Spring Security注销后退按钮
|
Spring Security是否有办法防止出现最后一个问题?我正在使用3.0.5
用户登录我的网站
-用户转到网站上的任何页面,然后单击注销
-登出链接使用户会话无效,并将其发送到我网站的登录页面
-在同一浏览器中,用户导航到新网站(例如cnn.com)
-用户单击“后退”按钮,他们进入我的登录页面
-用户再次单击“后退”按钮,它们最终出现在应用程序中可能包含我们不希望存在的数据的页面上。如果他们单击页面上的任何链接,则立即将其发送到登录页面,但是他们可以从浏览器缓存中查看缓存的页面……以任何不让他们查看此内容的方式?
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<beans:beans
xmlns=\"http://www.springframework.org/schema/security\"
xmlns:beans=\"http://www.springframework.org/schema/beans\"
xmlns:util=\"http://www.springframework.org/schema/util\"
xmlns:context=\"http://www.springframework.org/schema/context\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:schemaLocation=\"http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd\">
<context:annotation-config />
<context:component-scan base-package=\"dc\" />
<global-method-security />
<http access-denied-page=\"/auth/denied.html\">
<intercept-url filters=\"none\" pattern=\"/javax.faces.resource/**\" />
<intercept-url filters=\"none\" pattern=\"/services/rest-api/1.0/**\" />
<intercept-url filters=\"none\" pattern=\"/preregistered/*\"/>
<intercept-url
pattern=\"/**/*.xhtml\"
access=\"ROLE_NONE_GETS_ACCESS\" />
<intercept-url
pattern=\"/auth/*\"
access=\"ROLE_ANONYMOUS,ROLE_USER\"/>
<intercept-url
pattern=\"/preregistered/*\"
access=\"ROLE_ANONYMOUS,ROLE_USER\"/>
<intercept-url
pattern=\"/registered/*\"
access=\"ROLE_USER\"
requires-channel=\"http\"/>
<form-login
login-processing-url=\"/j_spring_security_check.html\"
login-page=\"/auth/login.html\"
default-target-url=\"/registered/home.html\"
authentication-failure-url=\"/auth/login.html\" />
<logout invalidate-session=\"true\"
logout-url=\"/auth/logout.html\"
success-handler-ref=\"DCLogoutSuccessHandler\"/>
<anonymous username=\"guest\" granted-authority=\"ROLE_ANONYMOUS\"/>
<custom-filter after=\"FORM_LOGIN_FILTER\" ref=\"xmlAuthenticationFilter\" />
<session-management session-fixation-protection=\"none\"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager alias=\"am\">
<authentication-provider user-service-ref=\"userManager\">
<password-encoder ref=\"passwordEncoder\" />
</authentication-provider>
<authentication-provider ref=\"xmlAuthenticationProvider\" />
</authentication-manager>
</beans:beans>
没有找到相关结果
已邀请:
5 个回复
铰齐插
package com.dc.api.service.impl; import javax.servlet.*; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Date; public class CacheControlFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletResponse resp = (HttpServletResponse) response; resp.setHeader(\"Expires\", \"Tue, 03 Jul 2001 06:00:00 GMT\"); resp.setHeader(\"Last-Modified\", new Date().toString()); resp.setHeader(\"Cache-Control\", \"no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0\"); resp.setHeader(\"Pragma\", \"no-cache\"); chain.doFilter(request, response); } @Override public void destroy() {} @Override public void init(FilterConfig arg0) throws ServletException {} }痴浪墨
<security:http auto-config=\"true\" use-expressions=\"true\"> <security:headers > <security:cache-control /> <security:hsts/> </security:headers>很缴
<bean class=\"org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter\"> <property name=\"cacheSeconds\" value=\"0\" /> </bean><bean class=\"org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter\"> <property name=\"cacheSeconds\" value=\"0\" /> </bean>徘廷
这样用户将无法访问其他应用页面 注销后使用浏览器的后退和前进按钮。耐扫鹤胶鞭
,请确保不再需要部分。它(看起来像)添加了HTTP基本身份验证,该身份验证无法处理协议注销!这样一来,您可以获取注销URL,但是单击后退按钮只会使您返回,因为您实际上并未注销。