Clarify how to prevent overwriting Cache-Control when @SessionAttribute is used [SPR-13598]

[spring-projects-issues]

Tomoyuki Ikeya opened SPR-13598 and commented

#16413 and #7466 had many changes in Cache-Control headers.
One of the changes is to deprecate to set useCacheControlHeader as false with a comment "HTTP 1.1 cache-control header will be required, with the HTTP 1.0 headers disappearing".

On the other hand, we perhaps would like to prevent overwriting Cache-Control header by Spring MVC when using Spring Security and its <headers /> option.
My proposal is that setUseCacheControlHeader() should not be deprecated, or should provide other option that prevent overwriting it by Spring MVC.

---

Affects: 4.2 GA, 4.2.1, 4.2.2

Referenced from: commits 2b3ad21

2 votes, 3 watchers

[spring-projects-issues]

Tomoyuki Ikeya commented

I need to apologize for my mis-unsderstanding.
I changed the title and priority.

WebContentGenerator.setCacheSeconds(-1)
``` and ```java RequestMappingHandlerAdapter.setCacheSecondsForSessionAttributeHandlers(-1)
```  may be the solution for this. These methods have been implemented before v4.2.
Set cacheSeconds -1 not to generate Cache-Control header.
Former seconds is set -1 by default but latter seconds is set 0 by default so need to be manually configured when that case.

[spring-projects-issues]

Brian Clozel commented

Hello Tomoyuki Ikeya

Could you elaborate a bit more on the improvement you're looking for?

By default, SessionAttribute handlers are configured to send HTTP response headers in order to prevent caching (since the response itself depends on the session state).

I'd like to know more about what you're trying to achieve:

• you'd like to keep HTTP1.0 headers in your application? Why so?
• do you think that the HTTP headers used here to prevent HTTP caching aren't good enough compared to Spring Security? Why?

I guess you don't want to change that behavior by default, but rather see some documentation improvement.
What did you have in mind? What documentation were you reading?

Thanks for this report!

[spring-projects-issues]

Tomoyuki Ikeya commented

Hi Brian

I guess you don't want to change that behavior by default, but rather see some documentation improvement.
Exactly.

We often want to add Cache-Control header for all responses.
In such cases it is natural all Cache-Control headers have same directives. Spring Security's <headers /> is useful for these cases.
By default, Cache-Control directives generated by Spring 4.2 is different from the one by Spring Security.
Of course we can easily configure Cache-Control directives since Spring 4.2, but I thinks it is easier to rely completely on Spring Security.

Therefore, I would like to have options to disable Spring MVC's Cache-Control overwriting.
I was able to disable it in Spring 4.1, but Spring 4.2 deprecates the way.
It is better for javadoc or other documents to navigate how to disable Cache-Control overwriting in Spring 4.2 for old Spring users.

[spring-projects-issues]

Brian Clozel commented

I've found a way to explain this a bit better in the RequestMappingHandlerAdapter.setCacheSecondsForSessionAttributeHandlers javadoc.

Note that since #18440, we're not adding "Cache-Control" directives if they've been already added by the handler or a filter (before the request is dispatched to the servlet itself).

Thanks Tomoyuki Ikeya!
Let me know if you've found another place we should add that documentation bit.