在Spring Security中禁用特定URL的緩存

Question

在我的情況下，我有四種方法可以解決我的問題：

1. 在我的index.html寫元配置並禁用緩存（對我不起作用）
2. 將index.html更改為index.jsp並禁用此處的緩存（對我來說index.jsp ，但是我的客戶組需要index.html）
3. 在web.xml使用過濾器並區分所需的請求並禁用緩存
4. 春季安全

我的問題是我如何使用Spring Security禁用index.html緩存（也許在http標記中使用intercept-url ）

Answer 1

您可以使用Spring Security xml配置有選擇地將沒有緩存頭僅添加到index.html，如下所示：

<security:http>
[intercept-url, etc omitted...]
        <security:headers>
            <!-- selectively applied to dynamic pages only via pattern matching,  -->
            <security:header ref="noCacheHeaders"/>
        </security:headers>
    </security:http>    

<bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/index.html"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean>

但是，如果使用Spring Security，通常的模式是默認情況下不對所有頁面設置緩存，然后有選擇地為那些靜態資源關閉這些頁眉

• 不包含敏感數據
• 不是動態的

要完成此功能，您必須顯式定義兩種情況下都希望應用的所有標頭，並通過互補的請求匹配器模式選擇頁面。 例如，在一個應用程序中，在/static及其子目錄下找到靜態的可緩存資源，並且映射到控制器的所有動態頁面均具有.htm擴展名，您可以使用以下配置：

        <security:http>
[...]
<security:headers>
            <!-- selectively applied to static pages only via pattern matching, see DelegatingRequestMatcherHeaderWriter below-->
            <security:header ref="cacheStaticsHeaders" />

            <!-- selectively applied to dynamic pages only via pattern matching, as above, see below -->
            <security:header ref="xXssProtectionHeader" />
            <security:header ref="noCacheHeaders"/>
            <security:header ref="xContentHeader"/>
            <security:header ref="hstsHeader"/>
            <security:header ref="xFrameHeader"/>
        </security:headers>

    </security:http>


    <!-- set far future caching on static resources -->
    <bean id="cacheStaticsHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/static/**"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.web.header.writers.StaticHeadersWriter">
                <constructor-arg name="headers">
                    <list>
                        <bean class="org.springframework.security.web.header.Header">
                            <constructor-arg name="headerName" value="cache-control"></constructor-arg>
                            <constructor-arg name="headerValues" value="max-age=31536000"/>
                        </bean>
                        <bean class="org.springframework.security.web.header.Header">
                            <constructor-arg name="headerName" value="Expires"></constructor-arg>
                            <constructor-arg name="headerValues" value="31536000"/>
                        </bean>

                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean> 

    <!-- all the following header writers applied to dynamic, shouldn't be cached pages -->
    <bean id="xXssProtectionHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.XXssProtectionHeaderWriter"/>
        </constructor-arg>
    </bean> 
    <bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean> 
        <bean id="xContentHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter"/>
        </constructor-arg>
    </bean> 
        <bean id="hstsHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.HstsHeaderWriter"/>
        </constructor-arg>
    </bean> 
        <bean id="xFrameHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/>
        </constructor-arg>
    </bean>