Spring Security Logout

Does Spring Security have the ability to prevent the last item below? I am using 3.0.5.

- user logs into my site
- user goes to any page on the website and logs out
- logout invalidates the user's session and sends them to the login page on my website
- in the same browser, the user goes to a new website (say, cnn.com)
- user presses the Back button, and they land on my login page
- user presses the Back button again, and they end up on the page in the application, which may have data that we don't want to be there.

If they click on any link on the page, they are immediately sent to the login page, but they can view the cached page from the browser cache... Is there any way to prevent them from viewing it?

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:util="http://www.springframework.org/schema/util"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">

        <context:annotation-config />
        <context:component-scan base-package="dc" />
        <global-method-security />

        <http access-denied-page="/auth/denied.html">
            <intercept-url filters="none" pattern="/javax.faces.resource/**" />
            <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
            <intercept-url filters="none" pattern="/preregistered/*" />
            <intercept-url pattern="/**/*.xhtml" access="ROLE_NONE_GETS_ACCESS" />
            <intercept-url pattern="/auth/*" access="ROLE_ANONYMOUS,ROLE_USER" />
            <intercept-url pattern="/preregistered/*" access="ROLE_ANONYMOUS,ROLE_USER" />
            <intercept-url pattern="/registered/*" access="ROLE_USER" requires-channel="http" />
            <form-login login-processing-url="/j_spring_security_check.html"
                login-page="/auth/login.html"
                default-target-url="/registered/home.html"
                authentication-failure-url="/auth/login.html" />
            <logout invalidate-session="true" logout-url="/auth/logout.html"
                success-handler-ref="DCLogoutSuccessHandler" />
            <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
            <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
            <session-management session-fixation-protection="none" />
        </http>

        <!-- Configure the authentication provider -->
        <authentication-manager alias="am">
            <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
            <authentication-provider ref="xmlAuthenticationProvider" />
        </authentication-manager>
    </beans:beans>
5 answers

The filter below took care of my situation:

    package com.dc.api.service.impl;

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    /**
     * Marks every response as non-cacheable so the browser will not replay a
     * protected page from its cache after logout. Register it in web.xml (or as
     * a <custom-filter> in the security chain) ahead of the servlets that render
     * protected pages.
     */
    public class CacheControlFilter implements Filter {

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse resp = (HttpServletResponse) response;
            // A date in the past: HTTP/1.0 caches treat the response as already stale.
            resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
            // setDateHeader emits the RFC 1123 format HTTP requires; Date.toString() does not.
            resp.setDateHeader("Last-Modified", System.currentTimeMillis());
            // no-store is the directive that actually stops the browser from keeping a copy;
            // post-check/pre-check are legacy Internet Explorer extensions.
            resp.setHeader("Cache-Control",
                    "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
            resp.setHeader("Pragma", "no-cache");
            chain.doFilter(request, response);
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {}

        @Override
        public void destroy() {}
    }

To solve this problem, add this to the Spring Security XML configuration file:

    <security:http auto-config="true" use-expressions="true">
        <security:headers>
            <security:cache-control />
            <security:hsts />
        </security:headers>
    </security:http>
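The two answers above reach the same headers by different routes: the filter sets them by hand, while `<security:headers>` with `<security:cache-control />` (available from Spring Security 3.2, so not on the asker's 3.0.5) writes `Cache-Control: no-cache, no-store, max-age=0, must-revalidate`, `Pragma: no-cache` and `Expires: 0` on every response. In both cases the directive that matters is `no-store`; `no-cache` and `must-revalidate` only force revalidation of a copy the browser is still allowed to keep. The Python script below is an added example, not code from the thread or from Spring Security: it audits a set of response headers (constructed here; in practice you would paste them from `curl -I` or the browser's network panel) and reports anything that would still let the browser keep a copy of a protected page.

```python
"""Audit HTTP response headers for the back-button problem discussed above.

The browser only refuses to keep a copy of a page when Cache-Control carries
no-store; no-cache or must-revalidate alone permit storing it, and Pragma and
Expires are HTTP/1.0 fallbacks. The sample header sets at the bottom are
constructed for this example, not captured from a real application.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_response_caching(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means the page is not storable."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    cc_raw = lower.get("cache-control")
    cc = parse_cache_control(cc_raw) if cc_raw is not None else {}
    if cc_raw is None:
        findings.append("Cache-Control missing: the browser may store the page")
    elif "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: no-cache/must-revalidate still let the page be stored")
    max_age = cc.get("max-age", "")
    if max_age.isdigit() and int(max_age) > 0:
        findings.append(f"Cache-Control max-age={max_age} keeps the page fresh for that long")

    if "no-store" in cc:
        return findings  # strong directive present; the HTTP/1.0 fallbacks no longer matter

    if lower.get("pragma", "").lower() == "no-cache":
        findings.append("Pragma: no-cache is an HTTP/1.0 directive and not sufficient on its own")

    expires = lower.get("expires")
    if expires is not None:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            when = None  # e.g. 'Expires: 0', which caches treat as already expired
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when > datetime.now(timezone.utc):
                findings.append("Expires lies in the future, so the page stays fresh until then")
    return findings


def is_backbutton_safe(headers: Dict[str, str]) -> bool:
    return not audit_response_caching(headers)


# Constructed samples: what the filter in the first answer emits, what Spring
# Security's <cache-control /> header writer emits, and three weaker variants.
FILTER_HEADERS = {
    "Expires": "Tue, 03 Jul 2001 06:00:00 GMT",
    "Last-Modified": "Tue, 01 Jan 2019 00:00:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0",
    "Pragma": "no-cache",
}
SPRING_HEADERS = {
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}
NO_HEADERS = {"Content-Type": "text/html;charset=UTF-8"}
WEAK_HEADERS = {"Cache-Control": "private, max-age=3600"}
PRAGMA_ONLY = {"Pragma": "no-cache", "Expires": "Thu, 01 Jan 2037 00:00:00 GMT"}

if __name__ == "__main__":
    for name, hdrs in [("filter", FILTER_HEADERS), ("spring", SPRING_HEADERS),
                       ("none", NO_HEADERS), ("weak", WEAK_HEADERS), ("pragma-only", PRAGMA_ONLY)]:
        verdict = "OK" if is_backbutton_safe(hdrs) else audit_response_caching(hdrs)
        print(f"{name}: {verdict}")
```

Run it against the headers of a page fetched while logged in; if the audit reports anything, the Back button will be able to show that page after logout regardless of what `<logout>` does server-side, because the browser never goes back to the server to ask.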

In spring 3.0.x

    <bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
        <property name="cacheSeconds" value="0" />
    </bean>

In spring 2.5.x

    <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
        <property name="cacheSeconds" value="0" />
    </bean>

Yes, I used spring-security 3.2.9.RELEASE and just added <security:headers /> in one Spring configuration file, such as applicationContext.xml, as in the answers above

    <security:http auto-config="true" use-expressions="true">
        <security:headers />
    </security:http>

so that the user could not reach other application pages with the browser's Back and Forward buttons after logging out.


If, like me, it still did not work for you after using the cache-control filter, and you use <security:http auto-config="true">, you no longer need auto-config="true". It (apparently) adds HTTP Basic authentication, which does not handle logout! The result is that you can hit the logout URL, but clicking the Back button simply takes you back in, since you are not really logged out.


Source: https://habr.com/ru/post/946112/

