Problem:
Authorization Header Fields are not cached using Basic Authorization in Tomcat
Resolution:
- Product Name: BES-AppServer
- Product Version: 5.2.1
- Product Component: Tomcat WebContainer
- Platform/OS Version: All
- JDK/Compiler Version: 1.3.1 and 1.4.1
Two known problems result from this behavior:
- When the user hits Back in the browser, they get a "Warning: Page has Expired" error and have to hit Refresh to get the data back.
- When one tries to download an Excel file that has been generated on the fly, the download simply fails.
These headers are added for good security reasons: they prevent secure responses from being cached by web proxies or browsers. Caching can open a security hole, and you do not want your secure responses to be cached.
There is currently no option available in BES to turn off this behavior.
By the RFC specification, this behavior is legal.
RFC 2616, Section 13.4 "Response Cacheability", paragraph 3 states that, because of security considerations, it may be inappropriate to cache certain responses.
It also states in paragraph 4 that Authorization headers must be treated differently by caches.
However, Tomcat 4.x still adds the no-cache headers, just to be safe even with badly implemented caches.
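The caching rules the article leans on, as an added Python example that is not part of the original article or of BES: a small cache-decision routine following RFC 2616 sections 13.4, 14.8, 14.9 and 14.32, run over constructed headers modelled on what a Tomcat 4.x authenticator adds to a secured response (the header values and the constructed Basic credential are assumptions, not copied from the product). It shows why a proxy must not store the response even without Tomcat's headers, and why the added no-cache forces the browser to revalidate on Back.

```python
from typing import Dict, Mapping, Optional

# Constructed sample headers (assumption): what a Tomcat 4.x authenticator valve
# adds to a response served under a security constraint.
TOMCAT_SECURED_RESPONSE = {
    "Content-Type": "application/vnd.ms-excel",
    "Pragma": "No-cache",
    "Cache-Control": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}
# Constructed request: Basic credential for the fictitious pair user:secret.
BASIC_AUTH_REQUEST = {"Authorization": "Basic dXNlcjpzZWNyZXQ="}


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Turn 'private, max-age=0' into {'private': None, 'max-age': '0'}."""
    out: Dict[str, Optional[str]] = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') or None
    return out


def cache_decision(request: Mapping[str, str], response: Mapping[str, str],
                   shared: bool) -> str:
    """Return 'no-store', 'revalidate' or 'fresh' for a cache seeing this exchange.

    shared=True models a web proxy, shared=False a single user's browser cache.
    """
    req = {k.lower(): v for k, v in request.items()}
    resp = {k.lower(): v for k, v in response.items()}
    cc = parse_cache_control(resp.get("cache-control"))
    if "no-store" in cc:
        return "no-store"            # 14.9.2: must not be stored anywhere
    if shared and "private" in cc:
        return "no-store"            # 14.9.1: single-user caches only
    if shared and "authorization" in req:
        # 14.8: a shared cache must not reuse a response to a request that
        # carried Authorization unless the origin explicitly allows it.
        if not any(d in cc for d in ("s-maxage", "must-revalidate", "public")):
            return "no-store"
    if "no-cache" in cc or "no-cache" in resp.get("pragma", "").lower():
        return "revalidate"          # 14.9.1 / 14.32: every reuse must revalidate
    if cc.get("max-age") == "0":
        return "revalidate"          # stale on arrival
    return "fresh"
```

For the Tomcat headers above, a proxy answers "no-store" purely because of the Authorization rule, while the browser answers "revalidate" only because of the added no-cache, which is the revalidation that produces the "Page has Expired" warning on Back.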
Author: Sean Chandler
#VisiBroker
#tomcat
#Security
#BES5.2