Closed
Labels: in: web (An issue in web modules (web, webmvc)), type: bug (A general bug)
Description
This issue was originally reported here: spring-projects/spring-boot#8188

Updating to the latest Spring Boot also updates Spring Security from 4.1.x to 4.2.x.

The previous version of Spring Security didn't write the cache control header if it was already set; now it always sets it, effectively ignoring the explicitly set settings.
Before, the writeHeaders method used to read:

```java
public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
    // Leave the response alone if a caching header has already been set
    if (hasHeader(response, CACHE_CONTROL) || hasHeader(response, EXPIRES)
            || hasHeader(response, PRAGMA)) {
        return;
    }
    this.delegate.writeHeaders(request, response);
}
```
Now, it's simply:

```java
public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
    // Every configured header is added, with no check for an existing value
    for (Header header : headers) {
        for (String value : header.getValues()) {
            response.addHeader(header.getName(), value);
        }
    }
}
```
This is the commit: 57d7ad0

Sample project here:
https://github.com/apixandru/case-study/tree/master/spring-boot-duplicate-headers

It turns out that WebSecurityConfigurerAdapter enables the cache control headers that you were missing.

Happens with a WebLogic deployment:
```
$ curl --head -i http://192.168.0.248:7001/test/b.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/1.1 200 OK
Cache-Control: public
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Fri, 03 Feb 2017 20:20:36 GMT
Pragma: cache
Pragma: no-cache
Transfer-Encoding: chunked
Accept-Ranges: bytes
Content-Type: text/plain
Expires: 0
Last-Modified: Fri, 03 Feb 2017 20:20:11 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
```
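
A check for the symptom visible in the curl output above, as an added example (not part of the original report and not Spring Security code): it parses a raw response header block and reports caching headers that were written more than once with different values. The function names are hypothetical; the sample input is the header block from the report.

```python
import re
from collections import defaultdict

CACHING_HEADERS = ("cache-control", "pragma", "expires")
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # valid HTTP field-name characters

# Header lines copied from the curl output in the report above.
SAMPLE = """\
HTTP/1.1 200 OK
Cache-Control: public
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Fri, 03 Feb 2017 20:20:36 GMT
Pragma: cache
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
"""

def parse_headers(raw):
    """Group field values by lower-cased name, keeping repeated fields in order."""
    fields = defaultdict(list)
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        # Skips the status line, blank lines and curl's progress-meter text.
        if sep and TOKEN.fullmatch(name):
            fields[name.lower()].append(value.strip())
    return fields

def directives(values):
    """Lower-cased Cache-Control directive names across all field lines."""
    parts = (p.strip() for v in values for p in v.split(","))
    return {p.split("=", 1)[0].lower() for p in parts if p}

def caching_conflicts(raw):
    """Report caching headers sent more than once with different values."""
    fields = parse_headers(raw)
    findings = []
    for name in CACHING_HEADERS:
        values = fields.get(name, [])
        if len(set(values)) > 1:
            findings.append(f"{name} sent {len(values)} times: {values}")
    # Repeated fields are read as one combined list, so "public" and
    # "no-store" end up in the same Cache-Control policy.
    cc = directives(fields.get("cache-control", []))
    restrictive = cc & {"no-store", "private"}
    if restrictive and "public" in cc:
        findings.append("cache-control mixes public with " + ", ".join(sorted(restrictive)))
    return findings

if __name__ == "__main__":
    for finding in caching_conflicts(SAMPLE):
        print(finding)
```

Run against responses for resources where the application sets its own caching headers, an empty result means only one writer touched them.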