
Spring security and browser back button

In this post I will show a simple way to deal with Spring Security and the browser back button after logging out of a web application. I will reuse the code from the post Spring security using JDBC authentication; you can download it by clicking on this link. We will modify that source code for the demo in this post.

1. Symptom

Download the source code, import it into the Eclipse IDE, run the web application and navigate to this URL: http://localhost:8080/spring.

[screenshot: login page]

Log in with the user devjav/devjav.

[screenshot: home page]

Click logout and you are taken back to the login page.

Now click the browser's back button and you will see the following:

[screenshot: home page]

As you can see, we can go back and forward through all the pages we had already visited. What happens if someone else at the same machine does that and sees our sensitive information? Obviously that is not good. It happens because the browser keeps a local copy of every page we visit, and it can navigate back to that copy without contacting the server, so Spring Security never gets the chance to check whether the session is still valid. Later in this post I will show how to avoid that with Spring MVC.

2. Solution

To avoid this issue we must instruct the browser not to cache the pages, so that every time you click the back button it has to contact the server for a fresh copy and Spring Security can validate the session again. The instruction is carried in response headers: Cache-Control: no-cache, no-store, plus Pragma: no-cache and an Expires date in the past for older HTTP/1.0 caches. Spring MVC's WebContentInterceptor can add these headers to every response the DispatcherServlet produces. (Spring Security 3.2 and later can also emit the same cache-control headers itself through its security headers support; see the comment at the end of this post.)

We update the Spring DispatcherServlet configuration file servlet-context.xml as below:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:context="http://www.springframework.org/schema/context"
  xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

  <!-- DispatcherServlet Context: defines this servlet's request-processing 
    infrastructure -->

  <!-- Enables the Spring MVC @Controller programming model -->
  <annotation-driven />

  <!-- Handles HTTP GET requests for /resources/** by efficiently serving 
    up static resources in the ${webappRoot}/resources directory -->
  <resources mapping="/resources/**" location="/resources/" />
  <beans:bean
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
  </beans:bean>
  <!-- Applied to every handler mapping. cacheSeconds=0 sends Pragma: no-cache,
    an Expires date in the past and Cache-Control: no-cache; useCacheControlNoStore
    adds no-store so the browser does not keep a copy for back/forward navigation -->
  <interceptors>
    <beans:bean id="webContentInterceptor"
      class="org.springframework.web.servlet.mvc.WebContentInterceptor">
      <beans:property name="cacheSeconds" value="0" />
      <beans:property name="useExpiresHeader" value="true" />
      <beans:property name="useCacheControlHeader" value="true" />
      <beans:property name="useCacheControlNoStore" value="true" />
    </beans:bean>
  </interceptors>
  <context:component-scan base-package="com.devjav.spring" />

</beans:beans>

Run the application again and you will see that you can no longer go back to the home page after logging out: the back button always takes you to the login page, because the browser has to request the page from the server and Spring Security redirects the now-unauthenticated request.
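A quick way to confirm the headers actually arrive, rather than trusting the browser's behaviour alone, is to audit the raw response. The script below is an added example and not code from the original post: it parses an HTTP response, collects every Cache-Control directive (a servlet container may emit the header twice, as addHeader does) and reports which of the directives described above are missing. The two sample responses are constructed to resemble the demo app before and after the interceptor is configured; they are assumptions, not captures from the application.

```python
"""Audit an HTTP response for the headers that stop the browser showing a
cached copy of a protected page after logout.

Added example, not code from the original post. The sample responses are
constructed, not captured from the demo application.
"""
from typing import Dict, List, Set

# Constructed sample: a protected page served with no caching directives,
# so the browser may keep it in its cache/history and show it on Back.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/spring; HttpOnly\r\n"
    "\r\n"
    "<html><body>Welcome devjav</body></html>"
)

# Constructed sample: the same page with the headers a cacheSeconds=0,
# useCacheControlNoStore=true interceptor is assumed to add.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:01 GMT\r\n"
    "Cache-Control: no-cache\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Welcome devjav</body></html>"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the status line and headers of a raw HTTP/1.x response.

    Header names are lower-cased; repeated headers keep their order.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0][:40])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Set[str]:
    """Union of Cache-Control directives over all Cache-Control lines.

    Directives are lower-cased; ones with a value keep it ('max-age=0').
    """
    directives: Set[str] = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                directives.add(token)
    return directives


def audit_cache_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return the problems that let a logged-out user see the page again
    via Back; an empty list means the response is hardened."""
    findings: List[str] = []
    directives = cache_control_directives(headers)
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: browser may keep a copy for back/forward")
    if not directives & {"no-cache", "max-age=0", "must-revalidate"}:
        findings.append("Cache-Control does not force revalidation with the server")
    pragma = [v.lower() for v in headers.get("pragma", [])]
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if "expires" not in headers:
        findings.append("Expires header missing (HTTP/1.0 caches)")
    return findings


def is_back_button_safe(raw_response: str) -> bool:
    """True when the raw response carries every directive the audit expects."""
    return not audit_cache_headers(parse_headers(raw_response))


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        problems = audit_cache_headers(parse_headers(sample))
        print(label, "OK" if not problems else problems)
```

To check the real application, paste the output of `curl -i http://localhost:8080/spring/` (with a valid JSESSIONID cookie) into a sample string, or read the same headers from the browser's developer tools. Of the four directives, no-store is the one browsers consult when deciding whether a page may be restored from history on Back; no-cache by itself only governs the HTTP cache and is not always enough.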

Source Code

You can download the source code here.

5 thoughts on “Spring security and browser back button”

      1. No problem... also note that security headers are on by default with Java configuration but require a little extra work with XML (to remain passive). In Spring Security 4, security headers will be on by default for XML configuration too.
