Spring boot web application does not have cache-control header

Question

I am using a Spring boot application and there is a requirement to enable security by disabling the caching between the web-pages.
As I understand, by default, Spring Security sets specific cache-control header values for us, without us having to configure anything.

But for my web application, the following response headers are not present.

    "Cache-Control", "no-store"
    "Pragma", "no-cache"
    "Expires", "0"

I have tried setting them using an interceptor (implementing HandlerInterceptor) and adding the following code in the preHandle, postHandle and afterCompletion methods.

    response.setHeader("Cache-Control", "no-store"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    response.setHeader("Expires", "0"); // Proxies. 

Although the control comes to these methods and the header is set, when I inspect the web-browser, I don't see these headers.

What could be the reason?

Answer 1

Score: 3

There are different ways of setting the header.

I would suggest setting it either with a filter or with the configuration.

Configuration

By default, spring-boot sets security headers. With .defaultsDisabled() you disable them and can selectively activate the wanted headers.

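    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // ...
                .headers()
                    // do not use any default headers unless explicitly listed
                    .defaultsDisabled()
                    // emit only the cache-control headers
                    .cacheControl();
        }
    }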

This will set the headers to the following settings:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0

For more detail on the configuration, here is the doc: https://docs.spring.io/spring-security/site/docs/4.0.x/reference/html/headers.html

Alternatively, you can use a filter.

Filter

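    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletResponse;

    // In Spring Boot, @WebFilter classes are only registered when
    // @ServletComponentScan is present on a configuration class.
    @WebFilter("/filter-response-header/*")
    public class AddResponseHeaderFilter implements Filter {

        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
          FilterChain chain) throws IOException, ServletException {
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;
            // Set the headers before the rest of the chain runs,
            // while the response is still uncommitted.
            httpServletResponse.setHeader("Cache-Control", "no-store");
            httpServletResponse.setHeader("Pragma", "no-cache");
            httpServletResponse.setHeader("Expires", "0");
            chain.doFilter(request, response);
        }
    }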

For a single response

HttpServletResponse:

    // response: the HttpServletResponse of the current request
    // (for example, a parameter of the controller method)
    response.addHeader("Cache-Control", "no-store");
    response.addHeader("Pragma", "no-cache");
    response.addHeader("Expires", "0");

For more, have a look here: https://www.baeldung.com/spring-response-header
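
To confirm what a client actually receives, which is the symptom described in the question, the following added example (not part of the original question or answer) audits a response for the three headers discussed on this page. It uses only the JDK (Java 11+); the class name `CacheHeaderCheck`, the `/hardened` and `/plain` paths and the loopback sample server are constructed for illustration and stand in for the real application URL.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpHeaders;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class CacheHeaderCheck {
    /** Lists which of the page's anti-caching headers are missing or weaker than expected. */
    static List<String> problems(HttpHeaders h) {
        List<String> out = new ArrayList<>();
        // Cache-Control may arrive as several header lines; join them before checking.
        String cc = String.join(",", h.allValues("Cache-Control")).toLowerCase(Locale.ROOT);
        if (!cc.contains("no-store")) out.add("Cache-Control lacks no-store (got '" + cc + "')");
        if (!h.firstValue("Pragma").orElse("").equalsIgnoreCase("no-cache")) out.add("Pragma is not no-cache");
        if (!h.firstValue("Expires").orElse("").trim().equals("0")) out.add("Expires is not 0");
        return out;
    }

    static List<String> check(HttpClient client, String url) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).GET().build();
        return problems(client.send(req, HttpResponse.BodyHandlers.discarding()).headers());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample server: /hardened sends the headers, /plain sends none.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/hardened", ex -> {
            ex.getResponseHeaders().set("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
            ex.getResponseHeaders().set("Pragma", "no-cache");
            ex.getResponseHeaders().set("Expires", "0");
            ex.sendResponseHeaders(204, -1);
            ex.close();
        });
        server.createContext("/plain", ex -> { ex.sendResponseHeaders(204, -1); ex.close(); });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        HttpClient client = HttpClient.newHttpClient();
        System.out.println("/hardened -> " + check(client, base + "/hardened"));
        System.out.println("/plain    -> " + check(client, base + "/plain"));
        server.stop(0);
    }
}
```

Pointing `check` at each route of the application (pages, static resources, error pages) shows which responses pass through the header-setting code and which bypass it.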

huangapple
  • This article was posted on July 29, 2020, 20:45:26
  • When reposting, please be sure to keep the link to this article: https://go.coder-hub.com/63153944.html