springmvc下的基於token的防重複提交
問題描述:前端
如今的網站在註冊步驟中,因爲後臺要處理大量信息,形成響應變慢(測試機器性能差也是形成變慢的一個因素),在前端頁面提交信息以前,等待後端響應,此時若是用戶
再點一次提交按鈕,後臺會保存多份用戶信息。爲解決此問題,借鑑了struts2的token思路,在springmvc下實現token。java
實現思路:web
在springmvc配置文件中加入攔截器的配置,攔截兩類請求,一類是到頁面的,一類是提交表單的。當轉到頁面的請求到來時,生成token的名字和token值,一份放到redis緩存中,一份放傳給頁面表單的隱藏域。(注:這裏之因此使用redis緩存,是由於tomcat服務器是集羣部署的,要保證token的存儲介質是全局線程安全的,而redis是單線程的)redis
當表單請求提交時,攔截器獲得參數中的tokenName和token,而後到緩存中去取token值,若是能匹配上,請求就經過,不能匹配上就不經過。這裏的tokenName生成時也是隨機的,每次請求都不同。而從緩存中取token值時,會當即將其刪除(刪與讀是原子的,無線程安全問題)。
spring
實現方式:apache
TokenInterceptor.javajson
package com.xxx.www.common.interceptor;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import com.xxx.cache.redis.IRedisCacheClient;
import com.xxx.common.utility.JsonUtil;
import com.xxx.www.common.utils.TokenHelper;
/**
*
* @see TokenHelper
*/
public class TokenInterceptor extends HandlerInterceptorAdapter
{
private static Logger log = Logger.getLogger(TokenInterceptor.class);
private static Map<String , String> viewUrls = new HashMap<String , String>();
private static Map<String , String> actionUrls = new HashMap<String , String>();
private Object clock = new Object();
@Autowired
private IRedisCacheClient redisCacheClient;
static
{
viewUrls.put("/user/regc/brandregnamecard/", "GET");
viewUrls.put("/user/regc/regnamecard/", "GET");
actionUrls.put("/user/regc/brandregnamecard/", "POST");
actionUrls.put("/user/regc/regnamecard/", "POST");
}
{
TokenHelper.setRedisCacheClient(redisCacheClient);
}
/**
* 攔截方法,添加or驗證token
*/
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception
{
String url = request.getRequestURI();
String method = request.getMethod();
if(viewUrls.keySet().contains(url) && ((viewUrls.get(url)) == null || viewUrls.get(url).equals(method)))
{
TokenHelper.setToken(request);
return true;
}
else if(actionUrls.keySet().contains(url) && ((actionUrls.get(url)) == null || actionUrls.get(url).equals(method)))
{
log.debug("Intercepting invocation to check for valid transaction token.");
return handleToken(request, response, handler);
}
return true;
}
protected boolean handleToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception
{
synchronized(clock)
{
if(!TokenHelper.validToken(request))
{
System.out.println("未經過驗證...");
return handleInvalidToken(request, response, handler);
}
}
System.out.println("經過驗證...");
return handleValidToken(request, response, handler);
}
/**
* 當出現一個非法令牌時調用
*/
protected boolean handleInvalidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception
{
Map<String , Object> data = new HashMap<String , Object>();
data.put("flag", 0);
data.put("msg", "請不要頻繁操做!");
writeMessageUtf8(response, data);
return false;
}
/**
* 當發現一個合法令牌時調用.
*/
protected boolean handleValidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception
{
return true;
}
private void writeMessageUtf8(HttpServletResponse response, Map<String , Object> json) throws IOException
{
try
{
response.setCharacterEncoding("UTF-8");
response.getWriter().print(JsonUtil.toJson(json));
}
finally
{
response.getWriter().close();
}
}
}
TokenHelper.java後端
package com.xxx.www.common.utils;
import java.math.BigInteger;
import java.util.Map;
import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
import com.xxx.cache.redis.IRedisCacheClient;
/**
* TokenHelper
*
*/
public class TokenHelper
{
/**
* 保存token值的默認命名空間
*/
public static final String TOKEN_NAMESPACE = "xxx.tokens";
/**
* 持有token名稱的字段名
*/
public static final String TOKEN_NAME_FIELD = "xxx.token.name";
private static final Logger LOG = Logger.getLogger(TokenHelper.class);
private static final Random RANDOM = new Random();
private static IRedisCacheClient redisCacheClient;// 緩存調用,代替session,支持分佈式
public static void setRedisCacheClient(IRedisCacheClient redisCacheClient)
{
TokenHelper.redisCacheClient = redisCacheClient;
}
/**
* 使用隨機字串做爲token名字保存token
*
* @param request
* @return token
*/
public static String setToken(HttpServletRequest request)
{
return setToken(request, generateGUID());
}
/**
* 使用給定的字串做爲token名字保存token
*
* @param request
* @param tokenName
* @return token
*/
private static String setToken(HttpServletRequest request, String tokenName)
