ServletWebRequest can't validate Etag and Last-Modified together. [SPR-11324]

[spring-projects-issues]

Markus Malkusch opened SPR-11324 and commented

HTTP 1.1. recommends to send both ETag and Last-Modified header:

the preferred behavior for an HTTP/1.1 origin server is to send both a strong entity tag and a Last-Modified value. [..] If both an entity tag and a Last-Modified value have been provided by the origin server, [clients] SHOULD use both validators in cache-conditional requests. [..] upon receiving a conditional request that includes both [..] [server] MUST NOT return a response status of 304 (Not Modified) unless doing so is consistent with all of the conditional header fields in the request.

Spring's ServletWebRequest seems to be designed for an isolated use of one of them, but not both. If an application wants to implement validation for both the first checkNotModified() call has more significance. This is in particular relevant if the first sets the state to notModified. The next call has no more effect:

Here is a further test case for ServletWebRequestTests which demonstrates the issue:

    @Test
    public void checkNotModifiedETagAndTimeStamp() {
            String currentETag = "\"Foo\"";
	    String oldEtag = "Bar";
            servletRequest.setMethod("GET"); // Also for HEAD
            servletRequest.addHeader("If-None-Match", oldEtag );

            long currentTime = new Date().getTime();
            servletRequest.setMethod("GET"); // Also for HEAD
            servletRequest.addHeader("If-Modified-Since", currentTime);

            request.checkNotModified(currentTime);
            request.checkNotModified(currentETag);

            assertEquals(200, servletResponse.getStatus());
            assertEquals(currentETag, servletResponse.getHeader("ETag"));
    }

---

Affects: 4.0 GA

Reference URL: http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.3.4

This issue is a sub-task of #16413

Issue Links:

• Add support for public/private Cache-Control HTTP header [SPR-7129] #11789 Add support for public/private Cache-Control HTTP header

Referenced from: commits 0175068, 953608e

0 votes, 7 watchers

[spring-projects-issues]

Markus Malkusch commented

Reading further in HTTP I see more issues regarding checkNotModified():
-checkNotModified() doesn't offer any mechanism to identify a validator as weak or strong.
-HTTP's weak comparison function is not implemented at all. I.e. W/"ETag"=="ETag".
-A client can send a conditional request with more ETags.
-The "*" ETags seems to be unsupported.

I don't want to bother you with more issues about this topic. But I would happily offer resources and provide a pull request.

[spring-projects-issues]

Juergen Hoeller commented

Indeed, the not-modified check probably needs some general overhaul on Spring's side. Let's use this issue for all such ETag enhancements, and target them for 4.1 RC1 (June).

A pull request would be very welcome, of course!

Juergen

[spring-projects-issues]

Phil Webb commented

https://github.com/malkusch/spring-framework/tree/SPR-11324

[spring-projects-issues]

Brian Clozel commented

Hi Markus Malkusch, I've revisited a bit your PR, this is now in master.
See 953608ec.

See #16413 for other related changes.

Thanks a lot!