springMVC中基于token防止表单重复提交方法

本文介绍了springMVC中基于token防止表单重复提交方法，分享给大家，具体如下：

实现思路：

在springmvc配置文件中加入拦截器的配置，拦截两类请求，一类是到页面的，一类是提交表单的。当转到页面的请求到来时，生成token的名字和token值，一份放到Redis缓存中，一份放传给页面表单的隐藏域。（注：这里之所以使用redis缓存，是因为tomcat服务器是集群部署的，要保证token的存储介质是全局线程安全的，而redis是单线程的）

当表单请求提交时，拦截器得到参数中的tokenName和token，然后到缓存中去取token值，如果能匹配上，请求就通过，不能匹配上就不通过。这里的tokenName生成时也是随机的，每次请求都不一样。而从缓存中取token值时，会立即将其删除（删与读是原子的，无线程安全问题）。

实现方式：

TokenInterceptor.Java

package com.xxx.www.common.interceptor; 

import java.io.IOException; 
import java.util.HashMap; 
import java.util.Map; 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 
import org.apache.log4j.Logger; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; 
import com.xxx.cache.redis.IRedisCacheClient; 
import com.xxx.common.utility.JsonUtil; 
import com.xxx.www.common.utils.TokenHelper; 

 
public class TokenInterceptor extends HandlerInterceptorAdapter 
{ 

  private static Logger log = Logger.getLogger(TokenInterceptor.class); 
  private static Map viewUrls = new HashMap(); 
  private static Map actionUrls = new HashMap(); 
  private Object clock = new Object(); 

  @Autowired 
  private IRedisCacheClient redisCacheClient; 
  static 
  { 
    viewUrls.put("/user/regc/brandregnamecard/", "GET"); 
    viewUrls.put("/user/regc/regnamecard/", "GET"); 

    actionUrls.put("/user/regc/brandregnamecard/", "POST"); 
    actionUrls.put("/user/regc/regnamecard/", "POST"); 
  } 
  { 
    TokenHelper.setRedisCacheClient(redisCacheClient); 
  } 

   
  @Override 
  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    String url = request.getRequestURI(); 
    String method = request.getMethod(); 
    if(viewUrls.keySet().contains(url) && ((viewUrls.get(url)) == null || viewUrls.get(url).equals(method))) 
    { 
      TokenHelper.setToken(request); 
      return true; 
    } 
    else if(actionUrls.keySet().contains(url) && ((actionUrls.get(url)) == null || actionUrls.get(url).equals(method))) 
    { 
      log.debug("Intercepting invocation to check for valid transaction token."); 
      return handleToken(request, response, handler); 
    } 
    return true; 
  } 

  protected boolean handleToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    synchronized(clock) 
    { 
      if(!TokenHelper.validToken(request)) 
      { 
 System.out.println("未通过验证..."); 
 return handleInvalidToken(request, response, handler); 
      } 
    } 
    System.out.println("通过验证..."); 
    return handlevalidToken(request, response, handler); 
  } 

   
  protected boolean handleInvalidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    Map data = new HashMap(); 
    data.put("flag", 0); 
    data.put("msg", "请不要频繁操作！"); 
    writeMessageUtf8(response, data); 
    return false; 
  } 

   
  protected boolean handlevalidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception 
  { 
    return true; 
  } 

  private void writeMessageUtf8(HttpServletResponse response, Map json) throws IOException 
  { 
    try 
    { 
      response.setCharacterEncoding("UTF-8"); 
      response.getWriter().print(JsonUtil.toJson(json)); 
    } 
    finally 
    { 
      response.getWriter().close(); 
    } 
  } 

