Web.Config - staticContent - clientCache configurations - asp.net-mvc

I have this Content folder to hold js/images/css etc which doesn't change so often. So, I have added a config file to this directory which looks like this -
<configuration>
<system.webServer>
<staticContent>
<!-- <clientCache cacheControlMode="UseExpires" httpExpires="Mon, 30 Nov 2015 20:45:45 GMT"/> -->
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="1.00:00:00"/>
</staticContent>
</system.webServer>
</configuration>
When I load the page for the first time, I can see these response/request headers for a requested js file -
Response Headers
Accept-Ranges:bytes
Cache-Control:max-age=86400
Content-Encoding:gzip
Content-Length:1730
Content-Type:application/x-javascript
Date:Mon, 30 Nov 2015 12:14:31 GMT
ETag:"038394f8fd11:0"
Last-Modified:Mon, 26 Oct 2015 14:14:08 GMT
Server:Microsoft-IIS/7.5
Vary:Accept-Encoding
X-Powered-By:ASP.NET
Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Host:dev.admin.ccmportal.williamslea.com
Pragma:no-cache
Referer:http://dev.admin.ccmportal.williamslea.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Two questions -
When I re-load the page using F5, I see same response headers with
content length of 1730. Why content is reloaded even if I have set
it to be cached for 1 day?
What does Cache-Control:no-cache means in Request Header?
Thank you!

Content-Length will always show the content length, even when the content is pulled from cache.
Cache-Control: no-cache tells the browser it SHOULD forward the request toward the origin server even if it has a cached copy of what is being requested.
Content-Length spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
Cache-Control spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
So it looks like your clientCache configuration is working correctly however it also looks like you're browser is not using the cache as per Cache-Control:no-cache
Do you have cache disabled in your dev tools or something similar?

Related

EWS managed-api gets 500 Internal Server Error when creating streaming subscription with affinity using OAuth

