Cache-control headers within the controller are ignored with spring security #8949

Closed
czubin opened this issue Apr 20, 2017 · 7 comments
Labels: status: duplicate (a duplicate of another issue)

czubin commented Apr 20, 2017

Bug report:

Since Spring Boot 1.5, the 'Cache-Control' header can no longer be set within a controller using ResponseEntity.cacheControl().

The test and code below work under Spring Boot 1.4.5.

Security configuration:

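import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Intentionally empty; Spring Security's defaults (including its header writers) remain in effect.
    }
}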

Controller:

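import java.util.concurrent.TimeUnit;

import org.springframework.http.CacheControl;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

@Controller
public class ResourceEndpoint {
    @GetMapping("/users/{name}")
    public ResponseEntity<UserDto> getUser(@PathVariable String name) {
        // The controller asks for the response to be cacheable for 60 seconds.
        return ResponseEntity
          .ok()
          .cacheControl(CacheControl.maxAge(60, TimeUnit.SECONDS))
          .body(new UserDto(name));
    }
}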

Test:

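import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.context.embedded.LocalServerPort;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
// given() and ContentType come from REST Assured.

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = AppRunner.class)
public class ResourceEndpointIntegrationTest {
    @LocalServerPort
    private int serverPort; // port selected by WebEnvironment.RANDOM_PORT

    @Test
    public void givenServiceEndpoint_whenGetRequestForUser_shouldResponseWithCacheControlMaxAge() {
        given().when().get(getBaseUrl() + "/users/Michael").then().contentType(ContentType.JSON).and().statusCode(200).and().header("Cache-Control", "max-age=60");
    }
    private String getBaseUrl() {
        return String.format("http://localhost:%d", serverPort);
    }
}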

mbhave commented Apr 20, 2017

@czubin This seems to be happening because of this change in Spring Security: spring-projects/spring-security@57d7ad0. Previously, as can be seen in this commit, spring-projects/spring-security@242b831, Spring Security would only write the Cache-Control header if it was not set.

@philwebb This doesn't seem like a Boot issue, but more like something for Spring Security or Spring MVC. WDYT?
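
The behaviour described in the comment above (write the no-cache defaults only when Cache-Control is not already set) can be expressed as a custom `HeaderWriter`. This is an added example, not code from this thread or from Spring Security; `ConditionalCacheControlConfig` and `FallbackNoCacheHeaderWriter` are hypothetical names, and it assumes header writers run after the controller has set its headers.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;

@Configuration
@EnableWebSecurity
public class ConditionalCacheControlConfig extends WebSecurityConfigurerAdapter {

    /** Hypothetical writer: applies the no-cache defaults only when the handler set no caching header. */
    static class FallbackNoCacheHeaderWriter implements HeaderWriter {
        @Override
        public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
            // Assumption: this runs after the controller has populated the response
            // (for example at commit time). If writers run before the handler,
            // this check never matches and the defaults are always written.
            if (response.containsHeader("Cache-Control")
                    || response.containsHeader("Expires")
                    || response.containsHeader("Pragma")) {
                return; // the controller made an explicit caching decision; leave it alone
            }
            // Same values Spring Security's default cache-control writer emits.
            response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setHeader("Expires", "0");
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorization rules are omitted here, as in the configuration posted in this issue.
        http.headers()
                .cacheControl().disable()   // turn off the unconditional default writer
                .addHeaderWriter(new FallbackNoCacheHeaderWriter());
    }
}
```

With a writer like this, any endpoint that sets its own `Cache-Control` opts out of the no-store default, so per-user responses such as `/users/{name}` should use `CacheControl.maxAge(...).cachePrivate()` to keep them out of shared caches.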

@wilkinsona

I think this should have been fixed by spring-projects/spring-security@168f4b8 which is in Spring Security 4.2.2 (the default version in Boot 1.5.2).

@czubin What version of Spring Security are you using?

czubin commented Apr 21, 2017

@wilkinsona We are currently using the latest (1.5.2).

It seems to me that previously the headers were written after completion of the filter chain, which caused problems for users who flushed the response.

I'm going to use a workaround as specified in spring-projects/spring-security#2953

philwebb commented Apr 21, 2017

We think this duplicates spring-projects/spring-security#4199 so I'll close the issue for now. If you can create a sample that reproduces it with Spring Security 4.2.2 and Boot 1.5.3 please attach it and we'll re-open.

(edited with correct issue link)

czubin commented Apr 21, 2017

@philwebb Okay, I'll make an issue with the spring-security project. 1.5.3 has the same regression.

@philwebb

@czubin Thanks, can you paste a link to the issue that you create here so that we have a future breadcrumb trail?

czubin commented Apr 22, 2017

Made a new ticket spring-projects/spring-security#4307
