Avoid back button on JSF web application


Question

I am showing VERY sensitive data. After the user logs out from my server I don't want another user to be able to see the data by hitting the Back button of the browser.

How can I achieve this?

Answer

By default, the browser's back button does not send an HTTP request to the server at all. Instead, it retrieves the page from the browser cache. This is essentially harmless, but indeed confusing to the end user, because s/he incorrectly thinks that it's really coming from the server.

All you need to do is to instruct the browser to not cache the restricted pages. You can do this with a simple servlet filter which sets the appropriate response headers (see http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers):

import java.io.IOException;

import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Nothing to initialize.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
            response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
            response.setDateHeader("Expires", 0); // Proxies.
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }
}

(Note that this filter skips JSF resource requests; caching of those actually needs to be configured separately.)

To get it to run on every JSF request, set the following annotation on the filter class, assuming that the value of the <servlet-name> of the FacesServlet in your webapp's web.xml is facesServlet:

@WebFilter(servletNames={"facesServlet"})

Or, to get it to run on a specific URL pattern only, such as the one matching the restricted pages, e.g. /app/*, /private/*, /secured/*, or so, set the following annotation on the filter class:

@WebFilter("/app/*")

You could even do the very same job in a filter which checks the logged-in user, if you already have one.

If you happen to use the JSF utility library OmniFaces, then you could also just grab its CacheControlFilter. This also transparently takes JSF resources into account.

  • Prevent user from going back to the previous secured page after logout
  • Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same
  • Is JSF 2.0 View Scope back-button safe?
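The answer suggests folding the no-cache headers into the filter that already checks the logged-in user. The following is an added example of such a combined filter; it is not code from the original answer or from OmniFaces. It assumes the FacesServlet is registered in web.xml under the servlet name facesServlet, that a successful login stores the user object in the session under the attribute key "user", and that the login page lives at /login.xhtml; all three names are assumptions. It also handles the case from the linked "Authorization redirect on session expiration" question: a JSF Ajax request (recognisable by the Faces-Request: partial/ajax header) ignores a plain 302, so it is answered with a JSF partial-response redirect instead.

```java
import java.io.IOException;

import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: one filter that both enforces login and marks restricted
 * pages as non-cacheable, so that after logout the back button cannot show
 * a cached copy and a fresh request is redirected to the login page.
 *
 * Assumed (not stated by the answer): servlet name "facesServlet",
 * session attribute "user", login page "/login.xhtml".
 */
@WebFilter(servletNames = {"facesServlet"})
public class AuthNoCacheFilter implements Filter {

    private static final String USER_SESSION_KEY = "user";   // assumed session attribute
    private static final String LOGIN_PAGE = "/login.xhtml"; // assumed login page

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String contextPath = request.getContextPath();
        String loginURL = contextPath + LOGIN_PAGE;

        // JSF resources (CSS/JS/images) are public and should stay cacheable.
        if (request.getRequestURI().startsWith(contextPath + ResourceHandler.RESOURCE_IDENTIFIER)) {
            chain.doFilter(req, res);
            return;
        }

        // Everything else is a page: never let the browser or a proxy keep a copy.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        response.setHeader("Pragma", "no-cache");                                    // HTTP 1.0
        response.setDateHeader("Expires", 0);                                        // proxies

        // getSession(false) must not create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_SESSION_KEY) != null;
        boolean loginRequest = request.getRequestURI().equals(loginURL);

        if (loggedIn || loginRequest) {
            chain.doFilter(req, res);
        } else if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
            // A JSF Ajax client expects an XML partial response and silently
            // ignores a 302, so send the redirect in the form JSF understands.
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().printf("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginURL);
        } else {
            response.sendRedirect(loginURL);
        }
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }
}
```

This only works as intended if logout really invalidates the session (session.invalidate()) rather than merely removing the user attribute, and you can confirm the headers by checking in the browser's developer tools that every page response carries Cache-Control: no-cache, no-store, must-revalidate while /javax.faces.resource/ responses do not.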
