I built a Java EE backend, offering various REST endpoints. Some endpoints are only available for logged-in users. To make those responses cacheable by browsers, I added 'Cache-Control: private' to them.

RestEasy offers that possibility by setting the field 'isPrivate' on the Cache annotation to true.

e.g.:

import javax.ws.rs.GET;
import org.jboss.resteasy.annotations.cache.Cache;

@GET
@Cache(maxAge = 60, isPrivate = true) // response carries Cache-Control: private, max-age=60
public SomeSensitiveData getSensitiveData() {
...
}

I also see in the response from the server that the Cache-Control header is set correctly. Nevertheless, the server-side cache from Wildfly caches the response, and now everyone calling the endpoint gets the 'private' response directly from the cache.

So...uhm...is that behavior intended? If so, what's the point of the Cache-Control flag 'private'?

Just for the record: I am using Wildfly 10.

DXTR66
  • Err, the cache headers are for the browser and the proxy servers, not for Wildfly. I doubt Wildfly cares about the server you sent in the response, and I doubt it caches anything. If a resource should only be accessible to some people, you need authentication and authorization. Cache is irrelevant. – JB Nizet Jun 16 '16 at 12:20
  • @JBNizet: My understanding is that the fields are to be respected by any cache in between. Wildfly offers a server-side cache, which caches any response as soon as you mark it as cacheable. It also reacts to other cache header fields like no-cache, so why should it not respect the private flag? For me this sounds like a totally broken cache implementation. Even worse, as far as I know, Wildfly automatically enables this server-side cache and you cannot disable it. Thus, as soon as you want to add ETag caching support, you are also stuck with their server-side cache. – DXTR66 Jun 17 '16 at 06:55
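As an added example for the situation discussed above (not code from the asker, RESTEasy or WildFly, and using a hypothetical class name), a JAX-RS ContainerResponseFilter can act as a safety net: whenever a request was authenticated, it makes sure the response carries Cache-Control: private (keeping any max-age the resource chose) and a Vary header, so that a resource which forgot isPrivate = true still cannot be stored by a standards-conforming shared cache.

```java
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Safety net for per-user responses (hypothetical filter, not part of
 * RESTEasy or WildFly): if the request was authenticated and the resource did
 * not already mark its response "private" or "no-store", force
 * Cache-Control: private and add Vary so that any cache honouring the
 * RFC 7234 rules will not hand one user's body to another user.
 */
@Provider
public class PrivateResponseGuard implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext req, ContainerResponseContext resp)
            throws IOException {
        SecurityContext sc = req.getSecurityContext();
        boolean authenticated = sc != null && sc.getUserPrincipal() != null;
        if (!authenticated) {
            return; // anonymous responses may legitimately be shared
        }

        Object existing = resp.getHeaders().getFirst(HttpHeaders.CACHE_CONTROL);
        CacheControl cc = existing == null
                ? new CacheControl()
                : CacheControl.valueOf(existing.toString());

        if (!cc.isPrivate() && !cc.isNoStore()) {
            // Keep whatever max-age the resource chose (e.g. @Cache(maxAge = 60))
            // but restrict storage to the end user's own cache.
            cc.setPrivate(true);
            resp.getHeaders().putSingle(HttpHeaders.CACHE_CONTROL, cc);
        }
        // Tell caches that the representation depends on who asked for it.
        resp.getHeaders().add(HttpHeaders.VARY, "Authorization, Cookie");
    }
}
```

This only helps with caches that honour 'private' and 'Vary'; whether the server-side cache does is exactly what the question reports, so verify it by issuing the same authenticated request as two different users and confirming the second user never receives the first user's body.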

0 Answers