一,原理:
1,在进入到提交页面时,使用拦截器拦截在进入此方法前,生成一个token,放到session中,
@RequestMapping(value = "/{id}/details") @FormToken(produce = true) public Object details(@PathVariable String id, HttpServletRequest request){ Map<String,Object> map = new HashMap<>(); GameInfo gameInfo; int count; try { gameInfo = gameInfoService.get(id, -1); // 使用此游戏的活动数 count = activityService.getCountByGid(id); gameInfo.setCount(count); } catch (TException e) { LOGGER.debug("获取指定游戏详情失败!!", e); return new MessageEntity.Builder(request).msg("跳转预览页面失败").code(201).success(false) .create(); } map.put("gameInfo",gameInfo); return new MessageEntity.Builder(request).msg("success").code(201).content(map).success(true) .create(); }
@FormToken此标签:
package com.caobug.client.annotation; import java.lang.annotation.*; /** * TOKEN生成与删除 * Created by caobug on 14-8-15. */ @Target(ElementType.METHOD) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface FormToken { /** * 是否在页面生成TOKEN * * @return */ boolean produce() default false; /** * 是否删除旧 TOKEN * * @return */ boolean remove() default false; }
实现一个拦截器接口
package com.caobug.client.support.interceptor; import com.caobug.client.annotation.FormToken; import com.caobug.client.support.MessageCode; import com.caobug.client.support.MessageEntity; import com.caobug.client.support.utils.TokenUtils; import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.lang3.StringUtils; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.method.HandlerMethod; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.PrintWriter; import java.lang.reflect.Method; /** * Token 拦截器 * <p/> * Created by caobug on 14-8-15. */ public class FormTokenInterceptor extends HandlerInterceptorAdapter { public final static String TOKEN_NAME = "resubmitToken"; /** * 方法处理前处理 * * @param request * @param response * @param handler * @return * @throws Exception */ @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { HandlerMethod handlerMethod = (HandlerMethod) handler; Method method = handlerMethod.getMethod(); FormToken formToken = method.getAnnotation(FormToken.class); if (null != formToken) { if ((formToken.produce() && formToken.remove()) || (!formToken.produce() && !formToken.remove())) { throw new RuntimeException("请不要在同一个方法上同时注解:@FormToken(remove = true/false, produce = true/false)"); } else if (formToken.produce()) { request.getSession().setAttribute(TOKEN_NAME, TokenUtils.getToken()); } else if (formToken.remove()) { String serverToken = (String) request.getSession().getAttribute(TOKEN_NAME); String clientToken = request.getParameter(TOKEN_NAME); request.getSession().removeAttribute(TOKEN_NAME); // remove token if (!StringUtils.equals(serverToken, clientToken)) { if (null != method.getAnnotation(ResponseBody.class)) { // JSON response.setContentType(MediaType.APPLICATION_JSON_VALUE); PrintWriter out = response.getWriter(); out.print(new ObjectMapper().writeValueAsString(new MessageEntity.Builder(null). code(MessageCode.SEND_MULTIPLE).msg("无效请求,请刷新页面后重试").create())); out.flush(); out.close(); } else { // 普通页面 request.getRequestDispatcher("/error/invalidRequest").forward(request, response); } return false; } } } return super.preHandle(request, response, handler); } }
xml配置:
<bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping"> <property name="interceptors"> <list> <bean class="com.caobug.client.support.interceptor.FormTokenInterceptor"/> </list> </property> </bean>
2,在提交页面中接收到这个值:
<input type="hidden" name="token" value="${token}" />
3,提交处理;
@RequestMapping("/SaveDataController/saveData") @ResponseBody @FormToken(remove=true) public void saveData(HttpServletRequest request,HttpServletResponse response, String tablename,String trowkey,String columns, String indextablename,String irowkey,String icolumns, String task_id,String savetype,String memoryCodes){ System.out.println(task_id); saveDataService.saveData(task_id,savetype,memoryCodes,tablename, trowkey, columns, indextablename, irowkey, icolumns); }
4,第一次提交时,在还没进入到提交页面时,就在服务器端生成一个token(拦截器做出此动作),把此token传递给提交页面,点击“提交”按钮,进入到处理的method方法,拦截此方法,在拦截器中把session的值清空,对比两个token,
http://www.cnblogs.com/hdwpdx/archive/2016/03/29/5333943.html