From bugzi...@apache.org
Subject DO NOT REPLY [Bug 34083] New: - disableProxyCaching behaviour of authenticator causes problems
Date Sat, 19 Mar 2005 08:34:42 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34083>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34083

           Summary: disableProxyCaching behaviour of authenticator causes
                    problems
           Product: Tomcat 5
           Version: 5.5.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: mimo@proinet.pl


In my opinion this code enabled by default is a little bit too much. First,
if it's to protect security it should use just Cache-Control: private.
That's what "private" is designed for. However, this form adds numerous problems
for first-time Tomcat users. It is not a well-documented feature, and it is enabled
by default. It's incompatible with regular web server behaviour. It's bad
programming design. It's not the authenticator's responsibility to deal with
caching. The authenticator should just deal with authentication. The authenticator
should be fully transparent to other layers.

Results are:

* excessive server load - in our case JavaScript code put on a page caused the
page to be refreshed on every rollover element, resulting in a bad user experience,

* problems with opening dynamically generated files - for both Mozilla and IE
this causes problems - the file is already expired when downloaded to the
user, which results in problems that are hard to debug; usually such a file will
appear empty in Mozilla, and IE will just say it can't open it


        // Make sure that constrained resources are not cached by web proxies
        // or browsers as caching can provide a security hole
        if (disableProxyCaching && 
            // FIXME: Disabled for Mozilla FORM support over SSL 
            // (improper caching issue)
            //!request.isSecure() &&
            !"POST".equalsIgnoreCase(request.getMethod())) {
            response.setHeader("Pragma", "No-cache");
            response.setHeader("Cache-Control", "no-cache");
            response.setHeader("Expires", DATE_ONE);
        }

I would replace this code with just:

        // Make sure that constrained resources are not cached by web proxies
        // or browsers as caching can provide a security hole
        if (disableProxyCaching && 
            // FIXME: Disabled for Mozilla FORM support over SSL 
            // (improper caching issue)
            //!request.isSecure() &&
            !"POST".equalsIgnoreCase(request.getMethod())) {
            response.setHeader("Cache-Control", "private");
        }
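As an added illustration (my own code, not Tomcat's or the reporter's) of what the two header sets actually permit, the model below applies a simplified subset of the RFC 7234 storage and reuse rules (no-store, private, no-cache, Pragma, Expires; max-age is ignored) to Tomcat's default headers and to the proposed bare `Cache-Control: private`. The `COMBINED` header set is my suggestion, not something the report proposes.

```python
"""Model of the HTTP cache rules (RFC 7234 subset) the report argues about.
Added example, not Tomcat code: what a shared proxy and a browser cache may do
with Tomcat's default headers versus a bare "Cache-Control: private"."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DATE_ONE = "Thu, 01 Jan 1970 00:00:00 GMT"  # value Tomcat sends as Expires

@dataclass(frozen=True)
class Decision:
    storable: bool              # may this cache keep a copy of the response?
    reusable_unvalidated: bool  # may it serve that copy without revalidating?

def _directives(value):
    """'no-cache, max-age=0' -> {'no-cache', 'max-age'} (names, lower-cased)."""
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}

def cache_decision(headers, shared, now=None):
    """Storability/reuse for a shared (proxy) or private (browser) cache.
    Simplified: honours no-store, private, no-cache, Pragma, Expires; no max-age."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    now = now or datetime.now(timezone.utc)
    if "no-store" in cc:
        return Decision(False, False)
    if shared and "private" in cc:  # private: shared caches must not store it
        return Decision(False, False)
    # no-cache: may be stored, but each reuse needs a successful revalidation.
    # Pragma: no-cache is undefined for responses, but legacy caches honour it.
    must_revalidate = "no-cache" in cc or "no-cache" in _directives(h.get("pragma", ""))
    if "expires" in h:
        try:
            fresh = parsedate_to_datetime(h["expires"]) > now
        except (TypeError, ValueError):
            fresh = False  # unparseable Expires means "already stale"
    else:
        fresh = True  # no explicit freshness: heuristic freshness may apply
    return Decision(True, fresh and not must_revalidate)

# Constructed header sets: Tomcat's default from the snippet, the report's
# proposal, and (my suggestion, not the report's) one that keeps both properties.
TOMCAT_DEFAULT = {"Pragma": "No-cache", "Cache-Control": "no-cache", "Expires": DATE_ONE}
PROPOSED = {"Cache-Control": "private"}
COMBINED = {"Cache-Control": "private, no-cache"}

def compare(headers):
    return {"proxy": cache_decision(headers, shared=True),
            "browser": cache_decision(headers, shared=False)}
```

`compare(PROPOSED)` shows that with `private` alone a browser may serve the protected page from its own cache without revalidating, which is the "security hole" the original comment guards against, while `compare(COMBINED)` keeps proxies from storing it and still forces the browser to revalidate.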
