springMVC中基于token防止表单重复提交方法

网友投稿 274 2023-04-25


springMVC中基于token防止表单重复提交方法

本文介绍了springMVC中基于token防止表单重复提交方法,分享给大家,具体如下:

实现思路:

在springmvc配置文件中加入拦截器的配置,拦截两类请求,一类是到页面的,一类是提交表单的。当转到页面的请求到来时,生成token的名字和token值,一份放到Redis缓存中,一份放传给页面表单的隐藏域。(注:这里之所以使用redis缓存,是因为tomcat服务器是集群部署的,要保证token的存储介质是全局线程安全的,而redis是单线程的)

当表单请求提交时,拦截器得到参数中的tokenName和token,然后到缓存中去取token值,如果能匹配上,请求就通过,不能匹配上就不通过。这里的tokenName生成时也是随机的,每次请求都不一样。而从缓存中取token值时,会立即将其删除(删与读是原子的,无线程安全问题)。

实现方式:

TokenInterceptor.java

package com.xxx.common.interceptor;

import java.io.IOException;

import java.util.HashMap;

import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import com.xxx.cache.redis.IRedisCacheClient;

import com.xxx.common.utility.jsonUtil;

import com.xxx.common.utils.TokenHelper;

/**

*

* @see TokenHelper

*/

public class TokenInterceptor extends HandlerInterceptorAdapter

{

private static Logger log = Logger.getLogger(TokenInterceptor.class);

private static Map viewUrls = new HashMap();

private static Map actionUrls = new HashMap();

private Object clock = new Object();

@Autowired

private IRedisCacheClient redisCacheClient;

static

{

viewUrls.put("/user/regc/brandregnamecard/", "GET");

viewUrls.put("/user/regc/regnamecard/", "GET");

actionUrls.put("/user/regc/brandregnamecard/", "POST");

actionUrls.put("/user/regc/regnamecard/", "POST");

}

{

TokenHelper.setRedisCacheClient(redisCacheClient);

}

/**

* 拦截方法,添加or验证token

*/

@Override

public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception

{

String url = request.getRequestURI();

String method = request.getMethod();

if(viewUrls.keySet().contains(url) && ((viewUrls.get(url)) == null || viewUrls.get(url).equals(method)))

{

TokenHelper.setToken(request);

return true;

}

else if(actionUrls.keySet().contains(url) && ((actionUrls.get(url)) == null || actionUrls.get(url).equals(method)))

{

log.debug("Intercepting invocation to check for valid transaction token.");

return handleToken(request, response, handler);

}

return true;

}

protected boolean handleToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception

{

synchronized(clock)

{

if(!TokenHelper.validToken(request))

{

System.out.println("未通过验证...");

return handleInvalidToken(request, response, handler);

}

}

System.out.println("通过验证...");

return handleValidToken(request, response, handler);

}

/**

* 当出现一个非法令牌时调用

*/

protected boolean handleInvalidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception

{

Map data = new HashMap();

data.put("flag", 0);

data.put("msg", "请不要频繁操作!");

writeMessageUtf8(response, data);

return false;

}

/**

* 当发现一个合法令牌时调用.

*/

protected boolean handleValidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception

{

return true;

}

private void writeMessageUtf8(HttpServletResponse response, Map json) throws IOException

{

try

{

response.setCharacterEncoding("UTF-8");

response.getWriter().print(JsonUtil.toJson(json));

}

finally

{

response.getWriter().close();

}

}

}

TokenHelper.java

package com.xxx.common.utils;

import java.math.BigInteger;

import java.util.Map;

import java.util.Random;

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;

import com.xxx.cache.redis.IRedisCacheClient;

/**

* TokenHelper

*

*/

public class TokenHelper

{

/**

* 保存token值的默认命名空间

*/

public static final String TOKEN_NAMESPACE = "xxx.tokens";

/**

* 持有token名称的字段名

*/

public static final String TOKEN_NAME_FIELD = "xxx.token.name";

private static final Logger LOG = Logger.getLogger(TokenHelper.class);

private static final Random RANDOM = new Random();

private static IRedisCacheClient redisCacheClient;// 缓存调用,代替session,支持分布式

public static void setRedisCacheClient(IRedisCacheClient redisCacheClient)