I have an application that uses EWS streaming subscriptions via the managed API (built from latest source on GitHub as NuGet version is out of date), and have been enhancing it to group subscriptions for mailboxes with the same GroupingInformation and ExternalEwsUrl user settings, to reduce the number of connections, as described in Maintain affinity between a group of subscriptions and the Mailbox server in Exchange.
I am also introducing modern authentication for Exchange Online: Authenticate an EWS application by using OAuth
I have only been testing the changes on a relatively small Azure tenant. When I try to create a subsequent subscription on a group, it works perfectly with basic authentication, but with OAuth authentication, it always fails with HTTP error 500. The EWS error message is "Request failed because EWS could not contact the appropriate CAS server for this request".
I include an excerpt from the XML trace, when using OAuth, for the request and response for the first subscription on the anchor mailbox, then the request and failed response for the second subscription. The GroupingInformation value for the two mailboxes was "VE1PR03" when these requests were made.
It is not obvious how the use of OAuth should affect the routing of the requests.
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: MyApp/2.2.0.20149 (ExchangeServicesClient/2.2.1.0)
Accept-Encoding: gzip,deflate
X-AnchorMailbox: user1#xyz.onmicrosoft.com
X-PreferServerAffinity: true
Authorization: Bearer ey..
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
<t:ExchangeImpersonation>
<t:ConnectingSID>
<t:SmtpAddress>user1#xyz.onmicrosoft.com</t:SmtpAddress>
</t:ConnectingSID>
</t:ExchangeImpersonation>
</soap:Header>
<soap:Body>
<m:Subscribe>
<m:StreamingSubscriptionRequest>
<t:FolderIds>
<t:DistinguishedFolderId Id="inbox">
<t:Mailbox>
<t:EmailAddress>user1#xyz.onmicrosoft.com</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</t:FolderIds>
<t:EventTypes>
<t:EventType>NewMailEvent</t:EventType>
</t:EventTypes>
</m:StreamingSubscriptionRequest>
</m:Subscribe>
</soap:Body>
</soap:Envelope>
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
X-CalculatedFETarget: VI1P194CU002.internal.outlook.com
X-BackEndHttpStatus: 200,200
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Set-Cookie: exchangecookie=5bf5f04d41dd4205b2fd96f211c5b2b4; expires=Thu, 17-Jun-2021 14:06:18 GMT; path=/; secure; HttpOnly
Set-Cookie: X-BackEndOverrideCookie=VE1PR03MB5854.eurprd03.prod.outlook.com~1943309328; path=/; secure; HttpOnly
Server: Microsoft-IIS/10.0
X-FEProxyInfo: VI1P194CA0032.EURP194.PROD.OUTLOOK.COM
X-CalculatedBETarget: VE1PR03MB5854.eurprd03.prod.outlook.com
X-RUM-Validated: 1
x-ms-appId: f456225c-aef6-41fc-bbd5-8a5c9c9287d6
X-FromBackend-ServerAffinity: True
x-EwsHandler: Subscribe
X-AspNet-Version: 4.0.30319
X-BeSku: WCS5
X-DiagInfo: VE1PR03MB5854
X-BEServer: VE1PR03MB5854
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 200
X-FEServer: VI1P194CA0032,LO2P265CA0158
X-Powered-By: ASP.NET
Date: Wed, 17 Jun 2020 14:06:18 GMT
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<h:ServerVersionInfo MajorVersion="15" MinorVersion="20" MajorBuildNumber="3088" MinorBuildNumber="29" Version="V2018_01_08" xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
</s:Header>
<s:Body>
<m:SubscribeResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<m:ResponseMessages>
<m:SubscribeResponseMessage ResponseClass="Success">
<m:ResponseCode>NoError</m:ResponseCode>
<m:SubscriptionId>JwB2ZTFwcjAzbWI1ODU0LmV1cnByZDAzLnByb2Qub3V0bG9vay5jb20QAAAADJevxSPm2ESq94+CIcSMEp28L5vHEtgIEAAAAONzlukW2B5KmN/hjFV/so0=</m:SubscriptionId>
</m:SubscribeResponseMessage>
</m:ResponseMessages>
</m:SubscribeResponse>
</s:Body>
</s:Envelope>
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: MyApp/2.2.0.20149 (ExchangeServicesClient/2.2.1.0)
Accept-Encoding: gzip,deflate
X-AnchorMailbox: user1#xyz.onmicrosoft.com
X-PreferServerAffinity: true
Cookie: X-BackEndOverrideCookie=VE1PR03MB5854.eurprd03.prod.outlook.com~1943309328
Authorization: Bearer ey..
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
<t:ExchangeImpersonation>
<t:ConnectingSID>
<t:SmtpAddress>user2#xyz.onmicrosoft.com</t:SmtpAddress>
</t:ConnectingSID>
</t:ExchangeImpersonation>
</soap:Header>
<soap:Body>
<m:Subscribe>
<m:StreamingSubscriptionRequest>
<t:FolderIds>
<t:DistinguishedFolderId Id="inbox">
<t:Mailbox>
<t:EmailAddress>user2#xyz.onmicrosoft.com</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</t:FolderIds>
<t:EventTypes>
<t:EventType>NewMailEvent</t:EventType>
</t:EventTypes>
</m:StreamingSubscriptionRequest>
</m:Subscribe>
</soap:Body>
</soap:Envelope>
HTTP/1.1 500 Internal Server Error
X-CalculatedFETarget: VI1P194CU002.internal.outlook.com
X-BackEndHttpStatus: 500,500
X-FEProxyInfo: VI1P194CA0034.EURP194.PROD.OUTLOOK.COM
X-CalculatedBETarget: VE1PR03MB5854.eurprd03.prod.outlook.com
X-RUM-Validated: 1
x-ms-appId: f456225c-aef6-41fc-bbd5-8a5c9c9287d6
X-BeSku: WCS5
X-DiagInfo: VE1PR03MB5854
X-BEServer: VE1PR03MB5854
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 500
X-FEServer: VI1P194CA0034,LO2P265CA0158
Content-Length: 839
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Wed, 17 Jun 2020 14:06:18 GMT
Set-Cookie: exchangecookie=39b2d19d8e9740128573cb1af6358c33; expires=Thu, 17-Jun-2021 14:06:18 GMT; path=/; secure; HttpOnly
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">*</Action>
</s:Header>
<s:Body>
<s:Fault>
<faultcode xmlns:a="http://schemas.microsoft.com/exchange/services/2006/types">a:ErrorInvalidRequest</faultcode>
<faultstring xml:lang="en-US">Request failed because EWS could not contact the appropriate CAS server for this request.</faultstring>
<detail>
<e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorInvalidRequest</e:ResponseCode>
<e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">Request failed because EWS could not contact the appropriate CAS server for this request.</e:Message>
</detail>
</s:Fault>
</s:Body>
</s:Envelope>
After further investigation, I have resolved this by simply using the same ExchangeService object for each subscription in the group (I had been creating a new ExchangeService for each subscription). The grouping now works with both OAuth and basic authentication. The article on maintaining affinity does say "Create and use one ExchangeService object for the rest of the procedure", and I should have taken that more literally!
Before creating each subscription, including the first, one does of course need to set ExchangeService.ImpersonatedUserId to the SMTP address of the relevant mailbox user, and after creating the first subscription, add an assignment of the X-BackendOverrideCookie cookie value from the first subscription response to the HttpHeaders.
I hope this is useful for anyone else who is working with streaming subscriptions.
To pass X-BackEndOverrideCookie to subsequent requests, either:
Use the same ExchangeService for each subscription in the same grouping. This handles X-BackEndOverrideCookie automatically.
Use a fresh ExchangeService, but manually copy X-BackEndOverrideCookie via ExchangeService's CookieContainer property.
I recommend the second approach for thread-safety. If your application is a long-running service, you will likely need a retry loop to deal with failed subscriptions.
To transfer X-BackEndOverrideCookie manually:
string backEndOverrideCookie =
service1.CookieContainer.GetCookies(service1.Url)["X-BackEndOverrideCookie"]?.Value;
...
if (!string.IsNullOrWhiteSpace(backEndOverrideCookie))
service2.CookieContainer.SetCookies(service2.Url, "X-BackEndOverrideCookie=" + backEndOverrideCookie);
Note: Assigning to Credentials resets the ExchangeService's CookieContainer, and for OAuth you will need to do this regularly. Fortunately there's a simple workaround:
var cookieContainer = service.CookieContainer;
service.Credentials = new OAuthCredentials(authenticationResult.AccessToken);
service.CookieContainer = cookieContainer;

