springMVC中基于token防止表单重复提交方法

本文介绍了springMVC中基于token防止表单重复提交方法,分享给大家,具体如下:

10余年建站经验, 成都网站制作、成都网站设计客户的见证与正确选择。创新互联提供完善的营销型网页建站明细报价表。后期开发更加便捷高效,我们致力于追求更美、更快、更规范。

实现思路:

在springmvc配置文件中加入拦截器的配置,拦截两类请求,一类是到页面的,一类是提交表单的。当转到页面的请求到来时,生成token的名字和token值,一份放到redis缓存中,一份放传给页面表单的隐藏域。(注:这里之所以使用redis缓存,是因为tomcat服务器是集群部署的,要保证token的存储介质是全局线程安全的,而redis是单线程的)

当表单请求提交时,拦截器得到参数中的tokenName和token,然后到缓存中去取token值,如果能匹配上,请求就通过,不能匹配上就不通过。这里的tokenName生成时也是随机的,每次请求都不一样。而从缓存中取token值时,会立即将其删除(删与读是原子的,无线程安全问题)。

实现方式:

TokenInterceptor.Java

package com.xxx.www.common.interceptor; 

import java.io.IOException; 
import java.util.HashMap; 
import java.util.Map; 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 
import org.apache.log4j.Logger; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; 
import com.xxx.cache.redis.IRedisCacheClient; 
import com.xxx.common.utility.JsonUtil; 
import com.xxx.www.common.utils.TokenHelper; 

/** 
 * 
 * @see TokenHelper 
 */ 
public class TokenInterceptor extends HandlerInterceptorAdapter 
{ 

  private static Logger log = Logger.getLogger(TokenInterceptor.class); 
  private static Map viewUrls = new HashMap(); 
  private static Map actionUrls = new HashMap(); 
  private Object clock = new Object(); 

  @Autowired 
  private IRedisCacheClient redisCacheClient; 
  static 
  { 
    viewUrls.put("/user/regc/brandregnamecard/", "GET"); 
    viewUrls.put("/user/regc/regnamecard/", "GET"); 

    actionUrls.put("/user/regc/brandregnamecard/", "POST"); 
    actionUrls.put("/user/regc/regnamecard/", "POST"); 
  } 
  { 
    TokenHelper.setRedisCacheClient(redisCacheClient); 
  } 

  /** 
   * 拦截方法,添加or验证token 
   */ 
  @Override 
  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    String url = request.getRequestURI(); 
    String method = request.getMethod(); 
    if(viewUrls.keySet().contains(url) && ((viewUrls.get(url)) == null || viewUrls.get(url).equals(method))) 
    { 
      TokenHelper.setToken(request); 
      return true; 
    } 
    else if(actionUrls.keySet().contains(url) && ((actionUrls.get(url)) == null || actionUrls.get(url).equals(method))) 
    { 
      log.debug("Intercepting invocation to check for valid transaction token."); 
      return handleToken(request, response, handler); 
    } 
    return true; 
  } 

  protected boolean handleToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    synchronized(clock) 
    { 
      if(!TokenHelper.validToken(request)) 
      { 
        System.out.println("未通过验证..."); 
        return handleInvalidToken(request, response, handler); 
      } 
    } 
    System.out.println("通过验证..."); 
    return handleValidToken(request, response, handler); 
  } 

  /** 
   * 当出现一个非法令牌时调用 
   */ 
  protected boolean handleInvalidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    Map data = new HashMap(); 
    data.put("flag", 0); 
    data.put("msg", "请不要频繁操作!"); 
    writeMessageUtf8(response, data); 
    return false; 
  } 

  /** 
   * 当发现一个合法令牌时调用. 
   */ 
  protected boolean handleValidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    return true; 
  } 

  private void writeMessageUtf8(HttpServletResponse response, Map json) throws IOException 
  { 
    try 
    { 
      response.setCharacterEncoding("UTF-8"); 
      response.getWriter().print(JsonUtil.toJson(json)); 
    } 
    finally 
    { 
      response.getWriter().close(); 
    } 
  } 

} 

TokenHelper.java

package com.xxx.www.common.utils; 

import java.math.BigInteger; 
import java.util.Map; 
import java.util.Random; 
import javax.servlet.http.HttpServletRequest; 
import org.apache.log4j.Logger; 
import com.xxx.cache.redis.IRedisCacheClient; 

/** 
 * TokenHelper 
 * 
 */ 
public class TokenHelper 
{ 

  /** 
   * 保存token值的默认命名空间 
   */ 
  public static final String TOKEN_NAMESPACE = "xxx.tokens"; 

