首先创建一个自定义的注解:
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface Token {
boolean create() default false;
boolean remove() default false;
}
在跳转页面的方法上加上:@Token(create = true),在提交的action方法上加上:@Token(remove = true)
然后写一个拦截器:
public class TokenInterceptor extends HandlerInterceptorAdapter {
private Logger logger = Logger.getLogger(TokenInterceptor.class); private static final String TOKEN = "token";
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
// 如果这是一个处理接口
if (handler instanceof HandlerMethod) {
// 获取handler的方法
Method method = ((HandlerMethod) handler).getMethod();
// 获取handler的注解
Token annotation = method.getAnnotation(Token.class);
if (annotation != null) { // 如果请求接口中有@Token注解
// 获取session
HttpSession session = request.getSession();
// token的 create 值
boolean create = annotation.create();
if (create) {
// 创建token然后加入到session中
session.setAttribute(TOKEN, UUID.randomUUID().toString()); return true;
}
// token remove值
boolean remove = annotation.remove();
if (remove) {
if (isRepeatSubmit(request)) {
logger.warn("表单不能重复提交:" + request.getRequestURL());
return false;
}
// 从session中移除token
session.removeAttribute(TOKEN);
}
}
} else {
return super.preHandle(request, response, handler);
}
return true;
}
private boolean isRepeatSubmit(HttpServletRequest request) {
String token = (String) request.getSession().getAttribute(TOKEN);
if (token == null) {
return true;
}
String reqToken = request.getParameter(TOKEN);
if (reqToken == null) {
return true;
}
if (!token.equals(reqToken)) {
return true; } return false;
}
}
然后配置这个拦截器:
<!--配置拦截器 -->
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**" />
<bean class="com.example.web.interceptor.TokenInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
表单添加token:
<input type="hidden" id="token" name="token" value="$!{session.getAttribute('token')}"/>
请求的时候要把token带进去