前言
今天发了三篇博客,咋一看这三篇博客毫无联系,网上很多博客也多是将这三篇博客作为三篇不同的主题发表。如果你不将这三篇博客联系起来看,就不能很透彻的防重复提交这个知识点,也不能学完整这个知识体系。为什么说这三篇文章要关联看,我在第三篇博客 springmvc下的基于token的防重复提交 里会阐述原因.下面要讲的三篇博客:
3 springmvc下的基于token的防重复提交:http://blog.csdn.net/wabiaozia/article/details/52065065 2 总结 XSS 与 CSRF 两种跨站攻击:http://blog.csdn.net/wabiaozia/article/details/52064849 1 外刊IT评论:防止表单重复提交的几种策略:http://blog.csdn.net/wabiaozia/article/details/52064772
由于"springmvc下的基于token的防重复提交"网上demo很多,我就不写了,直接拷来一篇。
正文
原文出处:http://blog.csdn.net/mylovepan/article/details/38894941
问题描述:
现在的网站在注册步骤中,由于后台要处理大量信息,造成响应变慢(测试机器性能差也是造成变慢的一个因素),在前端页面提交信息之前,等待后端响应,此时如果用户 再点一次提交按钮,后台会保存多份用户信息。为解决此问题,借鉴了struts2的token思路,在springmvc下实现token。
实现思路:
在springmvc配置文件中加入拦截器的配置,拦截两类请求,一类是到页面的,一类是提交表单的。当转到页面的请求到来时,生成token的名字和token值,一份放到redis缓存中,一份放传给页面表单的隐藏域。(注:这里之所以使用redis缓存,是因为tomcat服务器是集群部署的,要保证token的存储介质是全局线程安全的,而redis是单线程的)
当表单请求提交时,拦截器得到参数中的tokenName和token,然后到缓存中去取token值,如果能匹配上,请求就通过,不能匹配上就不通过。这里的tokenName生成时也是随机的,每次请求都不一样。而从缓存中取token值时,会立即将其删除(删与读是原子的,无线程安全问题)。
实现方式:
TokenInterceptor.java
package com.xxx.www.common.interceptor; import java.io.IOException; import java.util.HashMap; import java.util.Map; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; import com.xxx.cache.redis.IRedisCacheClient; import com.xxx.common.utility.JsonUtil; import com.xxx.www.common.utils.TokenHelper; public class TokenInterceptor extends HandlerInterceptorAdapter { private static Logger log = Logger.getLogger(TokenInterceptor. class ); private static Map<String , String> viewUrls = new HashMap<String , String>(); private static Map<String , String> actionUrls = new HashMap<String , String>(); private Object clock = new Object(); @Autowired private IRedisCacheClient redisCacheClient; static { viewUrls.put("/user/regc/brandregnamecard/" , "GET" ); viewUrls.put("/user/regc/regnamecard/" , "GET" ); actionUrls.put("/user/regc/brandregnamecard/" , "POST" ); actionUrls.put("/user/regc/regnamecard/" , "POST" ); } { TokenHelper.setRedisCacheClient(redisCacheClient); } @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { String url = request.getRequestURI(); String method = request.getMethod(); if (viewUrls.keySet().contains(url) && ((viewUrls.get(url)) == null || viewUrls.get(url).equals(method))) { TokenHelper.setToken(request); return true ; } else if (actionUrls.keySet().contains(url) && ((actionUrls.get(url)) == null || actionUrls.get(url).equals(method))) { log.debug("Intercepting invocation to check for valid transaction token." ); return handleToken(request, response, handler); } return true ; } protected boolean handleToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { synchronized (clock) { if (!TokenHelper.validToken(request)) { System.out.println("未通过验证..." ); return handleInvalidToken(request, response, handler); } } System.out.println("通过验证..." ); return handleValidToken(request, response, handler); } protected boolean handleInvalidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { Map<String , Object> data = new HashMap<String , Object>(); data.put("flag" , 0 ); data.put("msg" , "请不要频繁操作!" ); writeMessageUtf8(response, data); return false ; } protected boolean handleValidToken(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { return true ; } private void writeMessageUtf8(HttpServletResponse response, Map<String , Object> json) throws IOException { try { response.setCharacterEncoding("UTF-8" ); response.getWriter().print(JsonUtil.toJson(json)); } finally { response.getWriter().close(); } } }
TokenHelper.java
