explicitly set cache related headers to prevent caching of any response - SIDP-432...
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 21 Dec 2010 14:55:07 +0000 (14:55 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 21 Dec 2010 14:55:07 +0000 (14:55 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2968 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

doc/RELEASE-NOTES.txt
src/main/java/edu/internet2/middleware/shibboleth/idp/util/NoCacheFilter.java [new file with mode: 0644]
src/main/webapp/WEB-INF/web.xml

index 3aec949..e3cef48 100644 (file)
@@ -6,6 +6,7 @@ Changes in Release 2.2.1
 [SIDP-428] - Address lifecycle issues around use of MetadataCredentialResolverFactory
 [SIDP-431] - Typo in default attribute-resolver.xml
 [SIDP-434] - More Typos in Default attribute-resolver.xml
+[SIDP-432] - Set explicit caching headers on redirects
 [SIDP-447] - Fix for SIDP-417 missed RemoteUserLoginHandler
 
 Changes in Release 2.2.0
diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/util/NoCacheFilter.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/util/NoCacheFilter.java
new file mode 100644 (file)
index 0000000..1b63083
--- /dev/null
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2010 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.util;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * An HTTP filter that adds the following headers/values to the {@link HttpServletResponse} and thus, hopefully,
+ * prevents caching of the response on all browser.
+ * <ul>
+ * <li>Expires: 0</li>
+ * <li>Cache-Control: no-cache, no-store, must-revalidate, max-age=0
+ * <li>
+ * <li>Pragma: no-cache</li>
+ * </ul>
+ */
+public class NoCacheFilter implements Filter {
+
+    /** {@inheritDoc} */
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+            ServletException {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+        httpResponse.setHeader("Expires", "0");
+        httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
+        httpResponse.setHeader("Pragma", "no-cache");
+        chain.doFilter(request, response);
+    }
+
+    /** {@inheritDoc} */
+    public void init(FilterConfig filterConfig) throws ServletException {
+        // nothing to do here
+    }
+
+    /** {@inheritDoc} */
+    public void destroy() {
+        // nothing to do here
+    }
+}
\ No newline at end of file
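Review bot: The cast `HttpServletResponse httpResponse = (HttpServletResponse) response;` in doFilter is unguarded, so a non-HTTP ServletResponse would fail with a ClassCastException instead of passing through untouched; the three setHeader calls could sit inside `if (response instanceof HttpServletResponse) { ... }` with `chain.doFilter(request, response);` left outside the guard. The headers are written before `chain.doFilter`, and `setHeader` replaces any existing value, so a downstream servlet or JSP that sets Cache-Control or Expires itself will win — worth confirming that no IdP page does, otherwise the "prevent caching of any response" guarantee in the commit message is only best-effort. `Expires: 0` is not an HTTP-date; caches are required to treat an unparseable Expires value as already expired, which is the intent, but `httpResponse.setDateHeader("Expires", 0)` would emit a well-formed epoch date instead. The class Javadoc also has a stray `<li>` and an unclosed `</li>` around the Cache-Control item, and "on all browser" should read "in all browsers".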
index d503297..aba5855 100644 (file)
@@ -1,26 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
-    version="2.4">
+    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
 
     <display-name>Shibboleth Identity Provider</display-name>
-    
-    <!-- Parameter that allows the domain of all cookies to be explicitly set.  
-         If not set the domain is let empty which means that the cookie will only ever be sent 
-         to the IdP host.
-    -->
-    <!--
-    <context-param>
-        <param-name>cookieDomain</param-name>
-        <param-value>example.org</param-value>
-    </context-param>
-    -->
-    
-    <!--
-        Spring 2.0 application context files.  Files are loaded in the order they appear with subsequent files 
-        overwriting same named beans in previous files.
-    -->
+
+    <!-- Parameter that allows the domain of all cookies to be explicitly set. If not set the domain is let empty which means 
+        that the cookie will only ever be sent to the IdP host. -->
+    <!-- <context-param> <param-name>cookieDomain</param-name> <param-value>example.org</param-value> </context-param> -->
+
+    <!-- Spring 2.0 application context files. Files are loaded in the order they appear with subsequent files overwriting 
+        same named beans in previous files. -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
         <param-value>$IDP_HOME$/conf/internal.xml; $IDP_HOME$/conf/service.xml;</param-value>
@@ -31,7 +21,7 @@
         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
     </listener>
 
-    <!--  Add IdP SLF4J MDC cleanup filter to all requests -->
+    <!-- Add IdP SLF4J MDC cleanup filter to all requests -->
     <filter>
         <filter-name>SL4JCleanupFilter</filter-name>
         <filter-class>edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter</filter-class>
@@ -42,7 +32,7 @@
     </filter-mapping>
 
 
-    <!--  Add IdP Session object to incoming profile requests -->
+    <!-- Add IdP Session object to incoming profile requests -->
     <filter>
         <filter-name>IdPSessionFilter</filter-name>
         <filter-class>edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter</filter-class>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
+    <!-- HTTP headers to every response in order to prevent response caching -->
+    <filter>
+        <filter-name>IdPNoCacheFilter</filter-name>
+        <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>IdPNoCacheFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <!-- Profile Request Dispatcher -->
     <servlet>
         <servlet-name>ProfileRequestDispatcher</servlet-name>
     <servlet-mapping>
         <servlet-name>ProfileRequestDispatcher</servlet-name>
         <url-pattern>/profile/*</url-pattern>
-    </servlet-mapping> 
+    </servlet-mapping>
 
     <!-- Authentication Engine Entry Point -->
     <servlet>
         <servlet-name>AuthenticationEngine</servlet-name>
         <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine</servlet-class>
-        
+
         <!-- Whether public credentials returned by a login handler are retained in the subject. -->
-        <!--
-        <init-param>
-            <param-name>retainSubjectsPublicCredentials</param-name>
-            <param-value>false</param-value>
-        </init-param>
-        -->
-        
+        <!-- <init-param> <param-name>retainSubjectsPublicCredentials</param-name> <param-value>false</param-value> </init-param> -->
+
         <!-- Whether private credentials returned by a login handler are retained in the subject. -->
-        <!--
-        <init-param>
-            <param-name>retainSubjectsPrivateCredentials</param-name>
-            <param-value>false</param-value>
-        </init-param>
-        -->
-        
+        <!-- <init-param> <param-name>retainSubjectsPrivateCredentials</param-name> <param-value>false</param-value> </init-param> -->
+
         <load-on-startup>2</load-on-startup>
-        
+
     </servlet>
 
     <servlet-mapping>
         <servlet-name>RemoteUserAuthHandler</servlet-name>
         <url-pattern>/Authn/RemoteUser</url-pattern>
     </servlet-mapping>
-    
+
     <!-- Servlet for doing Username/Password authentication -->
     <servlet>
         <servlet-name>UsernamePasswordAuthHandler</servlet-name>
         <servlet-name>UsernamePasswordAuthHandler</servlet-name>
         <url-pattern>/Authn/UserPassword</url-pattern>
     </servlet-mapping>
-    
+
     <!-- Servlet for displaying IdP status. -->
     <servlet>
         <servlet-name>Status</servlet-name>
         <servlet-class>edu.internet2.middleware.shibboleth.idp.StatusServlet</servlet-class>
-        
+
         <!-- Space separated list of CIDR blocks allowed to access the status page -->
         <init-param>
             <param-name>AllowedIPs</param-name>
             <param-value>127.0.0.1/32 ::1/128</param-value>
         </init-param>
-        
+
         <load-on-startup>2</load-on-startup>
     </servlet>
 
         <servlet-name>Status</servlet-name>
         <url-pattern>/status</url-pattern>
     </servlet-mapping>
-    
-        
+
+
     <!-- Send request to the EntityID to the SAML metadata handler. -->
     <servlet>
         <servlet-name>shibboleth_jsp</servlet-name>
         <servlet-name>shibboleth_jsp</servlet-name>
         <url-pattern>/shibboleth</url-pattern>
     </servlet-mapping>
-    
+
     <error-page>
         <error-code>500</error-code>
         <location>/error.jsp</location>
     </error-page>
-    
+
     <error-page>
         <error-code>404</error-code>
         <location>/error-404.jsp</location>
     </error-page>
 
-<!-- Uncomment to use container managed authentication -->
-<!--
-    <security-constraint>
-        <display-name>Shibboleth IdP</display-name>
-        <web-resource-collection>
-            <web-resource-name>user authentication</web-resource-name>
-            <url-pattern>/Authn/RemoteUser</url-pattern>
-            <http-method>GET</http-method>
-            <http-method>POST</http-method>
-        </web-resource-collection>
-        <auth-constraint> 
-            <role-name>user</role-name> 
-        </auth-constraint>
-        <user-data-constraint>
-            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
-        </user-data-constraint>
-    </security-constraint>
-    
-    <security-role>
-      <role-name>user</role-name>
-    </security-role> 
--->
-
-<!-- Uncomment if you want BASIC auth managed by the container -->
-<!--
-    <login-config>
-      <auth-method>BASIC</auth-method>
-      <realm-name>IdP Password Authentication</realm-name>
-    </login-config>
--->
-
-<!-- Uncomment if you want form-based auth managed by the container -->
-<!--
-    <login-config>
-        <auth-method>FORM</auth-method>
-        <realm-name>IdP Password Authentication</realm-name>
-        <form-login-config>
-            <form-login-page>/login.jsp</form-login-page>
-            <form-error-page>/login-error.jsp</form-error-page>
-        </form-login-config>
-    </login-config>
--->
+    <!-- Uncomment to use container managed authentication -->
+    <!-- <security-constraint> <display-name>Shibboleth IdP</display-name> <web-resource-collection> <web-resource-name>user 
+        authentication</web-resource-name> <url-pattern>/Authn/RemoteUser</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> 
+        </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
+        </user-data-constraint> </security-constraint> <security-role> <role-name>user</role-name> </security-role> -->
+
+    <!-- Uncomment if you want BASIC auth managed by the container -->
+    <!-- <login-config> <auth-method>BASIC</auth-method> <realm-name>IdP Password Authentication</realm-name> </login-config> -->
+
+    <!-- Uncomment if you want form-based auth managed by the container -->
+    <!-- <login-config> <auth-method>FORM</auth-method> <realm-name>IdP Password Authentication</realm-name> <form-login-config> 
+        <form-login-page>/login.jsp</form-login-page> <form-error-page>/login-error.jsp</form-error-page> </form-login-config> </login-config> -->
 
 </web-app>
\ No newline at end of file
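Review bot: The new `IdPNoCacheFilter` mapping declares only a `<url-pattern>` and no `<dispatcher>` elements, so under the servlet 2.4 default it runs for REQUEST dispatches only; whether the pages rendered through the `<error-page>` ERROR dispatches to `/error.jsp` and `/error-404.jsp` still carry the no-cache headers then depends on what the container does to already-set headers before dispatching the error page. Adding `<dispatcher>REQUEST</dispatcher>`, `<dispatcher>FORWARD</dispatcher>` and `<dispatcher>ERROR</dispatcher>` to the mapping would make the "every response" intent of the accompanying comment explicit rather than container-dependent. On style, collapsing the commented-out `<security-constraint>` and `<login-config>` templates into single-line comments makes them noticeably harder for a deployer to uncomment and edit than the multi-line form they replace; keeping those samples one element per line would preserve their usefulness as templates.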