{

TokenHelper.redisCacheClient = redisCacheClient;

}

/**

* 使用随机字串作为token名字保存token

*

* @param request

* @return token

*/

public static String setToken(HttpServletRequest request)

{

return setToken(request, generateGUID());

}

/**

* 使用给定的字串作为token名字保存token

*

* @param request

* @param tokenName

* @return token

*/

private static String setToken(HttpServletRequest request, String tokenName)

{

String token = generateGUID();

setCacheToken(request, tokenName, token);

return token;

}

/**

* 保存一个给定名字和值的token

*

* @param request

* @param tokenName

* @param token

*/

private static void setCacheToken(HttpServletRequest request, String tokenName, String token)

{

try

{

String tokenName0 = buildTokenCacheAttributeName(tokenName);

redisCacheClient.listLpush(tokenName0, token);

request.setAttribute(TOKEN_NAME_FIELD, tokenName);

request.setAttribute(tokenName, token);

}

catch(IllegalStateException e)

{

String msg = "Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: " + e.getMessage();

LOG.error(msg, e);

throw new IllegalArgumentException(msg);

}

}

/**

* 构建一个基于token名字的带有命名空间为前缀的token名字

*

* @param tokenName

* @return the name space prefixed session token name

*/

public static String buildTokenCacheAttributeName(String tokenName)

{

return TOKEN_NAMESPACE + "." + tokenName;

}

/**

* 从请求域中获取给定token名字的token值

*

* @param tokenName

* @return the token String or null, if the token could not be found

*/

public static String getToken(HttpServletRequest request, String tokenName)

{

if(tokenName == null)

{

return null;

}

Map params = request.getParameterMap();

String[] tokens = (String[]) (String[]) params.get(tokenName);

String token;

if((tokens == null) || (tokens.length < 1))

{

LOG.warn("Could not find token mapped to token name " + tokenName);

return null;

}

token = tokens[0];

return token;

}

/**

* 从请求参数中获取token名字

*

* @return the token name found in the params, or null if it could not be found

*/

public static String getTokenName(HttpServletRequest request)

{

Map params = request.getParameterMap();

if(!params.containsKey(TOKEN_NAME_FIELD))

{

LOG.warn("Could not find token name in params.");

return null;

}

String[] tokenNames = (String[]) params.get(TOKEN_NAME_FIELD);

String tokenName;

if((tokenNames == null) || (tokenNames.length < 1))

{

LOG.warn("Got a null or empty token name.");

return null;

}

tokenName = tokenNames[0];

return tokenName;

}

/**

* 验证当前请求参数中的token是否合法,如果合法的token出现就会删除它,它不会再次成功合法的token

*

* @return 验证结果

*/

publhttp://ic static boolean validTokenhttp://(HttpServletRequest request)

{

String tokenName = getTokenName(request);

if(tokenName == null)

{

LOG.debug("no token name found -> Invalid token ");

return false;

}

String token = getToken(request, tokenName);

if(token == null)

{

if(LOG.isDebugEnabled())

{

LOG.debug("no token found for token name " + tokenName + " -> Invalid token ");

}

return false;

}

String tokenCacheName = buildTokenCacheAttributeName(tokenName);

String cacheToken = redisCacheClient.listLpop(tokenCacheName);

if(!token.equals(cacheToken))

{

LOG.warn("xxx.internal.invalid.token Form token " + token + " does not match the session token " + cacheToken + ".");

return false;

}

// remove the token so it won't be used again

return true;

}

public static String generateGUID()

{

return new BigInteger(165,RANDOM).toString(36).toUpperCase();

}

}

spring-mvc.xml

input.jsp 在form中加如下内容:

" value="<%=token %>"/>

"/>

当前这里也可以用类似于struts2的自定义标签来做。


版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。

上一篇:接口设计和表结构设计(接口设计的主要内容)
下一篇:java获取接口实现类(java调用接口获取数据)
相关文章

 发表评论

暂时没有评论,来抢沙发吧~