Avoid back button on JSF web application
Question
I am showing VERY sensitive data. After the user logs out from my server I don't want another user to be able to see the data by hitting the Back button of the browser.
How can I achieve this?
Recommended answer
By default, the browser's back button does not send an HTTP request to the server at all. Instead, it retrieves the page from the browser cache. This is essentially harmless, but indeed confusing to the end user, because s/he incorrectly thinks that it's really coming from the server.
All you need to do is to instruct the browser to not cache the restricted pages. You can do this with a simple servlet filter which sets the appropriate response headers (see http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers):
    import java.io.IOException;
    import javax.faces.application.ResourceHandler;
    import javax.servlet.*;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @WebFilter
    public class NoCacheFilter implements Filter {

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            if (!request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
                response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
                response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
                response.setDateHeader("Expires", 0); // Proxies.
            }

            chain.doFilter(req, res);
        }

        @Override
        public void init(FilterConfig config) throws ServletException { /* Nothing to initialize. */ }

        @Override
        public void destroy() { /* Nothing to clean up. */ }
    }
(Note that this filter skips JSF resource requests; caching for those needs to be configured separately.)
To get it to run on every JSF request, set the following annotation on the filter class, assuming that the value of the <servlet-name> of the FacesServlet in your webapp's web.xml is facesServlet:

    @WebFilter(servletNames={"facesServlet"})
Or, to get it to run on a specific URL pattern only, such as the one matching the restricted pages, e.g. /app/*, /private/*, /secured/*, or so, set the following annotation on the filter class:

    @WebFilter("/app/*")
You could even do the very same job in a filter which checks the logged-in user, if you already have one.
If you happen to use the JSF utility library OmniFaces, then you could also just grab its CacheControlFilter. This also transparently takes JSF resources into account.
- Prevent user from going back to the previous secured page after logout
- Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same
- Is JSF 2.0 View Scope back-button safe?