According to RFC 2616 Sec 14.8 a cache should not cache responses to requests with an 'Authorization' Header unless specific rules apply.

This is not the case with RESTeasy. It can be verified by issuing a GET on a resource /foo and then issuing the same GET on /foo with 'Authorization':'bar' as the header. The second response MUST be processed by the origin server and ignored by the cache.

The same should happen when 'Cache-Control' is set to 'No-Cache'.