Hi,
On Apache Tomcat 10.1.42 with a configured SSL Connector, a web application
with Spring and Spring Security returns the configured default Spring Security
Cache-Control HTTP response headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
But when I add the following to tomcat\conf\web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
The response contains:
Cache-Control: private
This occurs for HTTP GET requests.
Is this Tomcat 10 related behavior?
The same app on Tomcat 9 with the same security-constraint returns the correct headers.
Tech:
x64 Windows 11 Pro (10.0.26100)
Apache Tomcat 10.1.42
Java 21