Having problems with Azure AD, Angular 2 and preflight is invalid (redirect)

Right now I am not having a great time integrating Angular 2 and Azure AD.
Steps to reproduce error:
I have created an Angular 2 front end, Web API(suave.io) and it deployed Azure
I have setup Azure AD on the Web Site and Web API
Followed this article:
https://blogs.msdn.microsoft.com/premier_developer/2017/04/26/using-adal-with-angular2/
I get the bearer Azure AD token (great)
I then call the Web API and I am getting
XMLHttpRequest cannot load https://#### /groups/. Response for preflight is invalid (redirect)
This is related to this issue.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests
My Angular 2 code is this:
let headers = new Headers();
headers.append("Content-Type", "application/x-www-form-urlencoded");
headers.append("Authorization", 'Bearer ' + this.adalService.accessToken );
return this._http.get(this.API_BASE + `groups/`, { headers: headers})
.map((response: Response) => response.json())
This call removes the Authorization token and sends an Option call. I believe the request fails because there is no authentication header and AD rejects it before it gets to the Web API.
This is the request being now sent from chome:
OPTIONS /groups/ HTTP/1.1 Host: dev-api-integration-####.azurewebsites.net Connection: keep-alive Access-Control-Request-Method: GET Origin: http://localhost:4200/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Access-Control-Request-Headers: authorization Accept: */* Referer: http://localhost:4200/ Accept-Encoding: gzip, deflate, sdch, br Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
My web config has:
<httpProtocol>
<customHeaders>
<clear />
<add name="Access-Control-Allow-Origin" value="http://localhost:4200/*" />
<add name="Access-Control-Allow-Headers" value="Authorization, Content-Type" />
<add name="Access-Control-Allow-Credentials" value="true"/>
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
What can I do? This is a major issue for me at the moment. I guess more and more people will be using Angular 2 and AD integration in future. Any hints or ideas would be much appreciated.