  /** 
   * 持有token名称的字段名 
   */ 
  public static final String TOKEN_NAME_FIELD = "xxx.token.name"; 
  private static final Logger LOG = Logger.getLogger(TokenHelper.class); 
  private static final Random RANDOM = new Random(); 

  private static IRedisCacheClient redisCacheClient;// 缓存调用,代替session,支持分布式 

  public static void setRedisCacheClient(IRedisCacheClient redisCacheClient) 
  { 
    TokenHelper.redisCacheClient = redisCacheClient; 
  } 

  /** 
   * 使用随机字串作为token名字保存token 
   * 
   * @param request 
   * @return token 
   */ 
  public static String setToken(HttpServletRequest request) 
  { 
    return setToken(request, generateGUID()); 
  } 

  /** 
   * 使用给定的字串作为token名字保存token 
   * 
   * @param request 
   * @param tokenName 
   * @return token 
   */ 
  private static String setToken(HttpServletRequest request, String tokenName) 
  { 
    String token = generateGUID(); 
    setCacheToken(request, tokenName, token); 
    return token; 
  } 

  /** 
   * 保存一个给定名字和值的token 
   * 
   * @param request 
   * @param tokenName 
   * @param token 
   */ 
  private static void setCacheToken(HttpServletRequest request, String tokenName, String token) 
  { 
    try 
    { 
      String tokenName0 = buildTokenCacheAttributeName(tokenName); 
      redisCacheClient.listLpush(tokenName0, token); 
      request.setAttribute(TOKEN_NAME_FIELD, tokenName); 
      request.setAttribute(tokenName, token); 
    } 
    catch(IllegalStateException e) 
    { 
      String msg = "Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: " + e.getMessage(); 
      LOG.error(msg, e); 
      throw new IllegalArgumentException(msg); 
    } 
  } 

  /** 
   * 构建一个基于token名字的带有命名空间为前缀的token名字 
   * 
   * @param tokenName 
   * @return the name space prefixed session token name 
   */ 
  public static String buildTokenCacheAttributeName(String tokenName) 
  { 
    return TOKEN_NAMESPACE + "." + tokenName; 
  } 

  /** 
   * 从请求域中获取给定token名字的token值 
   * 
   * @param tokenName 
   * @return the token String or null, if the token could not be found 
   */ 
  public static String getToken(HttpServletRequest request, String tokenName) 
  { 
    if(tokenName == null) 
    { 
      return null; 
    } 
    Map params = request.getParameterMap(); 
    String[] tokens = (String[]) (String[]) params.get(tokenName); 
    String token; 
    if((tokens == null) || (tokens.length < 1)) 
    { 
      LOG.warn("Could not find token mapped to token name " + tokenName); 
      return null; 
    } 

    token = tokens[0]; 
    return token; 
  } 

  /** 
   * 从请求参数中获取token名字 
   * 
   * @return the token name found in the params, or null if it could not be found 
   */ 
  public static String getTokenName(HttpServletRequest request) 
  { 
    Map params = request.getParameterMap(); 

    if(!params.containsKey(TOKEN_NAME_FIELD)) 
    { 
      LOG.warn("Could not find token name in params."); 
      return null; 
    } 

    String[] tokenNames = (String[]) params.get(TOKEN_NAME_FIELD); 
    String tokenName; 

    if((tokenNames == null) || (tokenNames.length < 1)) 
    { 
      LOG.warn("Got a null or empty token name."); 
      return null; 
    } 

    tokenName = tokenNames[0]; 

    return tokenName; 
  } 

  /** 
   * 验证当前请求参数中的token是否合法,如果合法的token出现就会删除它,它不会再次成功合法的token 
   * 
   * @return 验证结果 
   */ 
  public static boolean validToken(HttpServletRequest request) 
  { 
    String tokenName = getTokenName(request); 

    if(tokenName == null) 
    { 
      LOG.debug("no token name found -> Invalid token "); 
      return false; 
    } 

    String token = getToken(request, tokenName); 

    if(token == null) 
    { 
      if(LOG.isDebugEnabled()) 
      { 
        LOG.debug("no token found for token name " + tokenName + " -> Invalid token "); 
      } 
      return false; 
    } 

    String tokenCacheName = buildTokenCacheAttributeName(tokenName); 
    String cacheToken = redisCacheClient.listLpop(tokenCacheName); 

    if(!token.equals(cacheToken)) 
    { 
      LOG.warn("xxx.internal.invalid.token Form token " + token + " does not match the session token " + cacheToken + "."); 
      return false; 
    } 

    // remove the token so it won't be used again 

    return true; 
  } 

  public static String generateGUID() 
  { 
    return new BigInteger(165,RANDOM).toString(36).toUpperCase(); 
  } 

} 

spring-mvc.xml

 
     
     
       
         
           
       
       
   

input.jsp 在form中加如下内容:

" value="<%=token %>"/> 

"/> 

当前这里也可以用类似于struts2的自定义标签来做。

以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持创新互联。


文章标题:springMVC中基于token防止表单重复提交方法
网址分享:http://hbruida.cn/article/iheiij.html