{
String token = generateGUID();
setCacheToken(request, tokenName, token);
return token;
}
/**
* 保存一個給定名字和值的token
*
* @param request
* @param tokenName
* @param token
*/
private static void setCacheToken(HttpServletRequest request, String tokenName, String token)
{
try
{
String tokenName0 = buildTokenCacheAttributeName(tokenName);
redisCacheClient.listLpush(tokenName0, token);
request.setAttribute(TOKEN_NAME_FIELD, tokenName);
request.setAttribute(tokenName, token);
}
catch(IllegalStateException e)
{
String msg = "Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: " + e.getMessage();
LOG.error(msg, e);
throw new IllegalArgumentException(msg);
}
}
/**
* 構建一個基於token名字的帶有命名空間爲前綴的token名字
*
* @param tokenName
* @return the name space prefixed session token name
*/
public static String buildTokenCacheAttributeName(String tokenName)
{
return TOKEN_NAMESPACE + "." + tokenName;
}
/**
* 從請求域中獲取給定token名字的token值
*
* @param tokenName
* @return the token String or null, if the token could not be found
*/
public static String getToken(HttpServletRequest request, String tokenName)
{
if(tokenName == null)
{
return null;
}
Map params = request.getParameterMap();
String[] tokens = (String[]) (String[]) params.get(tokenName);
String token;
if((tokens == null) || (tokens.length < 1))
{
LOG.warn("Could not find token mapped to token name " + tokenName);
return null;
}
token = tokens[0];
return token;
}
/**
* 從請求參數中獲取token名字
*
* @return the token name found in the params, or null if it could not be found
*/
public static String getTokenName(HttpServletRequest request)
{
Map params = request.getParameterMap();
if(!params.containsKey(TOKEN_NAME_FIELD))
{
LOG.warn("Could not find token name in params.");
return null;
}
String[] tokenNames = (String[]) params.get(TOKEN_NAME_FIELD);
String tokenName;
if((tokenNames == null) || (tokenNames.length < 1))
{
LOG.warn("Got a null or empty token name.");
return null;
}
tokenName = tokenNames[0];
return tokenName;
}
/**
* 驗證當前請求參數中的token是否合法,若是合法的token出現就會刪除它,它不會再次成功合法的token
*
* @return 驗證結果
*/
public static boolean validToken(HttpServletRequest request)
{
String tokenName = getTokenName(request);
if(tokenName == null)
{
LOG.debug("no token name found -> Invalid token ");
return false;
}
String token = getToken(request, tokenName);
if(token == null)
{
if(LOG.isDebugEnabled())
{
LOG.debug("no token found for token name " + tokenName + " -> Invalid token ");
}
return false;
}
String tokenCacheName = buildTokenCacheAttributeName(tokenName);
String cacheToken = redisCacheClient.listLpop(tokenCacheName);
if(!token.equals(cacheToken))
{
LOG.warn("xxx.internal.invalid.token Form token " + token + " does not match the session token " + cacheToken + ".");
return false;
}
// remove the token so it won't be used again
return true;
}
public static String generateGUID()
{
return new BigInteger(165, RANDOM).toString(36).toUpperCase();
}
}
spring-mvc.xmlspring-mvc
<!-- token攔截器--> <bean id="tokenInterceptor" class="com.xxx.www.common.interceptor.TokenInterceptor"></bean> <bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping"> <property name="interceptors"> <list> <ref bean="tokenInterceptor"/> </list> </property> </bean>
input.jsp 在form中加以下內容:緩存
<input type="hidden" name="<%=request.getAttribute("xxx.token.name") %>" value="<%=token %>"/>
<input type="hidden" name="xxx.token.name" value="<%=request.getAttribute("xxx.token.name") %>"/>
當前這裏也能夠用相似於struts2的自定義標籤來作。
另:公司域名作了隱藏,用xxx替換了。
相關文章
- 1. token防止重複提交
- 2. Token防重複提交
- 3. springmvc 用攔截器+token防止重複提交
- 4. SpringMVC 防重複提交攔截
- 5. spring token 重複提交
- 6. token令牌防止重複提交的問題
- 7. 封裝axios,token,消息提示,防止重複提交
- 8. 防ajax重複提交
- 9. struts2防止重複提交
- 10. ajax 防止重複提交
- 更多相關文章...
- • SVN 提交操作 - SVN 教程
- • MySQL DISTINCT:去重(過濾重複數據) - MySQL教程
- • ☆基於Java Instrument的Agent實現
- • Docker容器實戰(七) - 容器眼光下的文件系統
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. token防止重複提交
- 2. Token防重複提交
- 3. springmvc 用攔截器+token防止重複提交
- 4. SpringMVC 防重複提交攔截
- 5. spring token 重複提交
- 6. token令牌防止重複提交的問題
- 7. 封裝axios,token,消息提示,防止重複提交
- 8. 防ajax重複提交
- 9. struts2防止重複提交
- 10. ajax 防止重複提交