tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: How to enable secured JSP to be cached by browser?
Date Fri, 14 Feb 2003 07:13:10 GMT
It's been in there for quite some time, but I haven't had time to update the
docs :(.

You need to configure the Authenticator explicitly with something like:
<Context ......>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
              disableProxyCaching="false" />
</Context>

With the 'disableProxyCaching' attribute set to 'false', the Authenticator
won't add the additional headers to disable client-side (or proxy) caching.
In this case you are on your own, since Tomcat will assume that you know
what you are doing.

"Szwajkajzer Adam" <> wrote in message
Hi all.
I'm using Tomcat 4.1.18 (in a bundle with JBoss 3.0.5).
My application is configured to use declarative security (FORM based).
Here my problems start.
Each HTTP response for a secured JSP page gets amended by Tomcat.
Additional Pragma, Cache-Control and Expires header entries are inserted
to prevent the page from being locally cached.
I've found on that list that it is performed by the AuthenticatorBase class and was
done to prevent a security vulnerability.

The problem is with form pages in the following scenario:
User inserts data, submits form, server returns an application error.
User returns to form page but it is reread from server and of course it's
(User gets angry while retyping all form data;)

Since the application is only used in an intranet, it would be acceptable to
locally cache secured JSP pages.
So, is it possible to switch off the no-cache/expires feature in Tomcat 4.1.18?
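
Added example, not part of the original thread or of Tomcat's code: once disableProxyCaching="false" stops the Authenticator from adding the Pragma, Cache-Control and Expires headers, a check like this shows who may reuse each secured response. The header values and sample names are constructed assumptions; the thread gives only the header names.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def cache_exposure(headers, now=None):
    """Return who may reuse a response: 'none' (never stored), 'revalidate'
    (checked with the server before reuse), 'browser' (private caches only)
    or 'shared' (a proxy may serve it to other users)."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    directives = {}
    for part in h.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"')
    if "no-store" in directives:
        return "none"
    if "private" in directives:
        return "browser"
    if "no-cache" in directives:
        return "revalidate"
    # Pragma only counts when Cache-Control is absent (HTTP/1.0 behaviour).
    if "cache-control" not in h and "no-cache" in h.get("pragma", "").lower():
        return "revalidate"
    for key in ("s-maxage", "max-age"):
        if key in directives:
            age = directives[key]
            return "shared" if age.isdigit() and int(age) > 0 else "revalidate"
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            return "revalidate"  # an unparsable Expires means already expired
        return "shared" if expires > now else "revalidate"
    # No directives at all: a FORM login rides on a session cookie, which by
    # itself does not stop a shared cache from storing the page.
    return "shared"

# Constructed samples; header values are assumptions, not taken from the page.
SAMPLES = {
    "authenticator headers present": {"Pragma": "No-cache",
        "Cache-Control": "no-cache", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
    "headers off, nothing added": {"Content-Type": "text/html"},
    "headers off, app sends private": {"Cache-Control": "private"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {cache_exposure(hdrs)}")
```

A result of `shared` on a secured page is the case to fix in the application, for instance by sending `Cache-Control: private` itself.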
