Disabling Spring Security headers doesn't work


Problem description

I need to disable the cache control headers in my Spring Security conf.

According to the documentation a simple http.headers.disable() should do it, but I still see the

Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Expires:0
Pragma:no-cache

response headers.

My current security configuration is:

http.antMatcher("/myPath/**") // "myPath" is of course not the real path
    .headers().disable()
    .authorizeRequests()
     // ... abbreviated
    .anyRequest().authenticated();

What I have tried so far:

application.properties

I added the security.headers.cache=false line, but that made no difference.

Using a filter

I tried the following filter:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.springframework.web.filter.GenericFilterBean;

// Class wrapper and name added so the snippet compiles as posted; GenericFilterBean only requires doFilter()
public class CacheHeaderFilter extends GenericFilterBean {

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Wrap the response so that any later setHeader() of a cache header is blanked out
    chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response) {
        @Override
        public void setHeader(String name, String value) {
          if (name.equalsIgnoreCase("Cache-Control")) {
            value = "";
          } else if (name.equalsIgnoreCase("Expires")) {
            value = "";
          } else if (name.equalsIgnoreCase("Pragma")) {
            value = "";
          }
          super.setHeader(name, value);
        }
    });
  }
}

After adding logging I saw that this filter only writes the X-XSS-Protection header, all the cache headers are written somewhere later and this filter doesn't have access to "override" them. This happens even if I add this filter at the last position of the security filter chain.

Using an interceptor

I tried the following interceptor:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Class wrapper and name added so the snippet compiles as posted
public class CacheHeaderInterceptor extends HandlerInterceptorAdapter {

  @Override
  public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
      String requestUri = request.getRequestURI();
      // Runs after the controller, before the view is rendered
      response.setHeader("Cache-Control", "max-age=3600");
      response.setHeader("Expires", "3600");
      response.setHeader("Pragma", "");
  }
}

This (quite predictably) just added the headers, meaning that the original no-cache headers still appear in addition to the ones added by the interceptor.

I'm at my wits' end here. How do I get rid of the cache control headers set by Spring Security?

Recommended answer

This may help:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers()
                // turn off every default header writer; only the writers named after this are applied
                .defaultsDisabled()
                .cacheControl();
    }
}

http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-cache-control
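A worked configuration, added here as an example and not taken from the question or the answer above: it assumes Spring Security 4.x-style Java configuration (WebSecurityConfigurerAdapter, as in the answer) and Spring MVC 4.3 or later, and the endpoint name /myPath/report is constructed. The question's .headers().disable() removes every default header writer (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, HSTS) just to get rid of the cache headers; this example switches off only the Cache-Control writer for the matched path and then sets explicit, private caching on one endpoint, so the other protective headers are kept and authenticated responses are not stored by shared caches.

```java
// Added example, not part of the original page. Assumes Spring Security 4.x Java config
// (WebSecurityConfigurerAdapter) and Spring MVC 4.3+; the two classes would normally
// live in separate files.
import java.util.concurrent.TimeUnit;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.CacheControl;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/myPath/**")      // placeholder path, as in the question
            .headers()
                // Disable only the writer that emits Cache-Control, Pragma and Expires.
                // The other default writers (X-Content-Type-Options, X-Frame-Options,
                // X-XSS-Protection, HSTS on HTTPS) remain active, unlike headers().disable().
                .cacheControl().disable()
            .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}

// Constructed endpoint: with the Cache-Control writer disabled for /myPath/**, the
// header set here reaches the client unchanged.
@RestController
class ReportController {

    @GetMapping("/myPath/report")
    public ResponseEntity<String> report() {
        return ResponseEntity.ok()
            // private: the response is per-user (authenticated), so only the browser
            // cache may keep it; shared caches must not store it
            .cacheControl(CacheControl.maxAge(1, TimeUnit.HOURS).cachePrivate())
            .body("report body");
    }
}
```

With this in place, a request to /myPath/report from a logged-in user gets Cache-Control: max-age=3600, private instead of the no-cache set shown in the question, while requests to other paths in the same matcher receive no Cache-Control header from Spring Security at all, so each controller decides its own caching policy.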
