Avoid back button on JSF web application

伪装坚强ぢ 2020-11-22 08:23

I am showing VERY sensitive data. After the user logs out from my server I don't want another user to be able to see the data by hitting the Back button of the browser.

2 answers
  •  旧时难觅i
    2020-11-22 08:53

    I also found another good solution.

    In faces-config.xml add

    <lifecycle>
        <phase-listener>client.security.CacheControlPhaseListener</phase-listener>
    </lifecycle>
    

    And implement the following class:

    package client.security;
    
    import javax.faces.context.FacesContext;
    import javax.faces.event.PhaseEvent;
    import javax.faces.event.PhaseId;
    import javax.faces.event.PhaseListener;
    import javax.servlet.http.HttpServletResponse;
    
    @SuppressWarnings("serial")
    public class CacheControlPhaseListener implements PhaseListener
    {
        public PhaseId getPhaseId()
        {
            return PhaseId.RENDER_RESPONSE;
        }
    
        public void afterPhase(PhaseEvent event)        
        {
        }
    
        public void beforePhase(PhaseEvent event)
        {
           FacesContext facesContext = event.getFacesContext();
           HttpServletResponse response = (HttpServletResponse) facesContext
                    .getExternalContext().getResponse();
           // HTTP 1.0 caches and proxies
           response.addHeader("Pragma", "no-cache");
           // HTTP 1.1
           response.addHeader("Cache-Control", "no-cache");
           // no-store is the stronger directive: the browser may not keep any copy
           // of the page, so the Back button has to ask the server for it again
           response.addHeader("Cache-Control", "no-store");
           response.addHeader("Cache-Control", "must-revalidate");
           // Epoch timestamp, i.e. already expired; the container writes a valid HTTP date
           response.setDateHeader("Expires", 0);
        }
    } 
    
