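/*
 * Copyright 2019 Blue Lotus Software, LLC..
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.bluelotussoftware.tomcat.security.valves;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * <p>
 * The container managed security implementation using {@literal j_security_check} does not return Cache-Control headers
 * to the client. This Valve sets {@literal Cache-Control: no-cache, no-store, must-revalidate} and
 * {@literal Pragma: no-cache} headers on the {@literal j_security_check} response, so that the response to a
 * credential submission is not stored by browsers or intermediary caches.</p>
 * <p>
 * This is configured in the {@literal context.xml}, or {@literal server.xml} file using the following syntax:</p>
 * <pre>
 * {@literal <Valve className="com.bluelotussoftware.tomcat.security.valves.JSecurityCheckNoCacheValve" /> }
 * </pre>
 * <p>
 * The headers are written before the rest of the pipeline runs. A component that runs later and calls
 * {@code setHeader} with the same header name would replace the value, so the deployed result should be verified
 * on the actual {@literal j_security_check} response.</p>
 *
 * @author <a href="mailto:jyeary@bluelotussoftware.com">John Yeary</a>
 * @version 2.2.0
 * @since 2.2.0
 */
public class JSecurityCheckNoCacheValve extends ValveBase {

    /** URI token that identifies the form-login action. */
    private static final String FORM_ACTION = "j_security_check";

    private static final String CACHE_CONTROL_HEADER = "Cache-Control";
    private static final String CACHE_CONTROL_VALUE = "no-cache, no-store, must-revalidate";
    private static final String PRAGMA_HEADER = "Pragma";
    private static final String PRAGMA_VALUE = "no-cache";

    /**
     * {@inheritDoc}
     * <p>
     * Sets {@literal Cache-Control: no-cache, no-store, must-revalidate} and {@literal Pragma: no-cache} headers on
     * the {@literal j_security_check} response, then passes the request to the next valve in the pipeline.
     * </p>
     * <p>
     * The match is a substring test on the request URI. It is deliberately broad: a URI that merely contains the
     * token only receives the no-cache headers, which is the safe direction to err in.
     * </p>
     *
     * @param request the request being processed
     * @param response the response the headers are written to
     * @throws IOException if thrown by a later valve in the pipeline
     * @throws ServletException if thrown by a later valve in the pipeline
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String uri = request.getRequestURI();
        // Null guard: a request without a usable URI must not fail inside this valve with a
        // NullPointerException; it is simply passed on without the extra headers.
        if (uri != null && uri.contains(FORM_ACTION)) {
            // setHeader rather than addHeader: exactly one value per header leaves the valve, so an
            // earlier, weaker Cache-Control value cannot sit next to the no-store directive.
            response.setHeader(CACHE_CONTROL_HEADER, CACHE_CONTROL_VALUE);
            response.setHeader(PRAGMA_HEADER, PRAGMA_VALUE);
        }
        getNext().invoke(request, response);
    }

}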