Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify how to prevent overwriting Cache-Control when @SessionAttribute is used [SPR-13598] #18176

Closed
spring-projects-issues opened this issue Oct 22, 2015 · 4 comments
Assignees
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Milestone

Comments

@spring-projects-issues
Copy link
Collaborator

spring-projects-issues commented Oct 22, 2015

Tomoyuki Ikeya opened SPR-13598 and commented

#16413 and #7466 had many changes in Cache-Control headers.
One of the changes is to deprecate to set useCacheControlHeader as false with a comment "HTTP 1.1 cache-control header will be required, with the HTTP 1.0 headers disappearing".

On the other hand, we perhaps would like to prevent overwriting Cache-Control header by Spring MVC when using Spring Security and its <headers /> option.
My proposal is that setUseCacheControlHeader() should not be deprecated, or should provide other option that prevent overwriting it by Spring MVC.


Affects: 4.2 GA, 4.2.1, 4.2.2

Referenced from: commits 2b3ad21

2 votes, 3 watchers

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Oct 22, 2015

Tomoyuki Ikeya commented

I need to apologize for my mis-unsderstanding.
I changed the title and priority.

WebContentGenerator.setCacheSeconds(-1)
``` and ```java RequestMappingHandlerAdapter.setCacheSecondsForSessionAttributeHandlers(-1)
```  may be the solution for this. These methods have been implemented before v4.2.
Set cacheSeconds -1 not to generate Cache-Control header.
Former seconds is set -1 by default but latter seconds is set 0 by default so need to be manually configured when that case.

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Nov 4, 2015

Brian Clozel commented

Hello Tomoyuki Ikeya

Could you elaborate a bit more on the improvement you're looking for?

By default, SessionAttribute handlers are configured to send HTTP response headers in order to prevent caching (since the response itself depends on the session state).

I'd like to know more about what you're trying to achieve:

  • you'd like to keep HTTP1.0 headers in your application? Why so?
  • do you think that the HTTP headers used here to prevent HTTP caching aren't good enough compared to Spring Security? Why?

I guess you don't want to change that behavior by default, but rather see some documentation improvement.
What did you have in mind? What documentation were you reading?

Thanks for this report!

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Nov 5, 2015

Tomoyuki Ikeya commented

Hi Brian

I guess you don't want to change that behavior by default, but rather see some documentation improvement.
Exactly.

We often want to add Cache-Control header for all responses.
In such cases it is natural all Cache-Control headers have same directives. Spring Security's <headers /> is useful for these cases.
By default, Cache-Control directives generated by Spring 4.2 is different from the one by Spring Security.
Of course we can easily configure Cache-Control directives since Spring 4.2, but I thinks it is easier to rely completely on Spring Security.

Therefore, I would like to have options to disable Spring MVC's Cache-Control overwriting.
I was able to disable it in Spring 4.1, but Spring 4.2 deprecates the way.
It is better for javadoc or other documents to navigate how to disable Cache-Control overwriting in Spring 4.2 for old Spring users.

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Jan 22, 2016

Brian Clozel commented

I've found a way to explain this a bit better in the RequestMappingHandlerAdapter.setCacheSecondsForSessionAttributeHandlers javadoc.

Note that since #18440, we're not adding "Cache-Control" directives if they've been already added by the handler or a filter (before the request is dispatched to the servlet itself).

Thanks Tomoyuki Ikeya!
Let me know if you've found another place we should add that documentation bit.

@spring-projects-issues spring-projects-issues added type: enhancement A general enhancement in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.3 RC1 milestone Jan 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Development

No branches or pull requests

2 participants