On 03/07/2025 11:18, Rolandas Karosas | Edrana Baltic wrote:
Hi,

On Apache Tomcat 10.1.42 with a configured SSL Connector,
a web application with Spring and Spring Security
returns the configured default Spring Security Cache-Control HTTP response headers:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0

But when I add to tomcat\conf\web.xml

      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>securedapp</web-resource-name>
                  <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
      </security-constraint>

The response contains:

Cache-Control: private

This occurs for HTTP GET requests.

Is this Tomcat 10 related behavior?

The same app on Tomcat 9 with the same security-constraint returns the correct headers.

Different value for securePagesWithPragma on the authenticator for the two systems being tested?

Mark
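
Where the attribute named in the reply is set, as an added example that is not part of the original thread or Tomcat's shipped configuration. Per the Tomcat valve documentation, `disableProxyCaching` defaults to true and `securePagesWithPragma` defaults to false, and with those defaults the authenticator adds `Cache-Control: private` to pages covered by a security constraint. The authenticator class and the file placement shown are assumptions.

```xml
<!-- Assumed placement: the webapp's META-INF/context.xml, or conf/context.xml
     to match a constraint added in the global conf/web.xml. -->
<Context>
  <!-- Assumption: with a security-constraint and no login-config, Tomcat installs
       NonLoginAuthenticator. If the app declares BASIC, FORM, etc., configure
       that authenticator class instead. Declaring the Valve explicitly lets you
       pin the attributes rather than rely on defaults that may differ between
       two installations. -->

  <!-- Defaults written out: this combination yields "Cache-Control: private"
       on constrained, non-POST responses. -->
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         disableProxyCaching="true"
         securePagesWithPragma="false" />
</Context>

<!-- Alternative 1: keep Tomcat's protection but have it send
     "Pragma: No-cache" and "Cache-Control: no-cache" instead of "private". -->
<Context>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         disableProxyCaching="true"
         securePagesWithPragma="true" />
</Context>

<!-- Alternative 2: Tomcat adds no cache headers of its own, so the
     application's headers (here Spring Security's no-store set) are the only
     ones sent. Use only when the application sets them on every constrained
     response; otherwise secured pages become cacheable by proxies. -->
<Context>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         disableProxyCaching="false" />
</Context>
```

Compare the effective values of these two attributes on the Tomcat 9 and Tomcat 10 installations before changing either, then confirm the result with a GET over HTTPS against a constrained URL.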

