如何防止 Tomcat 部署的文件在浏览器中缓存?
我正在开发一个使用 Tomcat 6.0.10 的 Java/Struts 应用程序。 它是一个典型的 Web 应用程序,允许用户编辑某些表单并流式传输 PDF。 早些时候,我们补充道:
<security-constraint>
<web-resource-collection>
<web-resource-name>GeneralRequests</web-resource-name>
<url-pattern>/WR1/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
这样任何非流媒体页面都被强制进入 https 并且不被缓存(我们认为)。 系统中的流页面有一个单独的约束条目。
在最近对 IE6 的测试中,我们发现页面“有时”会被缓存,尽管我们还没有完全确定具体时间。 除了 CONFIDENTIAL 标志之外,我们还曾经拥有:
response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache,no-store,max-age=0");
response.setDateHeader("Expires", 1);
但我们删除了这些标志,因为它似乎会在 IE6 中导致丑陋的重新发布警告,并且我们认为 CONFIDENTIAL 传输保证还包括所有防止浏览器缓存的适当机制页面的。 我们宁愿把这个问题留给 Tomcat 来妥善处理。
做这些事情的“正确”方法是什么,这样我们将来就不会遇到(那么多)问题?
我们的缓存问题是否是由 IE6 中的特定错误引起的? 或者只是一组特定的版本? 这允许在 7 和/或 8 中发生吗?
更新:我们检查过,Tomcat 正确发送了 Pragma、Cache-Control 和 Expires 参数,因此这不是问题(嗯,没有发送 no-string 和 max-age 值,但仍然不是问题)。
问题出在 Apache Portable Runtime (APR) 1.1.8 上。 不知何故,虽然我们不完全确定原因,但它会从单个请求创建重复的浏览器操作。 对我们来说,该页面看起来像是被缓存了,因为它包含无效的 Struts 事务令牌,但实际上同一请求的第二个执行版本(具有错误的会话 ID)正在覆盖会话中原始请求的令牌。 升级到 1.1.16 解决了该问题。
为什么有些请求会重复(但具有不同的会话 ID)仍然是一个谜……
保罗。
I am working on a Java/Struts application that uses Tomcat 6.0.10. It's a typical web application that allows users to edit some forms, and streams PDFs. Way back, we added:
<security-constraint>
<web-resource-collection>
<web-resource-name>GeneralRequests</web-resource-name>
<url-pattern>/WR1/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So that any of the non-streaming pages are forced into https AND not cached (we thought). There is a separate constraint entry for the streaming pages in the system.
In recent tests on an IE6, we're finding that "sometimes" the pages are caching, although we've not fully determined when. As well as the CONFIDENTIAL flag, we also used to have:
response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache,no-store,max-age=0");
response.setDateHeader("Expires", 1);
But we removed these because it seemed to be causing ugly re-posting warnings in IE6 and we thought that the CONFIDENTIAL transport-guarantee also included all of the proper mechanics to prevent browser caching of the page. We'd rather leave the issue up to Tomcat to do properly.
What is the "right" way to do this stuff, so we won't have (as many) problems in the future?
Are our caching problems being caused by a specific bug in IE6? Or just a specific set of releases? Does this allow happen in 7 and/or 8?
UPDATE: We checked, and Tomcat is correctly sending the Pragma, Cache-Control and Expires params, so that is not the problem (well, the no-string and max-age values are not being sent, but still is not the problem).
The problem turned out to be the Apache Portable Runtime (APR) 1.1.8. Somehow, although we are not entirely sure why, it is creating duplicate browser actions from a single request. To us, it looked as if the page was cached because it contained an invalid Struts Transaction Token, but in actuality a second executing version of the same request (with the wrong session id) was overwriting the original request's token in the session. Upgrading to 1.1.16 fixed the problem.
Why some requests were getting duplicated (but with different sessions ids) is still a mystery ...
Paul.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
任何浏览器都不应缓存通过 SSL 接收的任何项目,因此我倾向于 IE6 中的错误。 您可以尝试使用 0 或 -1 作为 Expires 的值而不是 1,但您所做的其他一切对我来说看起来都不错。
No browser should cache any items it receives over SSL, so I would lean toward a bug in IE6. You could try 0 or -1 as the value for Expires instead of 1, but everything else you're doing looks okay to me.