tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: [PROPOSAL] Add Post to the clear list for protected pages
Date Thu, 17 Jul 2003 04:15:32 GMT

----- Original Message -----
From: "Costin Manolache" <>
To: <>
Sent: Wednesday, July 16, 2003 8:38 PM
Subject: Re: [PROPOSAL] Add Post to the clear list for protected pages

> Bill Barker wrote:
> > At the moment (with the default settings), Tomcat 4.1.x and higher add
> > HTTP headers to non-SSL protected pages to prevent intermediate proxies
> > from
> > caching them.  According to the HTTP/1.1 RFC (and even the HTTP/1.0
> > POSTed pages are not allowed to be cached by proxies (for the obvious
> > reasons).  I'd like to add request.getMethod().equals("POST") to the
> > of conditions to *not* add the headers.
> Not sure I understand :-)
> The RFC requires that proxies don't cache POST requests. Are you saying
> we should *not* include the headers, because proxies will not cache anyway
> Or to add the headers ? And what does it has to do with SSL ?

I'm saying to *not* include the headers, because any compliant proxy will
not cache anyway.  At the moment, SSL connections do not set the headers
(since they also can't be cached), and that is the only current exception.

At the moment, hitting the "back" button in the browser to a protected
POSTed page forces you to re-post to view the page.  This is generally
a-bad-thing, since it results in you getting two copies of Madonna's CD (and
charged twice ;-).

> ( I'm +0 any way )
> Costin
> > I'm happy if I can do this in 5.x, and ecstatic if I can back-port it to
> > 4.1.x (since it almost removes my need to configure the Authenticator).
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View raw message