Two Servlet Filters Every Web Application Should Have
Subject:   Caching with Tomcat Authentication
Date:   2007-04-18 20:37:41
From:   DETurner
I've seen a few blogs/comments floating about the web regarding Cache-Control: no-cache and Pragma: no-cache headers being attached to every HTTP response from Tomcat. This is particularly bad for users of IE; it will end up ignoring all caching (every GET request returning a complete 200 response with content, because it doesn't request with an If-Modified-Since date).

I've discovered this may largely be due to using any form of web-app authentication in T5.5, which appends these headers to all responses under the authentication path to prevent them being cached (see: AuthenticatorBase).

To avoid this issue, set the following in your web-app context.xml for whichever authentication method you're using:

<Valve className="org.apache.catalina.authenticator.FormAuthenticator"
securePagesWithPragma="false" />

This will instead use Cache-Control: private which is recognised by IE correctly, and it will send a proper If-Modified-Since header back when next requesting that resource. This will usually mean Tomcat will return a 304 (Not-Modified) response for all your static image/script/css/html/etc resources!
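
An added example (not part of the original comment and not Tomcat code): a small header audit that classifies the two header sets the comment describes and flags where a protected dynamic page stays in the browser cache once only Cache-Control: private is sent. The static-extension list, finding names and sample paths are assumptions, and the header sets are constructed.

```python
import posixpath

STATIC_EXT = {".png", ".gif", ".jpg", ".css", ".js", ".html"}  # assumed list

# Constructed samples modelling the two settings described in the comment.
PRAGMA_ON = {"Pragma": "No-cache", "Cache-Control": "no-cache"}
PRAGMA_OFF = {"Cache-Control": "private"}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def cache_policy(headers):
    """Summarise who may store the response and whether reuse needs a round trip."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    no_store = "no-store" in cc
    return {
        # private and no-store both keep the response out of shared proxies
        "shared_may_store": not (no_store or "private" in cc),
        "browser_may_store": not no_store,
        # no-cache (either header) forbids reuse without contacting the server
        "revalidate": "no-cache" in cc or "no-cache" in h.get("pragma", "").lower(),
    }

def audit(path, headers):
    """Findings for one response served under the authenticated path."""
    p = cache_policy(headers)
    static = posixpath.splitext(path)[1].lower() in STATIC_EXT
    findings = []
    if p["shared_may_store"] and not p["revalidate"]:
        findings.append("shared-cache-exposure")   # a proxy may replay protected content
    if static and p["revalidate"]:
        findings.append("static-not-reusable")     # the caching cost the comment reports
    if not static and p["browser_may_store"] and not p["revalidate"]:
        findings.append("page-in-browser-cache")   # candidate for no-store on sensitive pages
    return findings

if __name__ == "__main__":
    for name, hdrs in (("pragma on", PRAGMA_ON), ("pragma off", PRAGMA_OFF)):
        for path in ("/app/img/logo.png", "/app/account.jsp"):
            print(name, path, audit(path, hdrs))
```

A "page-in-browser-cache" finding marks a response where an application-level Cache-Control: no-store on the sensitive page would keep it out of the local cache while static resources remain cacheable.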