Bitstream download allows caching of content that requires authorization to read
--------------------------------------------------------------------------------
Key: DS-338
URL: http://jira.dspace.org/jira/browse/DS-338
Project: DSpace 1.x
Issue Type: Bug
Components: XMLUI
Affects Versions: 1.5.2, 1.6.0
Environment: MacOS/Java 1.5/Oracle, Firefox3 client
Reporter: Larry Stone
Assignee: Larry Stone
Priority: Minor
Fix For: 1.6.0
Attachments: BitstreamReader-patch.txt
The XMLUI requests to retrieve the contents of a Bitstream set an "Expires"
header in the response with a very long time, which itself looks like a bug
(the time is 60 hours, when the intent appears to be 1 hour). The other
problem with this is that it sets "Expires:" even when the content is only
accessible through authorization, which results in the following bug caused by
aggressive browser caching: (this works best with a Bitstream that renders in
the browser, such as an image or plain text)
1. Clear browser history (in Firefox 3, use Tools->Clear private data... dialog)
2. Log out of DSpace UI if logged in.
3. Attempt to view a Bitstream that does not have anonymous READ access;
you'll be redirected to the Login page.
4. Log in, get redirected to the Bitstream. Observe that its URL is the DSpace
home page, however, e.g.
http://dspace.my.edu/xmlui
5. If you check your browser's cache at this point (visit URL
about:cache?device=disk in Firefox3) observe that the content of this page is
cached with an expiry time of 60 hours from now.
6. Now go to another page such as http://dspace.my.edu/xmlui/community-list
and click "Logout".
7. Visit the home page (without trailing /) http://dspace.my.edu/xmlui and
observe you're looking at the protected Bitstream.
The attached patch fixes this behavior by skipping the "Expires:" response
header completely when the Bitstream is not anonymously readable. It also
shortens the cache time to 1 hour, which will still prevent frequent reloads
from loading the server.
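
An added sketch (not the attached BitstreamReader-patch.txt and not DSpace code) of the header policy the report describes: a one-hour "Expires" only for anonymously readable Bitstreams, and none otherwise. The class and method names are hypothetical, it uses java.time (Java 8 or later), and the "Cache-Control" lines are an assumption that goes beyond the patch, since a response with no "Expires" can still be cached heuristically.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration only: hypothetical names, not DSpace's BitstreamReader.
public class BitstreamCachePolicy {
    // Intended lifetime from the report: 1 hour (3600 s), not 60 hours (216000 s).
    static final Duration PUBLIC_TTL = Duration.ofHours(1);

    // HTTP-date (IMF-fixdate), always expressed in GMT.
    static final DateTimeFormatter HTTP_DATE = DateTimeFormatter
            .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.ENGLISH)
            .withZone(ZoneOffset.UTC);

    /** Caching headers for one Bitstream response. */
    static Map<String, String> cacheHeaders(boolean anonymousRead, Instant now) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (anonymousRead) {
            // Public content: shared and browser caches may keep it for an hour.
            headers.put("Expires", HTTP_DATE.format(now.plus(PUBLIC_TTL)));
            headers.put("Cache-Control", "public, max-age=" + PUBLIC_TTL.getSeconds());
        } else {
            // Authorization required: no Expires (as in the report's patch).
            // Assumption beyond the patch: also forbid storing the body at all.
            headers.put("Cache-Control", "private, no-store");
        }
        return headers;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2009-10-01T12:00:00Z"); // constructed timestamp
        Map<String, String> pub = cacheHeaders(true, now);
        Map<String, String> prot = cacheHeaders(false, now);
        System.out.println("anonymous READ: " + pub);
        System.out.println("protected:      " + prot);
        if (prot.containsKey("Expires")) {
            throw new IllegalStateException("protected Bitstream must not carry Expires");
        }
    }
}
```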