SEC-2331: Cache Control now includes Expires: 0

2013-09-19 14:06:37 -05:00 · 2013-09-19 14:06:37 -05:00 · 8f8c6169e8
parent c5c1419521
commit 8f8c6169e8
6 changed files with 12 additions and 2 deletions
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy
@ -79,6 +79,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
                         'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                         'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                         'Pragma':'no-cache',
+                         'Expires' : '0',
                         'X-XSS-Protection' : '1; mode=block']
    }

--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy
@ -49,6 +49,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
                         'X-Frame-Options':'DENY',
                         'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                         'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                         'Expires' : '0',
                         'Pragma':'no-cache',
                         'X-XSS-Protection' : '1; mode=block']
    }
@ -128,6 +129,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
            springSecurityFilterChain.doFilter(request,response,chain)
        then:
            responseHeaders == ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                         'Expires' : '0',
                         'Pragma':'no-cache']
    }

--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.groovy
@ -49,6 +49,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
                'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                'Pragma':'no-cache',
+                'Expires' : '0',
                'X-XSS-Protection' : '1; mode=block']
    }

@ -69,6 +70,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
            springSecurityFilterChain.doFilter(request,response,chain)
        then:
            responseHeaders == ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                'Expires' : '0',
                'Pragma':'no-cache']
    }

--- a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
@ -54,6 +54,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
                                     'X-Frame-Options':'DENY',
                                     'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                                     'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                                     'Expires' : '0',
                                     'Pragma':'no-cache',
                                     'X-XSS-Protection' : '1; mode=block'])
    }
@ -332,7 +333,9 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
        when:
            springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
        then:
-            assertHeaders(response, ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate','Pragma':'no-cache'])
+            assertHeaders(response, ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                                     'Expires' : '0',
+                                     'Pragma':'no-cache'])
    }

    def 'http headers hsts'() {
--- a/web/src/main/java/org/springframework/security/web/header/writers/CacheControlHeadersWriter.java
+++ b/web/src/main/java/org/springframework/security/web/header/writers/CacheControlHeadersWriter.java
@ -44,6 +44,7 @@ public final class CacheControlHeadersWriter extends StaticHeadersWriter {
        List<Header> headers = new ArrayList<Header>(2);
        headers.add(new Header("Cache-Control","no-cache, no-store, max-age=0, must-revalidate"));
        headers.add(new Header("Pragma","no-cache"));
+        headers.add(new Header("Expires","0"));
        return headers;
    }
 }
--- a/web/src/test/java/org/springframework/security/web/header/writers/CacheControlHeadersWriterTests.java
+++ b/web/src/test/java/org/springframework/security/web/header/writers/CacheControlHeadersWriterTests.java
@ -47,8 +47,9 @@ public class CacheControlHeadersWriterTests {
    public void writeHeaders() {
        writer.writeHeaders(request, response);

-        assertThat(response.getHeaderNames().size()).isEqualTo(2);
+        assertThat(response.getHeaderNames().size()).isEqualTo(3);
        assertThat(response.getHeaderValues("Cache-Control")).isEqualTo(Arrays.asList("no-cache, no-store, max-age=0, must-revalidate"));
        assertThat(response.getHeaderValues("Pragma")).isEqualTo(Arrays.asList("no-cache"));
+        assertThat(response.getHeaderValues("Expires")).isEqualTo(Arrays.asList("0"));
    }
 }