I have a webapp that has a start page that can redirect to two other pages. The start page has no security, one page is for user level access, and one page is for admin access. They are just basic html pages that load a fair lot of javascript on top of them.
The browser seems to be remembering the html, css and structural javascript and renders the page, although none of my onload javascript functions fire because they need server communication which fails the permissions check because there was no login.
While I understand this and just click refresh and it takes me to the login page, someone else using the app will likely just get confused and close it or call and report a problem.
I am using Spring Security. Is there any way to enforce the html to go through the security filter and keep the browser from doing its own thing?
You should be able to do this by setting the relevant cache-control directives in the HTML itself or in the response headers. For example:
(Note that the headers have to be set before the JSP commits the response header by doing something to write output. So the above has to be right at the start of the JSP.)
If that doesn’t work, another trick you can use is to append a nonce query to the end of the URL for the HTML page (e.g. http://example.com/foo.html?q=<random-number>) and change the nonce each time you send the URL.

However, ultimately you have no way of forcing a recalcitrant browser to refresh / refetch the page. So ultimately, you have to accept that your Javascript may not run … and you should not rely on it to implement your web UI security / access control checks. (Not that I’m saying that you are. Just, don’t …)
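One way to set the cache-control directives the answer describes, as an added example rather than code from the answer or from Spring Security itself: a hypothetical servlet filter (`NoStoreFilter`, mapped in web.xml to the protected paths, here assumed to be `/user/*` and `/admin/*`) that writes the headers before any JSP can commit the response.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Spring Security): sets cache-control
 * headers on every response for the protected pages before the JSP or
 * controller writes output and commits the response.
 *
 * Map it in web.xml (or via a FilterRegistrationBean) on the paths that
 * need it, e.g. /user/* and /admin/*, ahead of springSecurityFilterChain.
 */
public class NoStoreFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Headers must be added before the response is committed, so do it
        // here rather than inside the JSP.
        // no-store: keep no copy at all. no-cache/must-revalidate: if a cache
        // keeps one anyway, it has to revalidate with the server, where the
        // security filter sees an unauthenticated request and redirects to
        // the login page instead of letting the stale HTML render.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache"); // for HTTP/1.0 caches
        response.setDateHeader("Expires", 0L);    // already expired
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Spring Security 3.2 and later write equivalent headers by default through their header-writing filter, so on a current version check that this default has not been disabled before adding a filter of your own.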