Page not secured after log out and click back button

In my previous employment I was experiencing a well known problem of being unable to prevent the user from being able to navigate the site using the back button after logging out. My technologies include Spring, JavaScript and potentially the Mobile module of the Java AJAX library ZK. Besides navigating using the back button, authorised access worked otherwise. I no longer have access to the application code. The application was a mobile one of which I was not the original author.

I've tried the following common solutions:

  • Have tried adding a WebContentInterceptor (as instructed here)
  • Defined my own filter using a combination of this filter question and this answer about inserting additional filters. The filter code is not executed during debugging.
  • Added RequestMappingHandlerAdapter to set cacheSeconds to 0


We have the following definition in t2-spring-security-context.xml:

<http auto-config="true">
    <intercept-url pattern="/mobile-index*" access="ROLE_ADMIN"/>
    <intercept-url pattern="/t2-metrics*" access="ROLE_ADMIN"/>
    <intercept-url pattern="/t2-monitor*" access="ROLE_ADMIN"/>
    <form-login login-page="/login.jsp" authentication-failure-url="/loginerror.jsp"
                default-target-url="/mobile-index.jsp"/>
    <logout logout-success-url="/login.jsp" invalidate-session="true"/>
</http>


Other details about our implementation:

  • Java methods are called using @RequestMapping from JavaScript on a class annotated as @Controller (i.e. t2-metrics.jsp has JS that fires a request to the URL matching the request mapping)
  • Tried adding security:global-method-security to the application context and a role annotation to the method
  • Have scriptlet code to disable caching in the JSP pages, and that did nothing. Also, fired up the application in debug within IntelliJ, and a breakpoint within my defined filter is not hit.
  • Once they have used the back button to return into the application, the user can still navigate around the application.

My only remaining idea was that the problem involves our client code (JavaScript) or libraries (incorrect integration with Spring Security) from the view, because debugging did not hit the Spring Security filter chain.

Asked by Crowie, May 29 '13 16:05



1 Answer

Use the code below in the servlet-context file:

    <mvc:interceptors>
        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
            <property name="cacheSeconds" value="0"/>
            <property name="useExpiresHeader" value="false"/>
            <property name="useCacheControlHeader" value="true"/>
            <property name="useCacheControlNoStore" value="true"/>
        </bean>
    </mvc:interceptors>

It works the same as the code below in a JSP page:

    response.setHeader("pragma", "no-cache");
    response.setHeader("Cache-control", "no-cache, no-store, must-revalidate");
    response.setHeader("Expires", "0");

Answered by Rajdeep, Oct 08 '22 05:10
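The same headers can be applied from a plain servlet filter, which also covers the JSP and AJAX endpoints the question lists without depending on Spring MVC's interceptor chain. This is an added example, not code from the question, the answer or any Spring project; the class name NoCacheFilter and the package com.example are assumptions.

```java
package com.example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (name and package are assumptions) that marks every
// matched response as non-cacheable, so that pressing Back after logout makes
// the browser re-request the page and hit the Spring Security interceptor
// instead of rendering a stored copy.
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Set the headers before the rest of the chain writes the body:
        // headers set after the response is committed are discarded.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, response);
    }

    @Override
    public void destroy() { }
}

// A filter only runs for requests that match a url-pattern declared for it, so a
// breakpoint in doFilter that is never hit usually means the mapping is missing.
// Registration in web.xml for every path under the context root:
//
//   <filter>
//     <filter-name>noCacheFilter</filter-name>
//     <filter-class>com.example.NoCacheFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>noCacheFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
```

To confirm it is active, load a protected page and check in the browser's network panel that the response carries Cache-Control: no-store; without that header the browser is free to show the page from its history cache after logout.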