tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis van den Berg" <>
Subject RE: Invalid no-cache http headers
Date Thu, 27 Feb 2003 08:42:00 GMT

Your solution should work fine.
However, I consider this is a bug, and therefore I wondered if other people agree with me
on this point.
I used a simple Filter to work around the Tomcat bug;

 * <p>Title: </p>
 * <p>Description: Reset cache-control headers set by Tomcat.
 * These headers are set by newer Tomcat versions in the case
 * the request is for a protected URL. We consider this a bug
 * in Tomcat. If we do not reset these headers nothing will be
 * cached, so the back-button will not work properly, and also
 * in the 'open/save'-dialog, open will not work.</p>
 * @author Dennis van den Berg
 * @version 1.0
public class CacheControlFilter implements Filter {

  FilterConfig filterConfig = null;

  public void init(FilterConfig filterConfig) throws ServletException {
    this.filterConfig = filterConfig;

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
    /** reset headers set by new Tomcat Connector to enable caching
    HttpServletResponse httpResponse = (HttpServletResponse)response;
    chain.doFilter(request, response);

  public void destroy() {
    filterConfig = null;


Thanks for any replies,


-----Original Message-----
From: Szwajkajzer Adam []
Sent: donderdag 27 februari 2003 8:30
To: Dennis van den Berg
Subject: RE: Invalid no-cache http headers

I've found in previouse discussions that "no-cache" feature was added on purpose to "avoid
possible security problems".
I was told to use JBeans to maintain on server site JSP state.
There is no way to switch the feature of.

For my current project (intranet application) I just removed setHeader instructions from AuthenticatiorBase,
recompiled and had a prevoius behaviour.

Hope it helps.

Adam Szwajkajzer

> -----Original Message-----
> From: Dennis van den Berg []
> Sent: Wednesday, February 26, 2003 4:30 PM
> To:
> Subject: Invalid no-cache http headers
> Hi all,
> I encountered problems with the newer Tomcat 4 versions.
> There are caching-headers set on the response, in case of 
> URL's with security constraints, which are not set in older 
> Tomcat 4 versions versions. 
> This results in 2 things;
> - The user is not able to use the back-button anymore (This 
> page has expired, in IE6 anyway)
> - When you send a file as an attachement to the browser the 
> user gets an open/save dialog.
>   When the user presses open, the file is first put into the 
> cache and then opened (by IE6 anyway)
>   So this results in an 'file not found' message, because 
> caching is disabled.
> In the following method in 
> org.apache.catalina.authenticator.AuthenticatorBase:
>     public void invoke(Request request, Response response,
>                        ValveContext context)
>         throws IOException, ServletException {
> I found the following code-fragment:
>         // Make sure that constrained resources are not 
> cached by web proxies
>         // or browsers as caching can provide a security hole
>         if (disableProxyCaching && 
>             !(((HttpServletRequest) 
> hrequest.getRequest()).isSecure())) {
>             HttpServletResponse sresponse = 
>                 (HttpServletResponse) response.getResponse();
>             sresponse.setHeader("Pragma", "No-cache");
>             sresponse.setHeader("Cache-Control", "no-cache");
>             sresponse.setDateHeader("Expires", 1);
>         }
> I think this piece of code is the source of the problem.
> When I read the specs for HTTP, I think I can conclude there 
> are more applicable values for the "Cache-Control" header in 
> this case. For example "private" or "no-store".
> Did anyone else encounter any problems of this kind, or did I 
> overlook something?
> Thanks for any replies,
> Dennis
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message