Spring Security - No way to avoid cache-control

Question

I have an application and use a controller mapping of spring to load images to my users. (InputStream, response, etc).

In my controller I set headers to cache-control, baseaded on files, etc. But there's always pragma: no-cache and Cache-Control:"max-age=0" inside all requests, and that's replace my response settings.

I was trying everything to solve this, but nothing works.

I already read all page and try everything I found about that: http://docs.spring.io/autorepo/docs/spring-security/3.2.0.CI-SNAPSHOT/reference/html/headers.html

My spring security.xml has:

    <security:headers disabled="true"/>

Anyone have a good idea to solve this?

Remember that to load the images I need to load through my controller, I never call static directly.

Answer 1

The Cache-Control headers can be controlled on a per action basis by overriding them in the HttpServletResponse:

@RequestMapping(value = "/foo", method = RequestMethod.GET)
public String someAction(HttpServletResponse response) {
    response.setHeader("Cache-Control", "no-transform, public, max-age=86400");

    // ...
}

No need to fiddle with the Spring Security configuration.

See http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-cache-control.