The case is easy: the user clicks logout, the request goes to LogoutFilter, and:
HttpServletRequest hreq = (HttpServletRequest) request;
// getSession(false) returns null when the client has no session yet; invalidate only if one exists
HttpSession session = hreq.getSession(false);
if (session != null) {
    session.invalidate();
}
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.reset();
// repeated setHeader("Cache-Control", ...) calls overwrite each other, so all directives go in one value
httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
httpResponse.setHeader("Pragma", "no-cache");
httpResponse.setDateHeader("Expires", 0);
chain.doFilter(request, response);
And on the page the login link is shown. The problem is easy: the session is recreated, but the user principals are cached, so no login popup is shown and the application uses the cached principals, because request.getUserPrincipals() returns a non-null object.
The question is simple: is there any way to remove the user principals too, so the browser asks to log in again after logout?
2 solutions
#1
0
Instead of just clearing the cache on logout, have a filter for your application that always sets those meta values on the response, for every request to a page in your application. This way, none of your pages will be cached. Clear your browser cache and try again. Does that fix anything?
#2
0
When the user logs out I would consider redirecting them (using a 302 redirect) to a 'logged out' page after you've invalidated their session. That 'hopefully' will stop request.getUserPrincipals() from returning anything.
BTW, the cache work that you're doing does nothing to your web application's cache. What you're specifying there is how web clients and web proxies should consider caching that particular request. So, those values are used after the request leaves your server and goes out 'into the wild'.
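Putting both answers together, here is an added example of a complete logout filter. It is not the asker's code or either answerer's; it assumes a Servlet 3.0 or newer container (the `HttpServletRequest.logout()` method was added in Servlet 3.0) and a hypothetical logged-out landing page at `/loggedout.html`. The point it demonstrates is that the principal lives in the container's authentication state, not in the session, so invalidating the session and setting cache headers is not enough: the filter must also tell the container to forget the identity, and should then redirect rather than render the protected page.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the original question or answers.
 * Assumes a Servlet 3.0+ container and that this filter is mapped to the
 * logout URL (for example /logout) in web.xml.
 */
public class LogoutFilter implements Filter {

    // Hypothetical landing page; replace with the application's own URL.
    private static final String LOGGED_OUT_PAGE = "/loggedout.html";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // 1. Clear the container-side authentication state. After logout(),
        //    getUserPrincipal() and getRemoteUser() return null and the
        //    container no longer treats this client as authenticated.
        req.logout();

        // 2. Invalidate the session only if one exists; getSession(false)
        //    returns null for a client that never had one.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Instruct clients and proxies not to cache this response. All
        //    Cache-Control directives go in one header value, because repeated
        //    setHeader() calls for the same name overwrite each other.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // 4. Redirect (302) to a public page instead of continuing the chain,
        //    so no protected resource is rendered during the logout request.
        resp.sendRedirect(req.getContextPath() + LOGGED_OUT_PAGE);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

One caveat to check before relying on this: with HTTP Basic authentication the browser itself keeps the credentials and resends them on the next request, so the container will silently re-authenticate the user even after `logout()` succeeded. A server-side logout can only clear what the server holds; for Basic auth the re-login prompt depends on the browser discarding its cached credentials, which is why form-based authentication is the usual choice when a reliable logout is required.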