I have this declaration in my spring xml configuration:
<security:headers>
I believe this ensures that the following header is sent with all responses:
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
I don't want this header to be sent with static resources. So I tried this:
<security:headers>
<security:header ref="cacheStaticsHeaders" />
</security:headers>
<bean id="cacheStaticsHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/images/**"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.StaticHeadersWriter">
<constructor-arg name="headers">
<list>
<bean class="org.springframework.security.web.header.Header">
<constructor-arg name="headerName" value="cache-control"></constructor-arg>
<constructor-arg name="headerValues" value="max-age=31536000"/>
</bean>
<bean class="org.springframework.security.web.header.Header">
<constructor-arg name="headerName" value="Expires"></constructor-arg>
<constructor-arg name="headerValues" value="31536000"/>
</bean>
</list>
</constructor-arg>
</bean>
</constructor-arg>
</bean>
However,now I see two headers for static resources:
Cache-Control:max-age=31536000 cache-control: public
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
How do I fix this? I first asked this question here but didn't get a response.
