避免 JSF Web 应用程序上的后退按钮 [英] Avoid back button on JSF web application
问题描述
我正在显示非常敏感的数据.用户从我的服务器注销后,我不希望其他用户能够看到点击浏览器后退按钮的数据.
I am showing VERY sensitive data. After the user logs out from my server I don't want another user to be able to see the data hitting the Back button of the browser.
我怎样才能做到这一点?
How can I achieve this?
推荐答案
默认情况下,浏览器的后退按钮根本不会向服务器发送 HTTP 请求.相反,它从浏览器缓存中检索页面.这本质上是无害的,但确实让最终用户感到困惑,因为他/他错误地认为它确实来自服务器.
By default, the browser's back button does not send a HTTP request to the server at all. Instead, it retrieves the page from the browser cache. This is essentially harmless, but indeed confusing to the enduser, because s/he incorrectly thinks that it's really coming from the server.
您需要做的就是指示浏览器不要缓存受限页面.您可以使用一个简单的 servlet 过滤器来做到这一点,它设置了 适当的响应头:
All you need to do is to instruct the browser to not cache the restricted pages. You can do this with a simple servlet filter which sets the appropriate response headers:
@WebFilter
public class NoCacheFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if (!request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
}
chain.doFilter(req, res);
}
// ...
}
(请注意,此过滤器会跳过 JSF 资源请求,其缓存实际上需要单独配置)
为了让它在每个 JSF 请求上运行,在过滤器类上设置以下注解,假设 FacesServlet
web.xml
中是 facesServlet
:
To get it to run on every JSF request, set the following annotation on the filter class, assuming that the value of the <servlet-name>
of the FacesServlet
in your webapp's web.xml
is facesServlet
:
@WebFilter(servletNames={"facesServlet"})
或者,让它只在特定的 URL 模式上运行,比如匹配受限页面的那个,例如/app/*
、/private/*
、/secured/*
等,在过滤器类上设置如下注解:>
Or, to get it to run on a specific URL pattern only, such the one matching the restricted pages, e.g. /app/*
, /private/*
, /secured/*
, or so, set the following annotation on the filter class:
@WebFilter("/app/*")
您甚至可以在检查登录用户的过滤器中执行相同的工作(如果您已经拥有).
You could even do the very same job in a filter which checks the logged-in user, if you already have one.
如果您碰巧使用 JSF 实用程序库 OmniFaces,那么您也可以直接获取它的 CacheControlFilter
.这也透明地考虑了 JSF 资源.
If you happen to use JSF utility library OmniFaces, then you could also just grab its CacheControlFilter
. This also transparently takes JSF resources into account.
这篇关于避免 JSF Web 应用程序上的后退按钮的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!