?



===========
My aps has these part
/*          - common authenticated content
/user/* - content for user
/admin/* - content for admin
/common/* - common unauthenticated static content like images, css, etc

My web.xml

<security-constraint>
    <web-resource-collection>
      <web-resource-name>MyApp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myapp-admin-role</role-name>
      <role-name>myapp-user-role</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyApp</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myapp-admin-role</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyApp</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myapp-user-role</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- do not authenticate common -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyApp</web-resource-name>
      <url-pattern>/common/*</url-pattern>
    </web-resource-collection>
  </security-constraint>


  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
     <role-name>myapp-admin-role</role-name>
   </security-role>
   <security-role>
     <role-name>myapp-user-role</role-name>
  </security-role>


Jan.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to