Using Spring Security, I allow people into my web app.
Apart from the login URL, all user action is done within one unique URL (the URL never changes; everything happens on one page).
On log off, I do
Executions.sendRedirect("/j_spring_security_logout");
which brings you back to a login URL.
However, how do I prevent the user pressing BACK and seeing the main page again (with confidential info) without logging in?
I tried to open the page with visible=false, and then after rendering turn the visibility on.
That should work, since the browser only remembers the non-visible page in its history.
How do I change the visibility after rendering a window?
Help is very much appreciated. Thanks
What's in your ApplicationContext-security.xml? Mine follows...
<http auto-config="true" access-denied-page="/login.zul?error=1">
    <intercept-url pattern="/**/login.*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**/*.zul" access="IS_AUTHENTICATED_REMEMBERED" />
    <form-login login-page="/login.jsp" default-target-url="/application.zul" authentication-failure-url="/login.jsp?failed"/>
    <logout logout-success-url="/login.jsp?bye"/>
</http>
I think you are missing the "invalidate-session" property...
<!-- Details of the pages to protect -->
<security:http auto-config="false">
    <security:logout invalidate-session="true" logout-success-url="/login.zul" />
    <security:intercept-url pattern="/main.zul" access="ROLE_G_VON_IN_ONDP"/>
    <security:intercept-url pattern="/basicos/**" access="ROLE_G_VON_IN_ONDP" />
    <security:intercept-url pattern="/cliente/**" access="ROLE_G_VON_IN_ONDP" />
    <security:intercept-url pattern="/empresa/**" access="ROLE_G_VON_IN_ONDP" />
    <security:intercept-url pattern="/solicitud/**" access="ROLE_G_VON_IN_ONDP" />
    <security:form-login login-page="/login.zul" default-target-url="/main.zul" authentication-failure-url="/login.zul?login_error=1"/>
    <security:anonymous />
</security:http>
Gracias Yamil, I have added invalidate-session="true" since it looks good to do,
but it doesn't help in this particular request. The browser (Opera, Firefox) still allows going back in history (back button) and seeing what was on that particular URL initially.
I have, however, found a workaround. This opens with a white screen; after half a second it shows the content. After logging off, pressing back shows the white screen, no data revealed! That's more secure... isn't it? I was, however, looking for a method in Window that could do that (a kind of doFinally method that is executed after rendering).
<zk>
    <timer id="timer" delay="500">
        <attribute name="onTimer">
            root.visible = true;
        </attribute>
    </timer>
    <window id="root" visible="false">
        ... confidential content goes here ...
    </window>
</zk>
Asked: 2009-10-09 12:58:36 +0800
Seen: 676 times
Last updated: Oct 12 '09