I have a problem with caching in my application.
When this code is added to the web.xml of Tomcat:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
I get this response:
Cache-Control: private
Date: Tue, 18 Feb 2014 01:18:17 GMT
Etag: W/"200-1391558564593"
Expires: Thu, 01 Jan 1970 00:00:00 WET
Server: Apache-Coyote/1.1
Without this code everything is fine:
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Length: 1496
Content-Type: text/css
Date: Tue, 18 Feb 2014 01:21:26 GMT
Etag: W/"1496-1391558561359"
Expires: Tue, 25 Feb 2014 01:21:27 GMT
Last-Modified: Wed, 05 Feb 2014 00:02:41 GMT
Server: Apache-Coyote/1.1
Can anyone tell me what causes the problem, and why this code changes the Cache-Control of my application to private? Thanks a lot.
Tomcat 7.0
JDK: 1.6
Whatever configuration you use, simply make sure that you are aware of the associated risks. Poorly secured web applications represent the single greatest security risk for Apache Tomcat.
As Tomcat is an active open source project, the easiest way to improve the security of your instance is to keep your version up to date and keep up with the Tomcat mailing lists. New bug fixes and security patches are added in every release, and new issues that may apply to your infrastructure are discussed on the Tomcat mailing lists.
Tomcat is tested with the security manager enabled; but the majority of Tomcat users do not run with a security manager, so Tomcat is not as well user-tested in this configuration. There have been, and continue to be, bugs reported that are triggered by running under a security manager.
Using JAASRealm gives the developer the ability to combine practically any conceivable security realm with Tomcat's CMA.
According to the Oracle Java EE 6 tutorial, specifying a user-data-constraint of "CONFIDENTIAL" is to be used "when the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission."
For HTTP responses, that would mean ensuring that no proxies/caches along the way, from the server back to the client, would be able to cache that response and provide it to any other requesting client. Thus the use of:
Cache-Control: private
While you might be tempted to use "INTEGRAL" instead of "CONFIDENTIAL", the same tutorial points out that many Java EE servers treat these two values identically.
If your application needs to allow caching, I suspect that you would need to remove the <user-data-constraint> element from your web.xml file.
Hope this helps!
So I'm wondering how I should configure a Tomcat application to have automatic SSL redirect, but with preserved caching of static resources? I mean the application going completely through SSL, along with static resources that should be cached.
It seems that after setting <url-pattern>/*</url-pattern> or even <url-pattern>/</url-pattern>, I cannot declare a different url-pattern with transport-guarantee NONE. Everything starting from my root URL now has Cache-Control: private anyway.
But I found a solution, working at least in Tomcat 7.0.55. These headers are fortunately set before the whole request is processed, so you can catch them in the very first application filter. When you reset the response there, you can set up your own headers and overwrite the existing ones:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Clears the status, headers and buffered body that Tomcat already set for this
    // response (including Cache-Control: private and the 1970 Expires header).
    response.reset();
    // Filters and servlets further down the chain now start from a clean response.
    chain.doFilter(request, response);
}
Then you can configure, for example, Tomcat's ExpiresFilter as the second filter, and there you can configure your own caching setup.
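A fuller version of the reset-filter idea from the answer above, written as an added example rather than code from the question or the answers: it only clears the Tomcat-set caching headers for static resources, so dynamic pages served under the security constraint keep their Cache-Control: private. The class name, the extension list and the isStaticResource helper are my own choices; it assumes the Servlet 3.0 API that ships with Tomcat 7 and compiles on JDK 1.6.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; map it in web.xml before ExpiresFilter so it runs first.
public class StaticCacheResetFilter implements Filter {

    // Constructed list of extensions treated as cacheable static content.
    private static final Set<String> STATIC_EXT =
            new HashSet<String>(Arrays.asList("css", "js", "png", "gif", "jpg", "ico"));

    // True when the last path segment ends in one of the static extensions.
    static boolean isStaticResource(String requestUri) {
        int dot = requestUri.lastIndexOf('.');
        int slash = requestUri.lastIndexOf('/');
        if (dot < 0 || dot < slash) {
            return false;
        }
        return STATIC_EXT.contains(requestUri.substring(dot + 1).toLowerCase());
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Tomcat has already put "Cache-Control: private" and "Expires: ... 1970" on this
        // response because the security-constraint matched. Drop them only for static files;
        // reset() would throw if the response were already committed, so guard against that.
        if (isStaticResource(req.getRequestURI()) && !resp.isCommitted()) {
            resp.reset(); // clears status, headers and any buffered body
        }
        chain.doFilter(request, response); // ExpiresFilter (next in chain) sets the real caching headers
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

Declare this filter's <filter-mapping> ahead of the ExpiresFilter mapping in web.xml, since Tomcat applies filters in mapping order.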