Wednesday, July 11, 2012

No Cache For JSF/JSPX Page To Avoid Use OF Browser Back Button In JDeveloper 11g / Use OF No-Cache With JSF LifeCycle

Oracle JDeveloper
Internet Explorer-8

In one of my ADF application, I wanted to discourage the use of browser back button. But users never mind to pinpoint the security gaps.
Not finding any proper solution for disabling back button, I decided to expire the cache of page which back button uses to show the saved page.Well, you can't trust on browser, so this technique is not guaranteed to fill gap in security.

The simplest approrach for JSPX page is to add a Scriptlet under <jsp:root> tag with header information.
In Structure window under <jsp:root> tag drag a jsp:scriptlet & write the header information for no-cache.
You can get <scriptlet> from Component Palette & switching to "JSP" selection.
Write header information under <jsp:scriptlet> tag.

You can also write header info by switching jspx page code editor something like this -
 <?xml version='1.0' encoding='UTF-8'?>  
 <jsp:root xmlns:jsp="" version="2.1"  
  < contentType="text/html;charset=UTF-8"/>  
   response.setHeader("Pragma", "no-cache");  
   response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");  
   response.setDateHeader("Expires", 0);   
   response.addHeader("Cache-Control","post-check=0, pre-check=0"); 

Using above method was giving "500 Internal Server Error".  I did not investigated the reason for error. May be this error is context based for my project source files.

The other way was to use same header information with simple JSF Page Lifecycle.
I created a java class & wired it with managed bean with request scope since I wanted no-cache for
every single request of page. Select <f:view> in Structure Panel from JSPX Page. Add Phase Listener method to fire in 'BeforePhase' for page lifecycle.


Write header information in beforePhase listener method.