Spring Security caching issue


I just did some awesome optimizations for AgroGo. One of them was related to a strange behavior in Spring Security.

By default, anything that’s protected by Spring Security is sent to the browser with the “Cache-Control: no-cache, no-store, max-age=0” header, causing the browser to reload all files on every request. This is bad for various reasons, but the most important are high traffic and slow page loads. Also note that if you use Spring Boot with Spring Security, all your files are protected by Spring Security by default, so even if you call permitAll() on them, the files will be served with no-cache!

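Luckily, you can disable Spring Security for specific directories such as /static. Ignored paths bypass the Spring Security filter chain entirely, so they get no authentication, no authorization and no security headers; only ignore directories that hold public assets. In your SecurityConfig you just need to add this code: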

public class ConfigSecurity extends WebSecurityConfigurerAdapter {
  public void configure(WebSecurity web) throws Exception {
    // This will disable Spring Security for the /static folder.
    web.ignoring().antMatchers("/static/**");
  }
}

If you want to configure the caching duration, you can do this in your WebMvcConfigurerAdapter class:

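public class ConfigWeb extends WebMvcConfigurerAdapter {
  public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/") // assumed paths
        .setCachePeriod(3600 * 24); // seconds (24 hours)
  }
}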
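
An alternative to web.ignoring(), added here as an example and not part of the original post: keep /static inside the filter chain, so the other security headers still apply, and stop writing the no-cache headers for that path only. The class name ConfigSecurityHeaders and the authorization rules are assumptions; it would replace the ConfigSecurity class above rather than sit beside it.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical class name; use it instead of the web.ignoring() configuration.
@Configuration
@EnableWebSecurity
public class ConfigSecurityHeaders extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Matches every request that is NOT under /static.
    RequestMatcher notStatic =
        new NegatedRequestMatcher(new AntPathRequestMatcher("/static/**"));

    // Writes the no-cache headers only when the request matches notStatic.
    HeaderWriter noCacheExceptStatic =
        new DelegatingRequestMatcherHeaderWriter(notStatic, new CacheControlHeadersWriter());

    http
        .headers()
            .cacheControl().disable()              // remove the global no-cache writer
            .addHeaderWriter(noCacheExceptStatic)  // re-add it for everything but /static
            .and()
        .authorizeRequests()
            .antMatchers("/static/**").permitAll() // public, but still passes the filter chain
            .anyRequest().authenticated();         // assumed rule for the rest of the app
  }
}
```

With this in place, the cache period set in addResourceHandlers above still controls how long browsers keep the static files.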

You can read more about this here: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#headers.
