问题
in my situation i have four way to solve my problem:
- write meta config in my
index.htmland disable caching (doesn't work for me) - change
index.htmltoindex.jspand disable caching like here (work for me but my client Group need index.html) - using a filter in
web.xmland distinguish the desired request and disable caching - Spring Security
my question is how can i use Spring Security to disable caching for index.html
(maybe using intercept-url in http tag)
回答1:
You can selectively add no cache headers to just index.html using Spring Security xml configuartion like this:
<security:http>
[intercept-url, etc omitted...]
<security:headers>
<!-- selectively applied to dynamic pages only via pattern matching, -->
<security:header ref="noCacheHeaders"/>
</security:headers>
</security:http>
<bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/index.html"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
</constructor-arg>
</bean>
However, the usual pattern if using Spring Security is to set no cache by default to all pages, and then selectively turn those headers off for static resources that
- don't contain sensitive data
- aren't dynamic
To accomplish this feat, you have to explicitly define all headers you wish to apply in both cases, and select the pages via complementary request matcher patterns. For example, in an app where static, cacheable resources are found under /static and its subdirectories, and all dynamic pages mapped to controllers have the .htm extension, you can use this configuration:
<security:http>
[...]
<security:headers>
<!-- selectively applied to static pages only via pattern matching, see DelegatingRequestMatcherHeaderWriter below-->
<security:header ref="cacheStaticsHeaders" />
<!-- selectively applied to dynamic pages only via pattern matching, as above, see below -->
<security:header ref="xXssProtectionHeader" />
<security:header ref="noCacheHeaders"/>
<security:header ref="xContentHeader"/>
<security:header ref="hstsHeader"/>
<security:header ref="xFrameHeader"/>
</security:headers>
</security:http>
<!-- set far future caching on static resources -->
<bean id="cacheStaticsHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/static/**"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.StaticHeadersWriter">
<constructor-arg name="headers">
<list>
<bean class="org.springframework.security.web.header.Header">
<constructor-arg name="headerName" value="cache-control"></constructor-arg>
<constructor-arg name="headerValues" value="max-age=31536000"/>
</bean>
<bean class="org.springframework.security.web.header.Header">
<constructor-arg name="headerName" value="Expires"></constructor-arg>
<constructor-arg name="headerValues" value="31536000"/>
</bean>
</list>
</constructor-arg>
</bean>
</constructor-arg>
</bean>
<!-- all the following header writers applied to dynamic, shouldn't be cached pages -->
<bean id="xXssProtectionHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/**/*.htm"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.XXssProtectionHeaderWriter"/>
</constructor-arg>
</bean>
<bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/**/*.htm"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
</constructor-arg>
</bean>
<bean id="xContentHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/**/*.htm"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter"/>
</constructor-arg>
</bean>
<bean id="hstsHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/**/*.htm"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.HstsHeaderWriter"/>
</constructor-arg>
</bean>
<bean id="xFrameHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg value="/**/*.htm"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/>
</constructor-arg>
</bean>
来源:https://stackoverflow.com/questions/29530575/disable-caching-for-specific-url-in-spring-security