Caching with Tomcat Authentication

Article:		Two Servlet Filters Every Web Application Should Have
Subject:		Caching with Tomcat Authentication
Date:		2007-04-18 20:37:41
From:		DETurner

I've seen a few blogs/comments floating about the web regarding `Cache-Control: no-cache` and `Pragma: no-cache` headers being attached to every HTTP response from Tomcat. This is particularly bad for users of IE; it will end up ignoring all caching (every GET request returning a complete `200` response with content, because it doesn't request with a `If-Modified-Since` date). I've discovered this may largely be due to using any form of web-app authentication in T5.5, which appends these headers to all responses under the authentication path to prevent them being cached (see: AuthenticatorBase). To avoid this issue, set the following in your web-app `context.xml` for whichever authentication method you're using: <Valve className="org.apache.catalina.authenticator.FormAuthenticator" securePagesWithPragma="false" /> This will instead use `Cache-Control: private` which is recognised by IE correctly, and it will send a proper `If-Modified-Since` header back when next requesting that resource. This will usually mean Tomcat will return a `304` (Not-Modified) response for all your static image/script/css/html/etc resources!