Servicestack LinkedIn Oauth2 with Webauthenticator Not Returning to App

Hi Am having trouble with Servicestack authentication with Xamarin.auth component.
when try authenticate with ServiceStack with WebAuthencator , am getting authenticated but am not able to return to app as in case of Xamarin.Auth only.
[Route("/my-session")]
public class CustomUserSession : AuthUserSession ,IReturn<CustomUserSession>
{
public string GithubProfileUrl { get; set; }
public string TwitterProfileUrl { get; set; }
IRedisClientsManager RedisManager;
public override void OnAuthenticated(IServiceBase authService, IAuthSession session, IOAuthTokens tokens, Dictionary<string, string> authInfo)
{
base.OnAuthenticated(authService, session, tokens, authInfo);
var userAuthRepo = authService.ResolveService<IUserAuthRepository>();
var userAuth = userAuthRepo.GetUserAuth(session.UserAuthId);
}
}
here is the RAW request from JsonServiceClient
GET http://sample.com/api/my_info HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Authorization: DotNetOpenAuth.WebServerClient.XSRF-Session=GGcwh7UvAe3R5ivrrAv7MQ; ss-id=5byYKQ5TYwmYqK3EQ5Vi; ss-pid=82ZTomRsZmdRTTA6dkMF; X-UAId=1
Connection: keep-alive
Host: sample.com
RESPONSE :
HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/8.5
WWW-Authenticate: LinkedIn realm="https://www.linkedin.com/uas/oauth2/authorization"
X-Powered-By: ServiceStack/4.0 Win32NT/.NET
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 25 Nov 2016 19:59:37 GMT
Content-Length: 0
while the same call to /api/my_info in browser redirects to auth and gets the info.
Browser Request :
GET /api/my_info HTTP/1.1
Host: sample.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: ss-pid=pnxqAEU3ExIzrVZ8QdR/; ss-id=qCAkeAUDbQ+QRkZvIQgv; DotNetOpenAuth.WebServerClient.XSRF-Session=lFqnWxGQfdOZEF55MrLT_Q; X-UAId=1
Browser Respone:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ServiceStack Win32NT/.NET
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 22 Nov 2016 20:38:37 GMT
Content-Length: 9443
Connection: keep-alive
<!doctype html>
<html lang="en-us">
<head>
<title>Simple Snapshot of 11/22/2016</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
BODY, H1, H2, H3, H4, H5, H6, DL, DT, DD {
..............
Also JsonServiceClient gets ss-id but later calling authenticate service failing with 401.
There's an example project with docs showing how to authenticate ServiceStack with Xamarin.Auth available at:
github.com/ServiceStackApps/TechStacksAuth

configuring saml-sample (SP) to work with Okta (IdP)

