避免 JSF Web 应用程序上的后退按钮 [英] Avoid back button on JSF web application
问题描述
我正在显示非常敏感的数据.用户从我的服务器注销后,我不希望其他用户能够看到点击浏览器后退按钮的数据.
I am showing VERY sensitive data. After the user logs out from my server I don't want another user to be able to see the data hitting the Back button of the browser.
我怎样才能做到这一点?
How can I achieve this?
推荐答案
默认情况下,浏览器的后退按钮根本不会向服务器发送 HTTP 请求.相反,它从浏览器缓存中检索页面.这本质上是无害的,但确实让最终用户感到困惑,因为他/他错误地认为它确实来自服务器.
By default, the browser's back button does not send a HTTP request to the server at all. Instead, it retrieves the page from the browser cache. This is essentially harmless, but indeed confusing to the enduser, because s/he incorrectly thinks that it's really coming from the server.
您需要做的就是指示浏览器不要缓存受限页面.您可以使用一个简单的 servlet 过滤器来做到这一点,它设置了 适当的响应头:
All you need to do is to instruct the browser to not cache the restricted pages. You can do this with a simple servlet filter which sets the appropriate response headers:
@WebFilter
public class NoCacheFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if (!request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
}
chain.doFilter(req, res);
}
// ...
}
(请注意,此过滤器会跳过 JSF 资源请求,其缓存实际上需要单独配置)
为了让它在每个 JSF 请求上运行,在过滤器类上设置以下注解,假设 FacesServletweb.xml 中是 facesServlet:
To get it to run on every JSF request, set the following annotation on the filter class, assuming that the value of the <servlet-name> of the FacesServlet in your webapp's web.xml is facesServlet:
@WebFilter(servletNames={"facesServlet"})
或者,让它只在特定的 URL 模式上运行,比如匹配受限页面的那个,例如/app/*、/private/*、/secured/*等,在过滤器类上设置如下注解:
Or, to get it to run on a specific URL pattern only, such the one matching the restricted pages, e.g. /app/*, /private/*, /secured/*, or so, set the following annotation on the filter class:
@WebFilter("/app/*")
您甚至可以在检查登录用户的过滤器中执行相同的工作(如果您已经拥有).
You could even do the very same job in a filter which checks the logged-in user, if you already have one.
如果您碰巧使用 JSF 实用程序库 OmniFaces,那么您也可以直接获取它的 CacheControlFilter.这也透明地考虑了 JSF 资源.
If you happen to use JSF utility library OmniFaces, then you could also just grab its CacheControlFilter. This also transparently takes JSF resources into account.
这篇关于避免 JSF Web 应用程序上的后退按钮的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
