Do any standards for interaction between HTTP cache and request authorization exist?
Let's imagine the case: different URLs of a site are protected by a role-based authorization system. How do you combine caching of content with authorization of requests? Is there any RFC-asserted approach?
FoS describes the approach where the Proxy Cache sends HEAD requests to the called GET URLs to check accessibility. It seems like an approach that doesn't conflict with the HTTP RFCs. RFC 7231 describes the purpose of HEAD:
This method can be used for obtaining metadata about the selected representation without transferring the representation data and is often used for testing hypertext links for validity, accessibility, and recent modification.
It seems quite effective, but the description is incomplete. According to the RFC, the server should send
Cache-Control: no-cache to prevent caching by other caches in the chain. That architecture looks coupled: it is non-RFC behavior and so it has to be configured manually. On the other hand, it seems the problem could be solved with the
Cache-Control: no-cache directive and Conditional Requests (RFC 7232). This approach is not as effective as the previous one: preconditions have to be validated every time. The main advantage is that it should work out of the box with current proxy engines. I didn't find significant contradictions with the RFC, but IMO Conditional Requests are not designed for request authorization. Some hacks could be applied as well. Does HTTP define mechanics for such cases? Or at least widespread practices?
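The second approach from the question (Cache-Control: no-cache plus conditional requests), modelled as an added example that is not part of the original post: a hypothetical origin handler that checks the caller's role before honouring If-None-Match, and a minimal shared-cache simulation that must revalidate every reuse. The role map, paths and bodies are constructed sample data; the caller's role is assumed to arrive already authenticated (e.g. from a session).

```python
import hashlib

# Constructed sample data: path -> (required role, body); None = public
RESOURCES = {
    "/reports/q1": ("analyst", b"Q1 revenue: 1.2M"),
    "/public/faq": (None, b"FAQ text"),
}
ROLE_RANK = {None: 0, "viewer": 1, "analyst": 2, "admin": 3}


def etag_for(body: bytes) -> str:
    # Strong validator derived from the representation (RFC 7232)
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def origin(method, path, headers, role):
    """Return (status, headers, body). Authorization runs BEFORE the
    conditional-request shortcut, so a 304 never reaches an unauthorized caller."""
    if path not in RESOURCES:
        return 404, {}, b""
    required, body = RESOURCES[path]
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        # A denial must never be stored or reused by any cache
        return 403, {"Cache-Control": "no-store"}, b""
    etag = etag_for(body)
    # no-cache: a shared cache may store this, but must revalidate each reuse
    resp_headers = {"ETag": etag, "Cache-Control": "no-cache"}
    if headers.get("If-None-Match") == etag:
        return 304, resp_headers, b""
    if method == "HEAD":
        return 200, resp_headers, b""
    return 200, resp_headers, body


class SharedCache:
    """Minimal proxy cache: because of no-cache it sends a conditional GET with the
    current client's role on every hit and only serves the stored body on 304."""

    def __init__(self):
        self.store = {}  # path -> (status, headers, body)

    def get(self, path, role):
        cached = self.store.get(path)
        req_headers = {"If-None-Match": cached[1]["ETag"]} if cached else {}
        status, h, body = origin("GET", path, req_headers, role)
        if status == 304:
            return 200, cached[2]  # origin re-authorized this caller; reuse body
        if status == 200:
            self.store[path] = (status, h, body)
        return status, body
```

The cost the question points out is visible here: every reuse still costs one round trip to the origin, but no stored body is ever handed to a role the origin would reject.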