Spring Security Logout Back Button

Question

Does spring security have a way to prevent the last point below? I'm using 3.0.5

-user logs into my website -user goes to any page in website and clicks log out -log out link invalidates user session and sends them to the login page in my website -in same browser, user navigates to new website (say cnn.com) -user hits back button and they land at my login page -user hits back button again and they end up at the page within the application that may have data that we dont want to be there. If they click any link on the page they immediately get sent to login page, but they can view the cached page from the browser cache...any way to not let them view this?

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/util
    http://www.springframework.org/schema/util/spring-util-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    <context:annotation-config />
    <context:component-scan base-package="dc" />
    <global-method-security />
    <http access-denied-page="/auth/denied.html">
         <intercept-url filters="none" pattern="/javax.faces.resource/**" />
         <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
         <intercept-url filters="none" pattern="/preregistered/*"/>
         <intercept-url
            pattern="/**/*.xhtml"
            access="ROLE_NONE_GETS_ACCESS" />
         <intercept-url
            pattern="/auth/*"
            access="ROLE_ANONYMOUS,ROLE_USER"/>
         <intercept-url
            pattern="/preregistered/*"
            access="ROLE_ANONYMOUS,ROLE_USER"/>
         <intercept-url
            pattern="/registered/*"
            access="ROLE_USER"
            requires-channel="http"/>
        <form-login
            login-processing-url="/j_spring_security_check.html"
            login-page="/auth/login.html"
            default-target-url="/registered/home.html"
            authentication-failure-url="/auth/login.html" />
         <logout invalidate-session="true" 
              logout-url="/auth/logout.html" 
              success-handler-ref="DCLogoutSuccessHandler"/>
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
        <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
        <session-management session-fixation-protection="none"/>
    </http>
    <!-- Configure the authentication provider -->
    <authentication-manager alias="am">
        <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
        </authentication-provider>
        <authentication-provider ref="xmlAuthenticationProvider" />
    </authentication-manager>
</beans:beans>

Answer 1

to solve this problem you must add in your security xml config file :

<security:http auto-config="true" use-expressions="true">

    <security:headers >
        <security:cache-control />
        <security:hsts/>
    </security:headers>

Answer 2

the below filter took care of my situation:

package com.dc.api.service.impl;

import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;

public class CacheControlFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {

        HttpServletResponse resp = (HttpServletResponse) response;
        resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
        resp.setHeader("Last-Modified", new Date().toString());
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
        resp.setHeader("Pragma", "no-cache");

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}

    @Override
    public void init(FilterConfig arg0) throws ServletException {}

}

Answer 3

In spring 3.0.x

<bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
    <property name="cacheSeconds" value="0" />
</bean>

In spring 2.5.x

<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
    <property name="cacheSeconds" value="0" />
</bean>

Answer 4

Yes, I used spring-security 3.2.9.RELEASE and simply giving <security:headers /> in one the spring config file like applicationContext.xml file as in the above posts

<security:http 
   auto-config="true" use-expressions="true">
   <security:headers />      
</security:http>

so that user won't be able to go to visited other app pages using browser back and forward buttons after logout.

Answer 5

If you, like me, didn't get it working after using c12's caching filter, and you are using <security:http auto-config="true"> make sure you don't need the auto-config="true" part anymore. It (looks like it) adds http basic authentication which does not handle logging out by protocol! This results in that you can GET your logout URL but hitting the back button will just bring you back since you're not really logged out.