C
Chris Seidel
Hi,
wenn I add a security-constraint like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
to my web.xml, Tomcat automatically adds response headers which disable
caching.
This make sense, the data is confidential and shall not be cached anywhere.
But: IE is now no longer able to show files via plugins, because it is not
allowed to save the file into its cache and then transfer it to the
plugin. This is a known problem, one can disable this behaviour by setting
a registry key... Umpf.
Questions:
Why doesn't tomcat set this header if this security constraint does not
exist, but the url is a httpS-url? This makes no sense for me.
Why is Firefox be able to show the files via plugins? Is this a bug?
How can I configure tomcat not to set these headers?
Thank you.
wenn I add a security-constraint like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
to my web.xml, Tomcat automatically adds response headers which disable
caching.
This make sense, the data is confidential and shall not be cached anywhere.
But: IE is now no longer able to show files via plugins, because it is not
allowed to save the file into its cache and then transfer it to the
plugin. This is a known problem, one can disable this behaviour by setting
a registry key... Umpf.
Questions:
Why doesn't tomcat set this header if this security constraint does not
exist, but the url is a httpS-url? This makes no sense for me.
Why is Firefox be able to show the files via plugins? Is this a bug?
How can I configure tomcat not to set these headers?
Thank you.