在 Spring Security 中禁用特定 url 的缓存

Question

在我的情况下，我有四种方法可以解决我的问题：

1. 在我的index.html 中写入元配置并禁用缓存（对我不起作用）
2. 将 index.html 更改为 index.jsp 并禁用像 here 这样的缓存（对我有用，但我的客户组需要 index.html）
3. 在web.xml 中使用过滤器并区分所需的请求并禁用缓存
4. Spring 安全

我的问题是如何使用 Spring Security 禁用 index.html 的缓存 （可能在http 标签中使用intercept-url）

Answer 1

您可以使用 Spring Security xml 配置有选择地不向 index.html 添加缓存标头，如下所示：

<security:http>
[intercept-url, etc omitted...]
        <security:headers>
            <!-- selectively applied to dynamic pages only via pattern matching,  -->
            <security:header ref="noCacheHeaders"/>
        </security:headers>
    </security:http>    

<bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/index.html"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean>

但是，如果使用 Spring Security，通常的模式是默认为所有页面设置不缓存，然后有选择地关闭那些静态资源的标题

• 不包含敏感数据
• 不是动态的

要实现这一壮举，您必须明确定义希望在这两种情况下应用的所有标头，并通过互补的请求匹配器模式选择页面。例如，在一个应用中，静态、可缓存资源位于/static 及其子目录下，并且映射到控制器的所有动态页面都具有.htm 扩展名，您可以使用此配置：

        <security:http>
[...]
<security:headers>
            <!-- selectively applied to static pages only via pattern matching, see DelegatingRequestMatcherHeaderWriter below-->
            <security:header ref="cacheStaticsHeaders" />

            <!-- selectively applied to dynamic pages only via pattern matching, as above, see below -->
            <security:header ref="xXssProtectionHeader" />
            <security:header ref="noCacheHeaders"/>
            <security:header ref="xContentHeader"/>
            <security:header ref="hstsHeader"/>
            <security:header ref="xFrameHeader"/>
        </security:headers>

    </security:http>


    <!-- set far future caching on static resources -->
    <bean id="cacheStaticsHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/static/**"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.web.header.writers.StaticHeadersWriter">
                <constructor-arg name="headers">
                    <list>
                        <bean class="org.springframework.security.web.header.Header">
                            <constructor-arg name="headerName" value="cache-control"></constructor-arg>
                            <constructor-arg name="headerValues" value="max-age=31536000"/>
                        </bean>
                        <bean class="org.springframework.security.web.header.Header">
                            <constructor-arg name="headerName" value="Expires"></constructor-arg>
                            <constructor-arg name="headerValues" value="31536000"/>
                        </bean>

                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean> 

    <!-- all the following header writers applied to dynamic, shouldn't be cached pages -->
    <bean id="xXssProtectionHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.XXssProtectionHeaderWriter"/>
        </constructor-arg>
    </bean> 
    <bean id="noCacheHeaders" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.CacheControlHeadersWriter"/>
        </constructor-arg>
    </bean> 
        <bean id="xContentHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter"/>
        </constructor-arg>
    </bean> 
        <bean id="hstsHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.HstsHeaderWriter"/>
        </constructor-arg>
    </bean> 
        <bean id="xFrameHeader" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
        <constructor-arg>
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg value="/**/*.htm"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/>
        </constructor-arg>
    </bean>