But that would be a security risk, no? I mean if user A has privileges to
read a certain resource and user B has not. The client implementation
may still decide to show user B the resource that is in the cache on the
basis that it is not private to user A. Am I wrong?
--
Unico
Stefan Lützkendorf wrote:
For GET requests it should not be sent by default. They should be
cacheable, I think, because it is the standard http GET.
I would prefer a configurable way. Maybe a Filter to be configured in
the web.xml.
Stefan
Unico Hommes wrote:
James Mason wrote:
http://issues.apache.org/bugzilla/show_bug.cgi?id=23497
It's about a year old. The patch looks innocuous, from the RFC:
"private Indicates that all or part of the response message is intended
for a single user and MUST NOT be cached by a shared cache."
Looks like a directive we ought to send not only with GET/HEAD but
with other read requests as well (PROPFIND/REPORT/SEARCH/etc). Except
perhaps when authentication is turned off or all users operate under
the same principal. Although I don't think our implementation has to
differentiate between these situations.
--
Unico
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
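The risk raised at the top of this message, as an added example that is not part of the original thread or of the project's code: a small model of an origin server that enforces per-user read permissions, sitting behind a shared cache keyed only by URL. It assumes a cache that stores any 200 response not marked private or no-store; the names (origin, SharedCache, the ACL and body data) are constructed for illustration.

```python
# Constructed model: an origin with per-user ACLs behind a shared cache.
ACL = {"/files/report.txt": {"alice"}}          # constructed sample data
BODY = {"/files/report.txt": "alice's report"}  # constructed sample data


def origin(path, user, send_private):
    """Origin server: enforces the ACL and optionally marks responses private."""
    if user not in ACL.get(path, set()):
        return 403, {}, "forbidden"
    headers = {"Cache-Control": "private"} if send_private else {}
    return 200, headers, BODY[path]


class SharedCache:
    """Shared cache keyed by URL only; it has no knowledge of the origin's ACL."""

    def __init__(self, send_private):
        self.store = {}
        self.send_private = send_private

    def get(self, path, user):
        if path in self.store:
            # Cache hit: answered without consulting the origin's access check.
            return self.store[path]
        status, headers, body = origin(path, user, self.send_private)
        value = headers.get("Cache-Control", "")
        directives = {d.strip().lower() for d in value.split(",")}
        # A shared cache must not store a response marked private.
        if status == 200 and not directives & {"private", "no-store"}:
            self.store[path] = (status, headers, body)
        return status, headers, body


def bob_sees_after_alice(send_private):
    """Status bob receives for a resource only alice may read, after alice fetched it."""
    cache = SharedCache(send_private)
    cache.get("/files/report.txt", "alice")
    return cache.get("/files/report.txt", "bob")[0]


if __name__ == "__main__":
    print("without private:", bob_sees_after_alice(False))
    print("with private:   ", bob_sees_after_alice(True))
```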