Spring-security-3 浏览器后退按钮问题

Posted

技术标签:

【中文标题】Spring-security-3 浏览器后退按钮问题【英文标题】:Spring-security-3 browser back button issue 【发布时间】:2014-07-07 00:28:51 【问题描述】:

我只是想学习 Spring 安全性 3。在运行 Spring 安全性示例时,后退按钮会将我带到上一页。我想阻止这一切。我只是尝试使用弹簧安全性来做到这一点。但没有解决,请帮忙。这是我的代码

安全文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <mvc:annotation-driven />
    <mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/**/*" />
            <bean id="webContentInterceptor"
                class="org.springframework.web.servlet.mvc.WebContentInterceptor">
                <property name="cacheSeconds" value="0" />
                <property name="useExpiresHeader" value="true" />
                <property name="useCacheControlHeader" value="true" />
                <property name="useCacheControlNoStore" value="true" />
            </bean>
        </mvc:interceptor>
    </mvc:interceptors>
    <security:user-service id="userServiceDAO">
        <security:user name="mukesh" authorities="ROLE_USER"
            password="password" />
    </security:user-service>
    <security:authentication-manager>
        <security:authentication-provider
            user-service-ref="userServiceDAO" />
    </security:authentication-manager>
    <security:http auto-config="false">
        <security:form-login login-page="/login"
            login-processing-url="/secure/sayHello" username-parameter="_username"
            password-parameter="_password" authentication-failure-url="/error"
            default-target-url="/secure/defaultTarget" />
        <security:intercept-url pattern="/login"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/secure/**"
            access="ROLE_USER" />
        <security:logout logout-url="/logout" />
    </security:http>
</beans>

FrontController-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">

    <mvc:annotation-driven />
    <context:component-scan base-package="sample.security" />
    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver"
        p:prefix="/WEB-INF/views/" p:suffix=".jsp">
    </bean>
</beans>

MVC 控制器

package sample.security.controller;


import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class SecureLoginController 

    @RequestMapping(value = "/","/login", method = RequestMethod.GET)
    public String secureLogin() 
    return "login";
    
    @RequestMapping(value = "/secure/defaultTarget", method = RequestMethod.GET)
    public String goToIndexPage(@RequestBody String body) 
        System.out.println("Request body is :"+ body);
        return "success";
    
    @RequestMapping(value = "/error", method = RequestMethod.GET)
    public String goToAgainLogin() 
        return "error";

login.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login</title>
</head>
<body>
    <h2>Please Login</h2>
    <c:url value="secure/sayHello" var="loginURL" />
    <form action="$loginURL" method="post">
        <label for="username">User Name</label>&nbsp;&nbsp;&nbsp;<input
            type="text" size="30" name="_username" id="username"><br /></br> <label
            for="password">Password</label>&nbsp;&nbsp;&nbsp;<input
            type="password" size="30" name="_password" id="password"><br /></br> <input
            type="submit" value="Submit">
    </form>
</body>
</html>

成功.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>success</title>
</head>
<body>
<h2>I got success</h2>
</body>
</html>

error.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Error page</title>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
</head>
<body>
    <h2>Invalid use name Or password</h2>
    <c:url value="secure/sayHello" var="loginURL" />
    <form action="$loginURL" method="post">
        <label for="username">User Name</label>&nbsp;&nbsp;&nbsp;<input
            type="text" size="30" name="_username" id="username"><br /></br>
        <label for="password">Password</label>&nbsp;&nbsp;&nbsp;<input
            type="password" size="30" name="_password" id="password"><br /></br>
        <input type="submit" value="Submit">
    </form>
</body>
</html>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <display-name>Archetype Created Web Application</display-name>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
    /WEB-INF/configuration/CustomSecurity.xml
    </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>FrontController</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/configuration/FrontController-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>FrontController</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>

请为我提供解决此问题的解决方案。在此先感谢

【问题讨论】:

您的&lt;mvc:interceptors /&gt; 标记应该在FrontController-servlet.xml 文件中,您应该在该文件旁边删除&lt;mvc:mapping /&gt; 标记。您的登录/错误页面不需要控制器 Spring Security 会为您处理它,因此您可以删除它并相应地修改您的配置。 @Deinum 这不起作用,当我尝试删除 '' 时抛出 xml 解析错误 @Denium 由于您的回答没有解决问题,但它给了我一个有价值的提示来纠正问题,我的问题得到了解决 请将解决方案添加到您的问题(或作为答案)以供其他人使用。 @Denium 提示是我需要将所有与安全相关的东西放在父上下文中,我将它们放在父上下文中并且那些开始工作 【参考方案1】:

让 Spring Security 设置一组默认的安全相关标头:

<security:http auto-config="false">
    <security:headers />
    <!-- other stuff ... -->
</security:http>

请注意,这实际上不会阻止用户返回上一页,但会告诉浏览器不要缓存它。

【讨论】:

以上是关于Spring-security-3 浏览器后退按钮问题的主要内容,如果未能解决你的问题,请参考以下文章

防止页面后退(使浏览器后退按钮失效)

浏览器后退按钮处理

java web系统安全退出后点击浏览器后退按钮还会跳转到刚才浏览页面

当我单击浏览器后退按钮或移动设备后退按钮时,保留选定的选项卡

如何检测浏览器后退按钮事件 - 跨浏览器

求HTML网页点击UE浏览器上的后退按钮后能回到上一次浏览的网页的代码!