} 

TokenHelper.java

package com.xxx.www.common.utils; 

import java.math.BigInteger; 
import java.util.Map; 
import java.util.Random; 
import javax.servlet.http.HttpServletRequest; 
import org.apache.log4j.Logger; 
import com.xxx.cache.redis.IRedisCacheClient; 

 
public class TokenHelper 
{ 

   
  public static final String TOKEN_NAMESPACE = "xxx.tokens"; 

   
  public static final String TOKEN_NAME_FIELD = "xxx.token.name"; 
  private static final Logger LOG = Logger.getLogger(TokenHelper.class); 
  private static final Random RANDOM = new Random(); 

  private static IRedisCacheClient redisCacheClient;// 缓存调用,代替session,支持分布式 

  public static void setRedisCacheClient(IRedisCacheClient redisCacheClient) 
  { 
    TokenHelper.redisCacheClient = redisCacheClient; 
  } 

   
  public static String setToken(HttpServletRequest request) 
  { 
    return setToken(request, generateGUID()); 
  } 

   
  private static String setToken(HttpServletRequest request, String tokenName) 
  { 
    String token = generateGUID(); 
    setCacheToken(request, tokenName, token); 
    return token; 
  } 

   
  private static void setCacheToken(HttpServletRequest request, String tokenName, String token) 
  { 
    try 
    { 
      String tokenName0 = buildTokenCacheAttributeName(tokenName); 
      redisCacheClient.listLpush(tokenName0, token); 
      request.setAttribute(TOKEN_NAME_FIELD, tokenName); 
      request.setAttribute(tokenName, token); 
    } 
    catch(IllegalStateException e) 
    { 
      String msg = "Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: " + e.getMessage(); 
      LOG.error(msg, e); 
      throw new IllegalArgumentException(msg); 
    } 
  } 

   
  public static String buildTokenCacheAttributeName(String tokenName) 
  { 
    return TOKEN_NAMESPACE + "." + tokenName; 
  } 

   
  public static String getToken(HttpServletRequest request, String tokenName) 
  { 
    if(tokenName == null) 
    { 
      return null; 
    } 
    Map params = request.getParameterMap(); 
    String[] tokens = (String[]) (String[]) params.get(tokenName); 
    String token; 
    if((tokens == null) || (tokens.length < 1)) 
    { 
      LOG.warn("Could not find token mapped to token name " + tokenName); 
      return null; 
    } 

    token = tokens[0]; 
    return token; 
  } 

   
  public static String getTokenName(HttpServletRequest request) 
  { 
    Map params = request.getParameterMap(); 

    if(!params.containsKey(TOKEN_NAME_FIELD)) 
    { 
      LOG.warn("Could not find token name in params."); 
      return null; 
    } 

    String[] tokenNames = (String[]) params.get(TOKEN_NAME_FIELD); 
    String tokenName; 

    if((tokenNames == null) || (tokenNames.length < 1)) 
    { 
      LOG.warn("Got a null or empty token name."); 
      return null; 
    } 

    tokenName = tokenNames[0]; 

    return tokenName; 
  } 

   
  public static boolean validToken(HttpServletRequest request) 
  { 
    String tokenName = getTokenName(request); 

    if(tokenName == null) 
    { 
      LOG.debug("no token name found -> Invalid token "); 
      return false; 
    } 

    String token = getToken(request, tokenName); 

    if(token == null) 
    { 
      if(LOG.isDebugEnabled()) 
      { 
 LOG.debug("no token found for token name " + tokenName + " -> Invalid token "); 
      } 
      return false; 
    } 

    String tokenCacheName = buildTokenCacheAttributeName(tokenName); 
    String cacheToken = redisCacheClient.listLpop(tokenCacheName); 

    if(!token.equals(cacheToken)) 
    { 
      LOG.warn("xxx.internal.invalid.token Form token " + token + " does not match the session token " + cacheToken + "."); 
      return false; 
    } 

    // remove the token so it won't be used again 

    return true; 
  } 

  public static String generateGUID() 
  { 
    return new BigInteger(165,RANDOM).toString(36).toUpperCase(); 
  } 

} 

spring-mvc.xml

input.jsp 在form中加如下内容：

" value="<%=token %>"/> 

"/> 

当前这里也可以用类似于struts2的自定义标签来做。

以上就是本文的全部内容，希望对大家的学习有所帮助，也希望大家多多支持考高分网。