In my previous employment I was experiencing a well known problem of being unable to prevent the user from being able to navigate the site using the back button after loggin
Are you rendering the views (JSPs) directly?
If so, add the no-cache directives directly to the JSPs:
    <% response.setHeader("Cache-Control", "no-cache"); %>
...
Another (preferred) option is to prevent direct access to the JSPs and render them through a controller:
    @RequestMapping(value = "/login", method = GET)
    public String renderLoginPage() {
        return "login";
    }
with this to resolve the view by name (string returned from the controller method):
with /WEB-INF/views/login.jsp as the view.
Using the latter approach allows you to use the WebContentInterceptor approach for preventing caching nicely.
Also make sure all requests hit the Spring security filter chain.
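The controller-plus-interceptor setup described in the answer above could be wired as follows. This is an added example, not code from the original post; it assumes Spring 5 or later Java configuration, and the class name `WebConfig` and the `/static/**` exclusion are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.CacheControl;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.mvc.WebContentInterceptor;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

// Hypothetical configuration class (name is an assumption).
@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

    // Maps the view name returned by a controller ("login") to
    // /WEB-INF/views/login.jsp. The container refuses direct requests
    // for anything under /WEB-INF, so JSPs are reachable only through
    // a controller and therefore always pass through the interceptor.
    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/views/");
        resolver.setSuffix(".jsp");
        return resolver;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        WebContentInterceptor noStore = new WebContentInterceptor();
        // Sends "Cache-Control: no-store" on every handled request, so the
        // browser is told not to keep a copy of authenticated pages that
        // the back button could redisplay after logout.
        noStore.setCacheControl(CacheControl.noStore());

        registry.addInterceptor(noStore)
                .addPathPatterns("/**")
                // Assumed location of static assets; these stay cacheable.
                .excludePathPatterns("/static/**");
    }
}
```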