[ 
http://jira.dspace.org/jira/browse/DS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry Stone resolved DS-338.
----------------------------

    Resolution: Fixed

patch applied.

> Bitstream download allows caching of content that requires authorization to 
> read
> --------------------------------------------------------------------------------
>
>                 Key: DS-338
>                 URL: http://jira.dspace.org/jira/browse/DS-338
>             Project: DSpace 1.x
>          Issue Type: Bug
>          Components: XMLUI
>    Affects Versions: 1.5.2, 1.6.0
>         Environment: MacOS/Java 1.5/Oracle, Firefox3 client
>            Reporter: Larry Stone
>            Assignee: Larry Stone
>            Priority: Minor
>             Fix For: 1.6.0
>
>         Attachments: BitstreamReader-patch.txt
>
>
> The XMLUI requests to retrieve the contents of a Bitstream set an "Expires" 
> header in the response with a very long time, which itself looks like a bug 
> (the time is 60 hours, when the intent appears to be 1 hour).  The other 
> problem with this is that it sets "Expires:" even when the content is only 
> accessible through authorization, which results in the following bug caused 
> by aggressive browser caching: (this works best with a Bitstream that renders 
> in the browser, such as an image or plain text)
> 1. Clear browser history (in Firefox 3, use Tools->Clear private data... 
> dialog)
> 2. Logout of DSpace UI if logged in.
> 3. Attempt to view a Bitstream that does not have anonymous READ access; 
> you'll be redirected to the Login page.
> 4. Login, get redirected to the Bitstream.  Observe that its URL is the 
> DSpace home page, however, e.g.
>   http://dspace.my.edu/xmlui
> 5. If you check your browser's cache at this point (visit URL 
> about:cache?device=disk in Firefox3) observe that the content of this page is 
> cached with an expiry time of 60 hours from now.
> 6. Now go to another page such as http://dspace.my.edu/xmlui/community-list  
> and click "Logout".
> 7. Visit the home page (without trailing /) http://dspace.my.edu/xmlui and 
> observe you're looking at the protected Bitstream. 
> The attached patch fixes this behavior by skipping the "Expires:" response 
> header completely when the Bitstream is not anonymously readable.  It also 
> shortens the cache time to 1 hour, which will still prevent frequent reloads 
> from loading the server.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.dspace.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
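
Added example, not part of the original message or of the attached patch: a toy Java model of steps 3-7 of the report, showing why an "Expires" header on an authorization-protected response survives logout and why omitting it closes the hole. The names `serve`, `Browser` and `afterLogout` are hypothetical, the timestamp is constructed, and the browser is simplified to store only responses that carry "Expires".

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class ExpiresCacheDemo {
    /** A response as the toy browser sees it; expires is empty when no Expires header was sent. */
    record Response(String body, Optional<Instant> expires) {}

    /** Server side: hypothetical stand-in for the header decision, not the DSpace API. */
    static Response serve(String body, boolean anonymousRead, boolean patched, Instant now) {
        if (!patched) {
            // Reported behaviour: Expires 60 hours ahead, regardless of authorization.
            return new Response(body, Optional.of(now.plus(Duration.ofHours(60))));
        }
        // Patched behaviour: Expires only for anonymously readable content, 1 hour ahead.
        return new Response(body,
                anonymousRead ? Optional.of(now.plus(Duration.ofHours(1))) : Optional.empty());
    }

    /** Toy browser cache keyed by URL: a fresh entry is shown without asking the server. */
    static class Browser {
        private final Map<String, Response> cache = new HashMap<>();

        void receive(String url, Response r) {
            if (r.expires().isPresent()) cache.put(url, r); // simplification: no heuristic caching
        }

        String visit(String url, Instant now, String fromServer) {
            Response hit = cache.get(url);
            boolean fresh = hit != null && hit.expires().get().isAfter(now);
            return fresh ? hit.body() : fromServer;
        }
    }

    /** Steps 3-7 of the report: what the home page URL shows after logout. */
    static String afterLogout(boolean patched) {
        Instant login = Instant.parse("2009-10-01T12:00:00Z"); // constructed timestamp
        String home = "http://dspace.my.edu/xmlui";            // URL from the report
        Browser browser = new Browser();
        // Step 4: after login the protected bitstream arrives under the home page URL.
        browser.receive(home, serve("PROTECTED BITSTREAM", false, patched, login));
        // Steps 6-7: log out, then revisit the home page five minutes later.
        return browser.visit(home, login.plus(Duration.ofMinutes(5)), "home page");
    }

    public static void main(String[] args) {
        System.out.println("unpatched: " + afterLogout(false));
        System.out.println("patched:   " + afterLogout(true));
    }
}
```

The browser never consults the server for a fresh cache entry, so the session state at logout has no effect on what is displayed; only the headers sent with the original response do.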

       