package com.xxx.www.common.utils; import java.math.BigInteger; import java.util.Map; import java.util.Random; import javax.servlet.http.HttpServletRequest; import org.apache.log4j.Logger; import com.xxx.cache.redis.IRedisCacheClient; public class TokenHelper { public static final String TOKEN_NAMESPACE = "xxx.tokens" ; public static final String TOKEN_NAME_FIELD = "xxx.token.name" ; private static final Logger LOG = Logger.getLogger(TokenHelper. class ); private static final Random RANDOM = new Random(); private static IRedisCacheClient redisCacheClient; public static void setRedisCacheClient(IRedisCacheClient redisCacheClient) { TokenHelper.redisCacheClient = redisCacheClient; } public static String setToken(HttpServletRequest request) { return setToken(request, generateGUID()); } private static String setToken(HttpServletRequest request, String tokenName) { String token = generateGUID(); setCacheToken(request, tokenName, token); return token; } private static void setCacheToken(HttpServletRequest request, String tokenName, String token) { try { String tokenName0 = buildTokenCacheAttributeName(tokenName); redisCacheClient.listLpush(tokenName0, token); request.setAttribute(TOKEN_NAME_FIELD, tokenName); request.setAttribute(tokenName, token); } catch (IllegalStateException e) { String msg = "Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: " + e.getMessage(); LOG.error(msg, e); throw new IllegalArgumentException(msg); } } public static String buildTokenCacheAttributeName(String tokenName) { return TOKEN_NAMESPACE + "." + tokenName; } public static String getToken(HttpServletRequest request, String tokenName) { if (tokenName == null ) { return null ; } Map params = request.getParameterMap(); String[] tokens = (String[]) (String[]) params.get(tokenName); String token; if ((tokens == null ) || (tokens.length < 1 )) { LOG.warn("Could not find token mapped to token name " + tokenName); return null ; } token = tokens[0 ]; return token; } public static String getTokenName(HttpServletRequest request) { Map params = request.getParameterMap(); if (!params.containsKey(TOKEN_NAME_FIELD)) { LOG.warn("Could not find token name in params." ); return null ; } String[] tokenNames = (String[]) params.get(TOKEN_NAME_FIELD); String tokenName; if ((tokenNames == null ) || (tokenNames.length < 1 )) { LOG.warn("Got a null or empty token name." ); return null ; } tokenName = tokenNames[0 ]; return tokenName; } public static boolean validToken(HttpServletRequest request) { String tokenName = getTokenName(request); if (tokenName == null ) { LOG.debug("no token name found -> Invalid token " ); return false ; } String token = getToken(request, tokenName); if (token == null ) { if (LOG.isDebugEnabled()) { LOG.debug("no token found for token name " + tokenName + " -> Invalid token " ); } return false ; } String tokenCacheName = buildTokenCacheAttributeName(tokenName); String cacheToken = redisCacheClient.listLpop(tokenCacheName); if (!token.equals(cacheToken)) { LOG.warn("xxx.internal.invalid.token Form token " + token + " does not match the session token " + cacheToken + "." ); return false ; } return true ; } public static String generateGUID() { return new BigInteger( 165 , RANDOM).toString( 36 ).toUpperCase(); } }
spring-mvc.xml
< bean id = "tokenInterceptor" class = "com.xxx.www.common.interceptor.TokenInterceptor" > </ bean > < bean class = "org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping" > < property name = "interceptors" > < list > < ref bean = "tokenInterceptor" /> </ list > </ property > </ bean >
input.jsp 在form中加如下内容:
< input type = "hidden" name =" < %=request.getAttribute(" xxx .token.name") % > " value = "<%=token %>" /> < input type = "hidden" name = "xxx.token.name" value =" < %=request.getAttribute(" xxx .token.name") % > " />
当前这里也可以用类似于struts2的自定义标签来做。
另:公司域名做了隐藏,用xxx替换了。
为什么用redis不用tomcat的session存token?
http://www.cnblogs.com/jiangu66/p/3241093.html
session存储和同步 由于默认tomcat使用内存管理session,在集群环境下,上述的做法将会存在不一致问题。比如用户从A服务器获取了表单和token,但是提交表单时候却往B服务器提交,这样B服务器判断用户为csrf攻击,所以,用session管理涉及道同步问题。当然,另一个做法是把cookie当session用,把csrf的token放在用户的cookie中。但是,为了避免泄漏token,需要对token进行加密,和进行http only的设置,后者避免js对cookie中的token进行访问。
-------------------------------------------------------------------------------------------------------------------------------------------
我博客所有文章目录: 点击打开链接