Okta is an IdP for SAML logins. I have a super-admin user of Okta.
I try to use Spring's saml-sample project as my SP (service-provider). When I configure it (spring-saml-sample) in the Okta system, I need to supply some data on my SP, such as "post back URL", "recipient" and "audience restriction".
After sniffing in Okta's docs, I found this:
Audience Restriction – This is the entity id of the Service Provider. It will be provided by the SP and must match exactly. Consult the SP documentation to get this information.
Recipient –Enter the service provider’s assertion consumer service URL . Consult the SP documentation to get this information.
So I figured out that this URL should be:
http://srv101.watchdox.net/spring-security-saml2-sample/saml/SSO/alias/defaultAlias
Post Back URL – This is the SAML SP endpoint (i.e. where your users will log in)
Destination for the SAML response – This is the intended destination of the saml assertion. Unless specified by the SP, this will typically be identical to the post back URL. Consult the SP documentation to get this information.
The Problem:
My app (spring-saml-sample) has a "welcome" page, where the user chooses the IdP he wants to login with. So I choose "Okta" IdP, and then i am redirected to the Okta to log-in (perfect till here), but after login, instead of redirecting me back to my app (to the protected resource), I stay in the Okta system and see their framework. I do see my app there. When I click on it, I get to my first page, to choose the IdP.
I believe the problem is with my URLs, or with the SAML response...
Anyonw has an idea?
Pasted here the Request and response, if might be helpfull.
I pasted here the SAML requests and responses, in case it might be helpfull. Note that the Status Code in the response is "Success"!
What can be wrong? what am I missing?
Request:
POST https://watchdox.okta.com/app/template_saml_2_0/k3gvyf0mGFVVCVQBYTTA/sso/saml HTTP/1.1
Host: watchdox.okta.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://srv101.watchdox.net/spring-security-saml2-sample/saml/login/alias/defaultAlias?idp=http%3A%2F%2Fwww.okta.com%2Fk3gvyf0mGFVVCVQBYTTA
Content-Type: application/x-www-form-urlencoded
Content-Length: 3906
HTTP/?.? 200 OK
Server: nginx/1.2.6
Date: Thu, 18 Apr 2013 08:49:39 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="HONK"
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
t=default; Path=/
X-Okta-backend: webapp09e.prod.saasure.com
Cache-Control: no-cache, public
Pragma: no-cache
Expires: 0
Content-Language: en-US
Content-Encoding: gzip
SAML request:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://srv101.watchdox.net:443/spring-security-saml2-sample/saml/SSO/alias/defaultAlias"
Destination="https://watchdox.okta.com/app/template_saml_2_0/k3gvyf0mGFVVCVQBYTTA/sso/saml"
ForceAuthn="false"
ID="a32a5d9jfge33c9b46gdaddid8gd41b"
IsPassive="false"
IssueInstant="2013-04-18T08:49:38.141Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">com.watchdox.ohad</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#a32a5d9jfge33c9b46gdaddid8gd41b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>blwZT1B5451jbzeB9m0ogyGQuFY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>RZeXySsMfy+iBglUngrCHg2XoaA4WzAkLrB/zhjRfqFQS45avePlF8f19N+MHoFSirI08R08lXNJqdT/+0tKEujwsluCzFMnOCVPhtZIs7DblxqD+nR0XmF9+fKt91z/KQRtGLQtO/bsl3X3dmkUULGUWBxi8ga9jyTnkGwMFjE8J/Ba0P9eZjLV9YV/Piui/3B1XbhezVIIAvPNOpwQzK1kSA19bwlSejCjsf1Xe9kLXoCdf56ykjGDSdj2HpEVKQcjbu2nfPTFAXRTehx6h5qiKVl5R1DdDtFfq9EOXpZgy5pcu4bHqDhNAMwhZCu57fIIRR5IWuC6YUAXTDFXbg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
Okta response:
POST http://srv101.watchdox.net/spring-security-saml2-sample/ HTTP/1.1
Host: srv101.watchdox.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 7863
HTTP/?.? 302 Found
Date: Thu, 18 Apr 2013 08:51:57 GMT
Server: Apache
Location: https://srv101.watchdox.net/spring-security-saml2-sample/
Content-Length: 241
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
SAML Response:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://srv101.watchdox.net/spring-security-saml2-sample/"
ID="id141234960903909491594058959"
InResponseTo="a32a5d9jfge33c9b46gdaddid8gd41b"
