When I configure a web application with the user data constraint set to confidential, so that Tomcat enforces HTTPS access, and then try to download a PDF document using Internet Explorer, the document cannot be displayed due to a bug within IE. The above URL describes the bug but says that it is "by design" (as all Microsoft bugs are ;) ).

The problem occurs because Tomcat adds the following two HTTP headers, if and only if a webapp has a user-data constraint of confidential:

Pragma: no-cache
Cache-control: no-cache,max-age=0,must-revalidate

I need to secure my web application and I need to work around this IE bug on the server side. Tomcat 4.x does not cause the problem, but Tomcat 5.x does.

It is not a safe solution to remove the respective HTTP headers within a filter, because the filter would have to do this after the filter chain invocation and the output stream could already have been committed at that time.

Another way would be to add a filter which tests whether a request is HTTP and then manually redirects to HTTPS, and then to drop the user-data-constraint from the web descriptor.

Since nearly all IE browsers have this bug, this means that unless Tomcat provides a workaround solution for this, developers will not be able to facilitate the standard way of specifying security constraints.

Any ideas for a short-time workaround that I could apply would be very welcome since I need to get this fixed quickly...

Thanks
*** This bug has been marked as a duplicate of 27122 ***
Well, correct me if I'm wrong, but don't the Tomcat developers behave exactly as Microsoft in this case? Both parties insist on being right and expect the other side to change their code. Not very helpful for the rest of us. Why isn't it possible to make the described caching behaviour a configurable option in Tomcat?