DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=34560>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=34560 ------- Additional Comments From [EMAIL PROTECTED] 2005-12-02 03:05 ------- Let me try to be short and clear with the following summary. Transport constraints (CONFIDENTIAL, NONE) make it https or not. It has nothing to do with auth.constraints (identification of roles). In real life, you can be anonymous over http, anonymous over https, logged in over http, logged in over https. This is the orthogonality I was referring to, in case I wasn't clear. Now, the headers in questions are not about transport nor authentication at all. They are about caching. HOWEVER, caching must not occur in front of aurhenticated ressources, since the authentication must be challenged on every hit from end to end (user-agent to server). Therefore, anti-caching headers must be added only to authenticated ressources, NO MATTER what the transport constraint is. Sorry if I sound irritated, the issue is fairly simple. So is the fix. Without that fix, tomcat will never be able to perform well under https as demonstrated in the same xml above. The reality is horrible: all page components like css, js, gif, jpg, etc... served under https (to avoid mixed security page warnings) are polled every refresh. They may result in 304, but that is already too much since it took a full network round trip for every resource. Please trust me, it is night and day after we hacked in a 're-caching' servletfilter workaround. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]