authentication - Proxy de almacenamiento en caché con solicitudes REST autenticadas

Por el HTTP / 1.1 RFC sección 14.8 ( http://tools.ietf.org/html/rfc2616#section-14.8 ):

When a shared cache (see section 13.7) receives a request containing an Authorization field, it MUST NOT return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds: 1. If the response includes the "s-maxage" cache-control directive, the cache MAY use that response in replying to a subsequent request. But (if the specified maximum age has passed) a proxy cache MUST first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate the new request. (This is the defined behavior for s-maxage.) If the response includes "s- maxage=0", the proxy MUST always revalidate it before re-using it. 2. If the response includes the "must-revalidate" cache-control directive, the cache MAY use that response in replying to a subsequent request. But if the response is stale, all caches MUST first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate the new request. 3. If the response includes the "public" cache-control directive, it MAY be returned in reply to any subsequent request.

Una posibilidad para probar es utilizar el encabezado de respuesta Vary: Authorization para indicar a los cachés en sentido descendente que tengan cuidado con el almacenamiento en caché variando los documentos almacenados en caché según el encabezado Authorization la solicitud.

Es posible que ya esté usando este encabezado si usa la compresión de respuesta. El usuario generalmente solicita un recurso con el encabezado Accept-Encoding: gzip, deflate ; si el servidor está configurado para admitir la compresión, entonces la respuesta podría venir con los encabezados Content-Encoding: gzip y Vary: Accept-Encoding ya.