IssueInstant="2013-04-18T08:51:49.819Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>http://www.okta.com/k3gvyf0mGFVVCVQBYTTA</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id141234960903909491594058959">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>nCrBE9jowt9QAOk5ipw1SFnb248=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>lwSHBmy4Hqt3XjbnPni6PePFFCn9hUJb7K4jh3xAyUum+y59TUYftphi00lFhnFZXsV5Tj75zLru3JX1jt7bdT73wsYS6ccNcyOvZpJvNiqbBeUmydK45DBrzIVxDA9CWS94+PTH4rrWT5+OEWURBxwhv9BiKiFrLb60YIp6Q3o=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICmzCCAgSgAwIBAgIGAT1+4eJ9MA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxETAPBgNVBAMMCHdhdGNoZG94MRwwGgYJKoZIhvcNAQkBFg1p
bmZvQG9rdGEuY29tMB4XDTEzMDMxODE5MDE0NVoXDTQzMDMxODE5MDI0NVowgZAxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK
DARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjERMA8GA1UEAwwId2F0Y2hkb3gxHDAaBgkqhkiG
9w0BCQEWDWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL/raSnE0EXQ
mPgkSwyv8HIDPpmvU6prdySiWJSB3YztIC29VuneZbT0dFAOjAy6e/3NN7HjvBQU83YjhgBA43+U
f/7kwC2V8e5qi92J/pTrAWPB/UmTbCEVoCkR4BxSXr4bJ3dhk6eIPDGgOiuWjNCMTXoYX+aS1tsA
JDx0bXf5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAfiBOI+/mpP52Qsg6Ea1jVN/mGm4snvKl6Nlh
5sYGhGw5zXBVDU4pI9ulm/8QZsCAlYZXltZ+eif7CRzy2VZvDVMGH3g69AD2xHveYr8UNYSjnLyB
ZPpVJVOysH7UgtBqNcHm0l00g4uUV2d52WcDiz85q/KjTBB9OjRdGVhkcow=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id14123496090473949894445897"
IssueInstant="2013-04-18T08:51:49.819Z"
Version="2.0"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/k3gvyf0mGFVVCVQBYTTA</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id14123496090473949894445897">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>D/wZzyBDL0RXwrf7d44mvuysYz0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>DCrm/mkLiVsD8dAc4puY/L3GR1bxtDBn6+sTifLgxDGokFbS4PShjA3Ak6mTW1dM48TwXi1oB9Pz++iOP4w6ZVeBj9bWIPJaCATjWn26xBlt3GHaPjiOpUdvG5YwwqCMUlQ1+M0RhJDlkChfZbjPIKXibcP8TBIsj2sekr5sQSI=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICmzCCAgSgAwIBAgIGAT1+4eJ9MA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxETAPBgNVBAMMCHdhdGNoZG94MRwwGgYJKoZIhvcNAQkBFg1p
bmZvQG9rdGEuY29tMB4XDTEzMDMxODE5MDE0NVoXDTQzMDMxODE5MDI0NVowgZAxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK
DARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjERMA8GA1UEAwwId2F0Y2hkb3gxHDAaBgkqhkiG
9w0BCQEWDWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL/raSnE0EXQ
mPgkSwyv8HIDPpmvU6prdySiWJSB3YztIC29VuneZbT0dFAOjAy6e/3NN7HjvBQU83YjhgBA43+U
f/7kwC2V8e5qi92J/pTrAWPB/UmTbCEVoCkR4BxSXr4bJ3dhk6eIPDGgOiuWjNCMTXoYX+aS1tsA
JDx0bXf5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAfiBOI+/mpP52Qsg6Ea1jVN/mGm4snvKl6Nlh
5sYGhGw5zXBVDU4pI9ulm/8QZsCAlYZXltZ+eif7CRzy2VZvDVMGH3g69AD2xHveYr8UNYSjnLyB
ZPpVJVOysH7UgtBqNcHm0l00g4uUV2d52WcDiz85q/KjTBB9OjRdGVhkcow=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">OhadR#watchdox.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="a32a5d9jfge33c9b46gdaddid8gd41b"
NotOnOrAfter="2013-04-18T08:56:49.819Z"
Recipient="http://srv101.watchdox.net/spring-security-saml2-sample/saml/SSO/alias/defaultAlias"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2013-04-18T08:46:49.819Z"
NotOnOrAfter="2013-04-18T08:56:49.819Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>com.watchdox.ohad</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2013-04-18T08:51:49.819Z"
SessionIndex="a32a5d9jfge33c9b46gdaddid8gd41b"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Thanks for any answer!
If it might be helpful to someone in the future - I got it working now !!
I set all 3 URLs to the same one (as you suggested a week ago):
https://srv101.watchdox.net:443/spring-security-saml2-sample/saml/SSO/alias/defaultAlias
so what is the difference, and why is it working now? because till now the URL I entered was http and not https (and without the 443):
http://srv101.watchdox.net/spring-security-saml2-sample/saml/SSO/alias/defaultAlias

With Rails, How can I expire the Browser's cache?

I have an issue with my Rails application and the browser's cache: When a user logs out of the authenticated section of the site, they are still able to use the back button on the browser to see the authenticated page. I do not want to allow this.
How can I expire the cache and force it to reload.
Thank you
The following headers should do that. Whatever page you're trying protect, add them there.
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: "now"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Obviously, the now needs to be dynamic.
Just to be safe, you might also want to specify
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
in your pages.

Resources