Spring Security Logout Back Button

说谎 2021-01-03 06:33

Does spring security have a way to prevent the last point below? I'm using 3.0.5

- user logs into my website
- user goes to any page in website and clicks log out
- l

5 answers
  • 2021-01-03 07:13

    In spring 3.0.x

    <bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
        <property name="cacheSeconds" value="0" />
    </bean>
    

    In spring 2.5.x

    <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
        <property name="cacheSeconds" value="0" />
    </bean>
    
  • 2021-01-03 07:21

    To solve this problem you must add in your security xml config file:

    <security:http auto-config="true" use-expressions="true">
    
        <security:headers >
            <security:cache-control />
            <security:hsts/>
        </security:headers>
    
    </security:http>
    
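The same fix expressed in Spring Security's Java configuration, as an added example that is not part of the answer above and not code from the Spring project. It assumes Spring Security 3.2 to 5.x (where WebSecurityConfigurerAdapter still exists); the /login and /logout paths are placeholders.

```java
// Added example (not from the original page): Spring Security Java config that
// applies both halves of the fix the answers describe: cache headers on every
// response, plus a logout that really ends the session.
// Assumptions: Spring Security 3.2 to 5.x with WebSecurityConfigurerAdapter;
// /login and /logout are placeholder paths.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Writes, on every response that passes through the security chain:
        //   Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        //   Pragma: no-cache
        //   Expires: 0
        // A no-store response is not kept, so Back has to refetch the page; the
        // refetch arrives without a session and is redirected to the login page.
        // Cache control is one of the header defaults; it is named explicitly
        // here so the intent is visible in the config.
        http.headers().cacheControl();

        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated();

        // Form login rather than the HTTP Basic that auto-config adds: the browser
        // caches Basic credentials and re-sends them on every request, so a logout
        // URL cannot end that kind of "session".
        http.formLogin()
            .loginPage("/login")
            .permitAll();

        http.logout()
            .logoutUrl("/logout")
            .invalidateHttpSession(true)      // drop the server-side session
            .deleteCookies("JSESSIONID")      // and the cookie that named it
            .logoutSuccessUrl("/login?logout");
    }
}
```

Two caveats when using this. The cache headers only change what the browser is allowed to redisplay; the logout block is what actually ends the session, and without it a cached page is the least of the problems. And with CSRF protection enabled, which is the default in Java config, /logout must be requested with POST; a plain GET link to it is ignored.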
  • 2021-01-03 07:22

    If you, like me, didn't get it working after using c12's caching filter, and you are using <security:http auto-config="true">, make sure you don't need the auto-config="true" part anymore. It (looks like it) adds HTTP Basic authentication, which does not handle logging out by protocol! This results in a situation where you can GET your logout URL, but hitting the back button will just bring you back since you're not really logged out.

  • 2021-01-03 07:22

    Yes, I used spring-security 3.2.9.RELEASE and simply gave <security:headers /> in one of the Spring config files, like the applicationContext.xml file, as in the above posts:

    <security:http 
       auto-config="true" use-expressions="true">
       <security:headers />      
    </security:http>
    

    so that the user won't be able to go back to other previously visited app pages using the browser back and forward buttons after logout.

  • 2021-01-03 07:37

    The below filter took care of my situation:

    package com.dc.api.service.impl;
    
    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;
    
    /**
     * Marks every response as non-storable so the browser cannot redisplay an
     * authenticated page from its cache when the user presses Back after logout.
     */
    public class CacheControlFilter implements Filter {
    
        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
    
            HttpServletResponse resp = (HttpServletResponse) response;
            // A date in the past: the response is already stale when it arrives.
            resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
            // setDateHeader emits an RFC 1123 HTTP-date; Date.toString() does not
            // produce a valid header value.
            resp.setDateHeader("Last-Modified", System.currentTimeMillis());
            // no-store forbids storing the response at all; no-cache and
            // must-revalidate force revalidation; post-check/pre-check are legacy
            // IE-only directives.
            resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
            // HTTP/1.0 equivalent of no-cache.
            resp.setHeader("Pragma", "no-cache");
    
            chain.doFilter(request, response);
        }
    
        @Override
        public void destroy() {}
    
        @Override
        public void init(FilterConfig arg0) throws ServletException {}
    
    }
    
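A check for the filter in the answer above, added here as an example and not part of that answer: a spring-test unit test that runs the filter against mock servlet objects and asserts on the headers it writes, so the cache behaviour can be verified without deploying to a container. It assumes spring-test 4.x or later (org.springframework.mock.web) and JUnit 4 on the classpath, and the filter class as posted, com.dc.api.service.impl.CacheControlFilter.

```java
// Added example (not from the original page): verifies that CacheControlFilter
// from the answer above really emits non-storable cache headers.
// Assumptions: spring-test 4.x+ and JUnit 4; the request path is a placeholder.
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.dc.api.service.impl.CacheControlFilter;
import org.junit.Test;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

public class CacheControlFilterTest {

    @Test
    public void responseIsNotStorable() throws Exception {
        // Constructed request: the filter is unconditional, so any path will do.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/account");
        MockHttpServletResponse response = new MockHttpServletResponse();

        // MockFilterChain is an empty chain: doFilter just returns, so the
        // headers we see are exactly what the filter set.
        new CacheControlFilter().doFilter(request, response, new MockFilterChain());

        String cacheControl = response.getHeader("Cache-Control");
        // no-store is the directive that matters for the Back button: it forbids
        // keeping the response at all. no-cache alone only requires revalidation
        // before reuse, and some browsers still show such pages from history.
        assertTrue(cacheControl, cacheControl.contains("no-store"));
        assertTrue(cacheControl, cacheControl.contains("must-revalidate"));
        assertTrue(cacheControl, cacheControl.contains("max-age=0"));

        // HTTP/1.0 fallback and the fixed past Expires date from the filter.
        assertEquals("no-cache", response.getHeader("Pragma"));
        assertTrue(response.getHeader("Expires").contains("2001"));

        // Sanity check that the filter did not short-circuit the chain.
        assertEquals(200, response.getStatus());
    }
}
```

Run it with the project's usual JUnit runner. If the filter is registered in web.xml, also confirm its url-pattern covers the authenticated pages: a filter that only maps to /api/* leaves every HTML page outside it cacheable, and that is the page Back will show.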