We have a Spring MVC application with Spring Security around it. In the MVC config we add resourceHandlers for static files together with cache periods. And Spring Security applies the default header configuration.
This has been working fine with Spring versions 4.2.1, 4.2.2, 4.2.3 and 4.2.4 combined with either Spring Security 4.0.2 or 4.0.4. The response contained the correct
header (and no Pragma header).
But after upgrading Spring to 4.2.5 it doesn't work anymore. Now the response contains:
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
I also tried 4.2.6 and 4.3.0 BUILD-SNAPSHOTs, but the result was the same as with 4.2.5. There are a couple of issues related to Cache in 4.2.5 release notes, like
SPR-13817 and SPR-13867, but I'm not sure if these are directly related.