Hi,
my initial observations suggest, and SO post [1] seems to confirm, that when

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

is specified on a security-constraint in web.xml, Tomcat does two things:

1. automatically redirects to HTTPS
2. appends Cache-Control: private and Expires: Thu, 01 Jan 1970 01:00:00 CET
   response headers

Is that correct?
I had added the CONFIDENTIAL because I want the redirect to HTTPS.
What I don't want is Tomcat overriding my caching headers and
effectively disabling browser caching.
Why in the world would those two things be conflated? And how do I
disable this header override behavior?
Does the disableProxyCaching attribute need to be set to false in order
to do that? [2]
I'm running the tomcat:8.0-jre8 on Docker.

[1] https://stackoverflow.com/questions/21829553/tomcat-security-constraint-impact-cache
[2] https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Basic_Authenticator_Valve/Attributes
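
Added example, not part of the original post: a configuration sketch for the setup the message describes, keeping the CONFIDENTIAL redirect while turning off the authenticator's cache-header override. It assumes the webapp declares no login-config (so the authenticator in play is NonLoginAuthenticator) and ships its own META-INF/context.xml; the url-pattern and resource name are placeholders.

```xml
<!-- WEB-INF/web.xml
     The constraint from the post. CONFIDENTIAL makes Tomcat redirect plain
     HTTP requests for matching URLs to the connector's HTTPS port.
     web-resource-name and url-pattern are assumed values. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- META-INF/context.xml
     Any matching security-constraint passes through the context's
     authenticator valve, which by default (disableProxyCaching="true")
     sets "Cache-Control: private" and an Expires date in the past on
     non-POST responses. Declaring the valve explicitly lets the
     attribute be changed. With a BASIC or FORM login-config, use
     BasicAuthenticator or FormAuthenticator as the className instead. -->
<Context>
    <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
           disableProxyCaching="false" />
</Context>
```

With the override off, Tomcat no longer marks constrained responses as non-cacheable, so pages carrying per-user or sensitive data need their own Cache-Control headers set by the application.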