hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Moore (JIRA)" <j...@apache.org>
Subject [jira] Updated: (HTTPCLIENT-962) client cache may be a shared cache but is caching responses to requests with Authorization headers
Date Wed, 30 Jun 2010 20:05:50 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jonathan Moore updated HTTPCLIENT-962:
--------------------------------------

    Attachment: authorized-responses-2.patch

Ok, this patch does the work to allow caching of authorized responses that have s-maxage,
must-revalidate, or public parameters in their Cache-Control headers. If the CachingHttpClient
is a shared cache, this is the best we can do for this.

Still open: allowing the CachingHttpClient to be configured as a non-shared cache.

This patch is contributed to the ASF with the permission of my employer.


> client cache may be a shared cache but is caching responses to requests with Authorization
headers
> --------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-962
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-962
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: Cache
>    Affects Versions: 4.1 Alpha2
>            Reporter: Jonathan Moore
>         Attachments: authorized-responses-2.patch, authorized-responses.patch
>
>
> "      When a shared cache (see section 13.7) receives a request
>       containing an Authorization field, it MUST NOT return the
>       corresponding response as a reply to any other request, unless one
>       of the following specific exceptions holds:
>       1. If the response includes the "s-maxage" cache-control
>          directive, the cache MAY use that response in replying to a
>          subsequent request. But (if the specified maximum age has
>          passed) a proxy cache MUST first revalidate it with the origin
>          server, using the request-headers from the new request to allow
>          the origin server to authenticate the new request. (This is the
>          defined behavior for s-maxage.) If the response includes "s-
>          maxage=0", the proxy MUST always revalidate it before re-using
>          it.
>       2. If the response includes the "must-revalidate" cache-control
>          directive, the cache MAY use that response in replying to a
>          subsequent request. But if the response is stale, all caches
>          MUST first revalidate it with the origin server, using the
>          request-headers from the new request to allow the origin server
>          to authenticate the new request.
>       3. If the response includes the "public" cache-control directive,
>          it MAY be returned in reply to any subsequent request."
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8
> It isn't clear whether the CachingHttpClient is a shared cache or not (it depends on
where it gets used), so the conservative compliant behavior is to assume we are a shared cache.
The current implementation is caching responses regardless of whether the original requests
had Authorization headers or not.
> Patch and discussion forthcoming.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message