1

I am attempting to configure cache-control response header to a custom value via my Spring Security configuration XML. Unfortunately, it seems like I'm only able to disable the cache-control header from the XML configuration as per the documentation:

<http>
    <headers defaults-disable="true">
        <cache-control />
    </headers>
</http>

Being this seems to be the case, I attempted to create a custom WebSecurityConfigurerAdapter as so:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("******* SETTING CUSTOM CACHE-CONTROL....");
        StaticHeadersWriter writer = new StaticHeadersWriter("Cache-Control", "2592000");
        RequestMatcher resourcesMatcher = new AntPathRequestMatcher("/**/*");
        HeaderWriter resourcesHeaderWriter = new DelegatingRequestMatcherHeaderWriter(resourcesMatcher, writer);
        http.headers().cacheControl().disable().addHeaderWriter(resourcesHeaderWriter);
        http.headers().disable();
    }
}

Unfortunately, even though the class is in fact initially called, it seems like the configuration is actually overwritten by the XML, as the cache-control response header still appears to be set to the defaults:

Response headers still show cache-control defaults for Spring Security

Any thoughts on how I can specify something similar with the XML file itself, preferably able to match a specific pattern (ex. *.js)?

Thanks!

Improve this question
10
  • Let me try that--let me ask, though, is there a way to selectively apply headers? My main goal was to only modify the default cache-control for JS files. Commented Nov 21, 2017 at 18:23
  • 1
    You mean for some ANT pattern? Yes, you can do that at least in Java configuration. With XML it is more complicated but possible. Commented Nov 21, 2017 at 18:25
  • Yes, ANT pattern...as for the header XML element, I am still seeing no way to configure this under headers ? The only attribute listed is disabled: docs.spring.io/spring-security/site/docs/current/reference/html/… Commented Nov 21, 2017 at 18:55
  • Can you provide a link? The cache-control link I posted up there is literally listed as a child element of the headers tag as shown here: docs.spring.io/spring-security/site/docs/current/reference/html/… -- am I missing something? Commented Nov 21, 2017 at 20:51
  • docs.spring.io/spring-security/site/docs/current/reference/html/… Commented Nov 21, 2017 at 20:57

1 Answer 1

Reset to default
1

I believe the answer that you want is already described in the question here:

disable caching for specific url in spring security

By doing something like this:

<security:http>
[intercept-url, etc omitted...]
        <security:headers>
            <!-- selectively applied to dynamic pages only via pattern matching,  -->
            <security:header ref="noCacheHeaders"/>
        </security:headers>
    </security:http>    

<bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/index.html"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean>
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.