
Disable caching for a specific URL in Spring Security

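In my situation, I have four ways to solve my problem:

  1. Write meta configuration in my index.html and disable caching (doesn't work for me)
  2. Change index.html to index.jsp and disable caching there (works for me, but my client group needs index.html)
  3. Use a filter in web.xml, distinguish the desired request and disable caching
  4. Spring Security

My question is: how can I use Spring Security to disable caching for index.html (maybe using intercept-url in the http tag)?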

You can selectively add no-cache headers to just index.html using Spring Security XML configuration, like this:

    <security:http>
        <!-- intercept-url, etc. omitted -->
        <security:headers>
            <!-- applied selectively via pattern matching, see noCacheHeaders below -->
            <security:header ref="noCacheHeaders"/>
        </security:headers>
    </security:http>

    <bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/index.html"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean>

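However, the usual pattern when using Spring Security is to set no-cache by default for all pages, and then selectively turn those headers off for static resources that:

  • don't contain sensitive data
  • are not dynamic

To accomplish this, you have to explicitly define all the headers you want to apply in both cases and select the pages via complementary request matcher patterns. For example, in an application where static, cacheable resources are found under /static and its subdirectories, and all dynamic pages mapped to controllers have the .htm extension, you can use the following configuration: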

    <security:http>
        <!-- intercept-url, etc. omitted -->
        <security:headers>
            <!-- selectively applied to static pages only via pattern matching, see DelegatingRequestMatcherHeaderWriter below-->
            <security:header ref="cacheStaticsHeaders" />

            <!-- selectively applied to dynamic pages only via pattern matching, as above, see below -->
            <security:header ref="xXssProtectionHeader" />
            <security:header ref="noCacheHeaders"/>
            <security:header ref="xContentHeader"/>
            <security:header ref="hstsHeader"/>
            <security:header ref="xFrameHeader"/>
        </security:headers>

    </security:http>


    <!-- set far future caching on static resources -->
    <bean id="cacheStaticsHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/static/**"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.web.header.writers.StaticHeadersWriter">
                <constructor-arg name="headers">
                    <list>
                        <bean class="org.springframework.security.web.header.Header">
                            <constructor-arg name="headerName" value="cache-control"></constructor-arg>
                            <constructor-arg name="headerValues" value="max-age=31536000"/>
                        </bean>
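                        <!-- Expires is defined as an HTTP-date; caches treat this bare number as already expired and use the max-age above instead -->
                        <bean class="org.springframework.security.web.header.Header">
                            <constructor-arg name="headerName" value="Expires"></constructor-arg>
                            <constructor-arg name="headerValues" value="31536000"/>
                        </bean>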

                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean> 

    <!-- all the following header writers are applied to dynamic pages that shouldn't be cached -->
    <bean id="xXssProtectionHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.XXssProtectionHeaderWriter"/>
        </constructor-arg>
    </bean> 
    <bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean> 
    <bean id="xContentHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter"/>
        </constructor-arg>
    </bean> 
    <bean id="hstsHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.HstsHeaderWriter"/>
        </constructor-arg>
    </bean> 
    <bean id="xFrameHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/>
        </constructor-arg>
    </bean> 
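
An added check, not part of the original answer: Python that re-implements the two Ant patterns above with a simplified matcher (an assumption, not Spring's AntPathRequestMatcher) and audits observed responses for paths where the complementary matchers overlap, leave a gap, or return the wrong cache policy. The function names and sample responses are constructed for illustration.

```python
import re

# Ant patterns taken from the two request matchers in the configuration above.
STATIC, DYNAMIC = "/static/**", "/**/*.htm"

def ant_to_regex(pattern):
    """Translate the subset of Ant syntax used above (**, *) into a regex."""
    if pattern.endswith("/**"):  # trailing /**: the directory and everything below it
        return re.compile(re.escape(pattern[:-3]) + "(/.*)?")
    body = re.escape(pattern).replace(r"\*\*/", "(.*/)?").replace(r"\*", "[^/]*")
    return re.compile(body)

STATIC_RE, DYNAMIC_RE = ant_to_regex(STATIC), ant_to_regex(DYNAMIC)

def classify(path):
    """Which header policy the two matchers select for a request path."""
    s, d = bool(STATIC_RE.fullmatch(path)), bool(DYNAMIC_RE.fullmatch(path))
    # both match -> conflicting cache headers; neither -> no headers from this config
    return {(True, True): "overlap", (True, False): "static",
            (False, True): "dynamic", (False, False): "uncovered"}[(s, d)]

def audit(observations):
    """Return (path, problem) pairs for responses that break the intended policy."""
    findings = []
    for path, headers in observations:
        kind = classify(path)
        cc = headers.get("Cache-Control", "").lower()
        if kind in ("overlap", "uncovered"):
            findings.append((path, kind))
        elif kind == "dynamic" and "no-store" not in cc:
            findings.append((path, "dynamic page is cacheable"))
        elif kind == "static" and "max-age=31536000" not in cc:
            findings.append((path, "static resource lacks far-future max-age"))
    return findings

# Constructed sample (path, response headers) pairs, not captured traffic.
SAMPLE = [
    ("/account/view.htm", {"Cache-Control": "no-cache, no-store, max-age=0, must-revalidate"}),
    ("/static/js/app.js", {"Cache-Control": "max-age=31536000"}),
    ("/static/help.htm", {"Cache-Control": "max-age=31536000"}),
    ("/login", {}),
    ("/report.htm", {"Cache-Control": "max-age=600"}),
]
```

With these two patterns `/index.html` matches neither matcher, so `classify("/index.html")` reports it as uncovered and it would receive none of the headers configured here.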
