[
https://issues.apache.org/jira/browse/HTTPCLIENT-962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Moore updated HTTPCLIENT-962:
--------------------------------------
Attachment: authorized-responses.patch
The attached patch does the bare minimum to bring the implementation into
conditional compliance. Basically:
* added a new method isSharedCache to CachingHttpClient. Currently this is
hardcoded to return true. Eventually it would be good to have this be
configurable on instantiation.
* updated the ResponseCachingPolicy to not cache responses to requests with
Authorization headers
* added a set of protocol compliance tests to TestProtocolRequirements that are
conditional based on whether the cache indicates it is shared or not via
isSharedCache().
Further work probably includes:
* allowing caching of responses that are allowed even for shared caches
(s-maxage, must-revalidate, public).
* allowing caching of all authorized responses by a non-shared cache
This patch is contributed to the ASF with the permission of my employer.
> client cache may be a shared cache but is caching responses to requests with
> Authorization headers
> --------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-962
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-962
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: Cache
> Affects Versions: 4.1 Alpha2
> Reporter: Jonathan Moore
> Attachments: authorized-responses.patch
>
>
> " When a shared cache (see section 13.7) receives a request
> containing an Authorization field, it MUST NOT return the
> corresponding response as a reply to any other request, unless one
> of the following specific exceptions holds:
> 1. If the response includes the "s-maxage" cache-control
> directive, the cache MAY use that response in replying to a
> subsequent request. But (if the specified maximum age has
> passed) a proxy cache MUST first revalidate it with the origin
> server, using the request-headers from the new request to allow
> the origin server to authenticate the new request. (This is the
> defined behavior for s-maxage.) If the response includes "s-
> maxage=0", the proxy MUST always revalidate it before re-using
> it.
> 2. If the response includes the "must-revalidate" cache-control
> directive, the cache MAY use that response in replying to a
> subsequent request. But if the response is stale, all caches
> MUST first revalidate it with the origin server, using the
> request-headers from the new request to allow the origin server
> to authenticate the new request.
> 3. If the response includes the "public" cache-control directive,
> it MAY be returned in reply to any subsequent request."
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8
> It isn't clear whether the CachingHttpClient is a shared cache or not (it
> depends on where it gets used), so the conservative compliant behavior is to
> assume we are a shared cache. The current implementation is caching responses
> regardless of whether the original requests had Authorization headers or not.
> Patch and discussion forthcoming.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
