Downloading files from a Tomcat server using SSL

I set up an SSL Web Application using Apache/Tomcat. Part of this application serves files to users. But the Internet Explorer browser could not download files from my site. It would always get an error about IE being unable to write a file to the cache.

After much research, I found the problem and solution:

Starting with Tomcat 5, Tomcat sends a "Pragma: No-cache" header with every request. Well, in SSL-mode, Internet Explorer interprets that to mean to not save the file to cache as it is being downloaded. But since it's an encrypted file (SSL), IE also refuses to write it to disk (for security reasons? I don't know why). And thus, you cannot download files because IE will neither write the file to memory or to disk.

Firefox does not have this problem. I don't know whether to praise Firefox for having a more intelligent browser, or praise Microsoft for taking a strict interpretation of security protocols. But since I've indicated that I want IE to save the file to a disk, I would think IE could find a way to download the file, cache or no cache.

To get around this problem in IE, you need to change the HTTP header to say that it's okay to cache the file as it's being downloaded. And in Tomcat, you do that by putting a Valve in the Context for all requests for your webapp, as follows (in your <host> section):


<context docbase="myapp" path="/myapp">
<valve classname="org.apache.catalina.authenticator.FormAuthenticator" disableproxycaching="false"/>
</context>

Note that if you're not using Form authentication, then substitue the class name of the authenticator you're using. For example org.apache.catalina.authenticator.BasicAuthenticator in my case.

And if your application runs in the ROOT path, you need:

<context docbase="ROOT" path="">
<valve classname="org.apache.catalina.authenticator.FormAuthenticator" disableproxycaching="false"/>
</context>

Ta da! And now I can serve up encrypted files to an IE browser.