Posted to users@tomcat.apache.org by Jan Vávra <va...@602.cz> on 2013/07/16 09:55:25 UTC

Re: Form Authentication and Cache-Control

Hi.
  I've solved my problem. The correct attitude is to have all contexts 
unauthenticated and only a few restricted. In my case the restricted URLs are 
/index.jsp, /admin/*, /user/*

In the original web.xml I had all contexts restricted and the static context 
/common/* was masked out. Although /common/* was not under 
authentication, Tomcat was adding the Cache-Control: private, Expires: 
1.1.1970 headers.
So I personally think this is a bug.

Thanks to Christopher Schultz who gave me a clue.

Jan.



> ===========
> My app has these parts
> /*          - common authenticated content
> /user/* - content for user
> /admin/* - content for admin
> /common/* - common unauthenticated static content like images, css, etc
>
> My web.xml
>
> <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>MyApp</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>myapp-admin-role</role-name>
>       <role-name>myapp-user-role</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>MyApp</web-resource-name>
>       <url-pattern>/admin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>myapp-admin-role</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>MyApp</web-resource-name>
>       <url-pattern>/user/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>myapp-user-role</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <!-- do not authenticate common -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>MyApp</web-resource-name>
>       <url-pattern>/common/*</url-pattern>
>     </web-resource-collection>
>   </security-constraint>
>
>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/login_failed.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>
>   <security-role>
>     <role-name>myapp-admin-role</role-name>
>   </security-role>
>   <security-role>
>     <role-name>myapp-user-role</role-name>
>   </security-role>
>
>
> Jan.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Form Authentication and Cache-Control

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jan,

On 7/16/13 3:55 AM, Jan Vávra wrote:
> I've solved my problem. The correct attitude is to have all
> contexts unauthenticated and only a few restricted. In my case
> the restricted URLs are /index.jsp, /admin/*, /user/*
> 
> In the original web.xml I had all contexts restricted and the static
> context /common/* was masked out. Although /common/* was not
> under authentication, Tomcat was adding the Cache-Control: private,
> Expires: 1.1.1970 headers. So I personally think this is a bug.

No, you told Tomcat that the entire site was under a security
constraint. The fact that you didn't have any required roles was
irrelevant. The cache-control headers are added for
security-constrained resources.

Tomcat is behaving properly.

-chris

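The web.xml layout Jan describes as his fix, written out as an added illustration (not a file from the thread) and matching Chris's explanation: only the three paths that need a login carry a security constraint, and /common/* is not mentioned at all, so nothing marks it as security-constrained. Role names and login pages are taken from Jan's original web.xml; it is assumed that /index.jsp should be open to both roles, as the old /* rule was.

```xml
<!-- Only the paths that actually need a login carry a security constraint.
     Everything else (including /common/*) is left unconstrained, so Tomcat
     does not attach the Cache-Control: private / Expires headers to it. -->

<!-- Front page: either role may view it (assumed from the original /* rule). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApp index</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myapp-admin-role</role-name>
    <role-name>myapp-user-role</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApp admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myapp-admin-role</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApp user</web-resource-name>
    <url-pattern>/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myapp-user-role</role-name>
  </auth-constraint>
</security-constraint>

<!-- Deliberately no <security-constraint> for /common/*: a constraint with a
     web-resource-collection but no auth-constraint still marks the resource
     as security-constrained, which is what triggered the headers before. -->

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login_failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role><role-name>myapp-admin-role</role-name></security-role>
<security-role><role-name>myapp-user-role</role-name></security-role>
```

Because no constraint covers /* any more, any new path that must require a login has to be added to this list explicitly; an unlisted path is served without authentication.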