Problem description

Does Spring Security have any way to prevent the last problem below? I am using 3.0.5.

- User logs in to my website
- User goes to any page on the site, then clicks logout
- The logout link invalidates the user's session and sends them to my site's login page
- In the same browser, the user navigates to a new website (for example cnn.com)
- The user clicks the "Back" button and lands on my login page
- The user clicks "Back" again and ends up on a page in the application that may contain data we do not want to be there. If they click any link on the page they are immediately sent to the login page, but they can view the cached page from the browser cache... Is there any way to keep them from viewing this content?
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans
        xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:util="http://www.springframework.org/schema/util"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/util
            http://www.springframework.org/schema/util/spring-util-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-3.0.xsd">

        <context:annotation-config />
        <context:component-scan base-package="dc" />

        <global-method-security />

        <http access-denied-page="/auth/denied.html">
            <intercept-url filters="none" pattern="/javax.faces.resource/**" />
            <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
            <intercept-url filters="none" pattern="/preregistered/*" />
            <intercept-url
                pattern="/**/*.xhtml"
                access="ROLE_NONE_GETS_ACCESS" />
            <intercept-url
                pattern="/auth/*"
                access="ROLE_ANONYMOUS,ROLE_USER" />
            <intercept-url
                pattern="/preregistered/*"
                access="ROLE_ANONYMOUS,ROLE_USER" />
            <intercept-url
                pattern="/registered/*"
                access="ROLE_USER"
                requires-channel="http" />
            <form-login
                login-processing-url="/j_spring_security_check.html"
                login-page="/auth/login.html"
                default-target-url="/registered/home.html"
                authentication-failure-url="/auth/login.html" />
            <logout invalidate-session="true"
                logout-url="/auth/logout.html"
                success-handler-ref="DClogoutSuccessHandler" />
            <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
            <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
            <session-management session-fixation-protection="none" />
        </http>

        <!-- Configure the authentication provider -->
        <authentication-manager alias="am">
            <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
            <authentication-provider ref="xmlAuthenticationProvider" />
        </authentication-manager>
    </beans:beans>
Solution

The following filter took care of my case:
    package com.dc.api.service.impl;

    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class CacheControlFilter implements Filter {

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse resp = (HttpServletResponse) response;
            // A date in the past: the response is already expired when it arrives
            resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
            // Last-Modified must be an RFC 1123 HTTP-date; setDateHeader formats it,
            // Date.toString() does not
            resp.setDateHeader("Last-Modified", System.currentTimeMillis());
            // no-store is what stops the browser from showing the page from history after logout;
            // the remaining directives cover older browsers and intermediate caches
            resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
            resp.setHeader("Pragma", "no-cache");
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {}

        @Override
        public void init(FilterConfig arg0) throws ServletException {}
    }
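Whichever of the mechanisms on this page you use (the filter, the Spring Security headers element, or cacheSeconds), what matters is the header set that actually reaches the browser. The following is an added example and is not code from the question or from any of the answers: a small Python audit that parses a response's headers and reports whether a browser could still show the page from its history after logout. The sample responses are constructed inline, not captured from a real server. The rule it applies is that Cache-Control must carry no-store and nothing may keep the response fresh (a positive max-age or a future Expires); Pragma: no-cache and an unparsable Expires are reported only as notes, because Pragma matters to HTTP/1.0 caches rather than to the browser's history and caches treat an unparsable Expires as already expired.

```python
"""Audit HTTP response headers for the logout / back-button caching problem.

Added example; not code from the question or its answers. The sample
responses below are constructed, not captured from a real server.
"""
from __future__ import annotations

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive, so they are lowered. A bare
    directive such as 'no-store' maps to None; 'max-age=0' maps to '0'.
    """
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def is_history_cache_safe(headers: dict[str, str]) -> tuple[bool, list[str]]:
    """Decide whether a response may be shown again from browser history.

    Returns (safe, findings). The response is safe only when Cache-Control
    carries no-store and nothing keeps it fresh (a positive max-age or a
    future Expires). Pragma and an unparsable Expires are reported as
    notes; they do not make the response unsafe on their own.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    problems: list[str] = []
    notes: list[str] = []

    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" not in cc:
        if "no-cache" in cc:
            problems.append("Cache-Control has no-cache but not no-store; history navigation may still show the page")
        else:
            problems.append("Cache-Control lacks no-store")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        problems.append(f"max-age={max_age} keeps the response fresh")

    expires = lowered.get("expires")
    if expires:
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:  # '-0000' dates come back naive; treat as UTC
                when = when.replace(tzinfo=timezone.utc)
            if when > datetime.now(timezone.utc):
                problems.append(f"Expires is in the future: {expires}")
        except (TypeError, ValueError):
            # Caches treat an unparsable Expires as already expired, so only a note.
            notes.append(f"Expires is not an HTTP-date: {expires!r}")

    if lowered.get("pragma", "").strip().lower() != "no-cache":
        notes.append("Pragma: no-cache missing (only HTTP/1.0 caches care)")

    return not problems, problems + notes


# Constructed sample responses: the first is what the CacheControlFilter above
# emits, the second is a servlet container's default, the third is a half measure.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "filtered_page": {
        "Content-Type": "text/html",
        "Cache-Control": "no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0",
        "Pragma": "no-cache",
        "Expires": "Tue, 03 Jul 2001 06:00:00 GMT",
    },
    "default_page": {
        "Content-Type": "text/html",
    },
    "half_hearted": {
        "Content-Type": "text/html",
        "Cache-Control": "no-cache, max-age=3600",
    },
}


def audit(responses: dict[str, dict[str, str]]) -> dict[str, tuple[bool, list[str]]]:
    """Run the check over a set of named responses."""
    return {name: is_history_cache_safe(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (safe, findings) in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {'OK' if safe else 'UNSAFE'} {findings}")
```

To use it against a real deployment, replace the constructed dictionaries with the headers of a protected page fetched after logout (for example from your browser's network panel or a curl -I capture) and check that every authenticated page, not only the login page, comes back as OK.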
To fix this problem you have to add the following to your security XML configuration file:

    <security:http auto-config="true" use-expressions="true">
        <security:headers>
            <security:cache-control />
            <security:hsts />
        </security:headers>
    </security:http>
In Spring 3.0.x:

    <bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
        <property name="cacheSeconds" value="0" />
    </bean>

In Spring 2.5.x:

    <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
        <property name="cacheSeconds" value="0" />
    </bean>
Yes, I used spring-security 3.2.9.RELEASE and, as in the post above, just put the following in one of the Spring configuration files (for example the applicationContext.xml file):

    <security:http
        auto-config="true" use-expressions="true">
        <security:headers />
    </security:http>

This way users cannot reach other application pages with the browser's back and forward buttons after logging out.
If you, like me, still cannot get it to work after using c12's cache filter and you are using <security:http auto-config="true">, make sure you no longer need the auto-config="true" part. It (seems to) add HTTP Basic authentication, which cannot handle the logout protocol! That way you get the logout URL, but clicking the back button simply takes you back, because you never actually logged out.