tomcat-users mailing list archives

From Jan Vávra <va...@602.cz>
Subject Form Authentication and Cache-Control
Date Wed, 26 Jun 2013 11:36:18 GMT
Hello,
   If I use auth-method FORM, all requests return with headers denying 
caching on the browser side although I have excluded some part of my app 
from authentication.

The headers for a png image are:

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
ETag: W/"3907-1372233712661"
Date: Wed, 26 Jun 2013 11:06:17 GMT

If I add disableProxyCaching="false" to <Valve 
className="org.apache.catalina.authenticator.FormAuthenticator" 
characterEncoding="utf-8"/> in my context.xml, the response headers 
change to:

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
ETag: W/"3907-1372233712661"
Date: Wed, 26 Jun 2013 11:25:23 GMT
and the browser doesn't ask for this image on the next request.

Is it safe to override the default behaviour via disableProxyCaching?
Or am I missing something?
Or is there a best practice of placing images, CSS styles, etc. into another 
application?


===========
My app has these parts:
/*          - common authenticated content
/user/* - content for user
/admin/* - content for admin
/common/* - common unauthenticated static content like images, css, etc

My web.xml

<security-constraint>
     <web-resource-collection>
       <web-resource-name>MyApp</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>myapp-admin-role</role-name>
       <role-name>myapp-user-role</role-name>
     </auth-constraint>
   </security-constraint>

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>MyApp</web-resource-name>
       <url-pattern>/admin/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>myapp-admin-role</role-name>
     </auth-constraint>
   </security-constraint>

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>MyApp</web-resource-name>
       <url-pattern>/user/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>myapp-user-role</role-name>
     </auth-constraint>
   </security-constraint>

   <!-- do not authenticate common -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>MyApp</web-resource-name>
       <url-pattern>/common/*</url-pattern>
     </web-resource-collection>
   </security-constraint>


   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/login_failed.jsp</form-error-page>
     </form-login-config>
   </login-config>

   <security-role>
      <role-name>myapp-admin-role</role-name>
    </security-role>
    <security-role>
      <role-name>myapp-user-role</role-name>
   </security-role>


Jan.
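As an added example (not from the post, and not Tomcat code), a small header audit that checks a response against the web.xml constraints above: paths under an auth-constraint must not be storable by shared caches, while the unauthenticated /common/* paths should be. The prefix table, the request paths and the second response are constructed assumptions; the first response follows the headers quoted in the post.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Prefix view of the web.xml constraints above (constructed): True = auth-constraint present.
CONSTRAINTS = {"/": True, "/admin/": True, "/user/": True, "/common/": False}

def requires_auth(path):
    """Longest matching path prefix wins, as servlet url-pattern matching does."""
    best = max((p for p in CONSTRAINTS if path.startswith(p)), key=len)
    return CONSTRAINTS[best]

def parse_headers(raw):
    """Turn a raw response head into a lower-cased dict; the status line is dropped."""
    lines = raw.strip().splitlines()[1:]
    return {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines if ":" in h)}

def shared_cache_allowed(headers):
    """True when nothing in the response forbids a shared proxy from storing it."""
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False
    expires = headers.get("expires")
    if expires:
        try:
            return parsedate_to_datetime(expires) > datetime.now(timezone.utc)
        except (TypeError, ValueError):
            return False  # an unparsable Expires counts as already expired
    return True  # no freshness information: heuristic caching is permitted

def audit(path, raw):
    """Return a finding, or None when the caching headers fit the constraint on the path."""
    cacheable = shared_cache_allowed(parse_headers(raw))
    if requires_auth(path) and cacheable:
        return f"{path}: protected response is storable by shared caches"
    if not requires_auth(path) and not cacheable:
        return f"{path}: unauthenticated static content is never cached"
    return None

# Constructed samples: headers as quoted in the post, then after disableProxyCaching="false".
PROXY_CACHING_DISABLED = """HTTP/1.1 304 Not Modified
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
ETag: W/"3907-1372233712661"
"""
PROXY_CACHING_ALLOWED = """HTTP/1.1 304 Not Modified
ETag: W/"3907-1372233712661"
"""
if __name__ == "__main__":
    for path, raw in [("/common/logo.png", PROXY_CACHING_DISABLED), ("/common/logo.png", PROXY_CACHING_ALLOWED),
                      ("/user/profile.jsp", PROXY_CACHING_ALLOWED)]:
        print(audit(path, raw) or f"{path}: ok")
```

The third case is the one to watch: switching disableProxyCaching off for the whole context also strips the headers from /user/* and /admin/* responses.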
