1

I am attempting to configure cache-control response header to a custom value via my Spring Security configuration XML. Unfortunately, it seems like I'm only able to disable the cache-control header from the XML configuration as per the documentation:

<http>
    <headers defaults-disable="true">
        <cache-control />
    </headers>
</http>

Being this seems to be the case, I attempted to create a custom WebSecurityConfigurerAdapter as so:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("******* SETTING CUSTOM CACHE-CONTROL....");
        StaticHeadersWriter writer = new StaticHeadersWriter("Cache-Control", "2592000");
        RequestMatcher resourcesMatcher = new AntPathRequestMatcher("/**/*");
        HeaderWriter resourcesHeaderWriter = new DelegatingRequestMatcherHeaderWriter(resourcesMatcher, writer);
        http.headers().cacheControl().disable().addHeaderWriter(resourcesHeaderWriter);
        http.headers().disable();
    }
}

Unfortunately, even though the class is in fact initially called, it seems like the configuration is actually overwritten by the XML, as the cache-control response header still appears to be set to the defaults:

Response headers still show cache-control defaults for Spring Security

Any thoughts on how I can specify something similar with the XML file itself, preferably able to match a specific pattern (ex. *.js)?

Thanks!

cjones26
  • 3,459
  • 1
  • 34
  • 51
  • Let me try that--let me ask, though, is there a way to selectively apply headers? My main goal was to only modify the default cache-control for JS files. – cjones26 Nov 21 '17 at 18:23
  • 1
    You mean for some ANT pattern? Yes, you can do that at least in Java configuration. With XML it is more complicated but possible. – dur Nov 21 '17 at 18:25
  • Yes, ANT pattern...as for the `header` XML element, I am still seeing no way to configure this under `headers` ? The only attribute listed is disabled: https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-cache-control – cjones26 Nov 21 '17 at 18:55
  • Can you provide a link? The cache-control link I posted up there is literally listed as a child element of the headers tag as shown here: https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-headers-children -- am I missing something? – cjones26 Nov 21 '17 at 20:51
  • https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-header – dur Nov 21 '17 at 20:57
  • Thanks @dur--that seemed to work! Any way to selectively apply the header? – cjones26 Nov 21 '17 at 21:36
  • What about using a filter ? After changing the code press **CTRL** and **R** button to see the changes. – Ataur Rahman Munna Nov 22 '17 at 05:26
  • @slashp: You can create a `DelegatingRequestMatcherHeaderWriter` and reference it in your `header` tag. – dur Nov 22 '17 at 10:36
  • @dur--can you please post as the answer and I will mark it? Thank you!! – cjones26 Nov 22 '17 at 13:44
  • I believe the answer that you want is here: https://stackoverflow.com/questions/29530575/disable-caching-for-specific-url-in-spring-security/30949227#30949227 – Mr Chow Aug 07 '19 at 21:51

1 Answers1

1

I believe the answer that you want is already described in the question here:

disable caching for specific url in spring security

By doing something like this:

<security:http>
[intercept-url, etc omitted...]
        <security:headers>
            <!-- selectively applied to dynamic pages only via pattern matching,  -->
            <security:header ref="noCacheHeaders"/>
        </security:headers>
    </security:http>    

<bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/index.html"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean>
Mr Chow
  • 365
  • 6
  • 10