避免表单重复提交--用session实现token机制
2017-03-21 19:32
309 查看
直接拿例子来说吧!!
目录结构
web.xml
<span style="font-size:18px;"><?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <display-name>javaWeb_25</display-name> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> </web-app></span>
index.jsp
<span style="font-size:18px;"><%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>index.jsp</title> </head> <body> <form action="<%=request.getContextPath() %>/tokenServlet" method="post"> name: <input type="text" name="name"><br> <input type="submit" value="提交"> </form> </body> </html></span>
TokenServlet.java
<span style="font-size:18px;">package com.dao.chu; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * Servlet implementation class TokenServlet */ @WebServlet("/tokenServlet") public class TokenServlet extends HttpServlet { private static final long serialVersionUID = 1L; /** * @see HttpServlet#HttpServlet() */ public TokenServlet() { super(); // TODO Auto-generated constructor stub } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub 4000 String name = request.getParameter("name"); System.out.println("name is :"+name); request.getRequestDispatcher("/success.jsp").forward(request, response); } }
success.jsp
<span style="font-size:18px;"><%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>success.jsp</title> </head> <body> <h1>success page</h1> </body> </html></span>
运行效果
提交表单一次,并且刷新三次页面
这就是表单的重复提交
重复提交的情况:
①在表单提交到一个Servlet而Servlet又通过请求转发的方式响应了一个jsp或者是html页面,此时地址栏还保留着Servlet的路径,在响应页面点击刷新。
②在响应页面没有到达时,重复点击提交按钮。
③点击返回,再点击提交
不是重复提交的情况
①点击返回,刷新原表单页面,再点击提交
如何避免表单的重复提交
在表单中做一个标记,提交到Servlet时,检查标记是否存在且是否和预定的标记一致,若一致,则受理请求,并销毁标记,若不一致,则直接响应提示信息:重复提交。1.只写一个一个隐藏逾
<input type="hidden" name="token" value="daochuwenziyao">,不行。因为无法销毁标记。2.标记放在request中
各文件修改如下:index.jsp
<span style="font-size:18px;"><%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>index.jsp</title> </head> <body> <form action="<%=request.getContextPath() %>/tokenServlet" method="post"> <% request.setAttribute("token", "daochuwenizyao"); %> name: <input type="text" name="name"><br> <input type="submit" value="提交"> </form> </body> </html></span>
TokenServlet
package com.dao.chu; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * Servlet implementation class TokenServlet */ @WebServlet("/tokenServlet") public class TokenServlet extends HttpServlet { private static final long serialVersionUID = 1L; /** * @see HttpServlet#HttpServlet() */ public TokenServlet() { super(); // TODO Auto-generated constructor stub } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub String name = request.getParameter("name"); Object token = request.getAttribute("token"); if (token!=null) { request.removeAttribute("token"); }else { response.sendRedirect(request.getContextPath()+"/token.jsp");; } } }
token.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>token.jsp</title> </head> <body> <h3>对不起,您已经提交过了</h3> </body> </html>
也不行,因为表单页面刷新后request已经被销毁,再提交表单是一个新的request。
3.标记放在session中.
index.jsp
<span style="font-size:18px;"><%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>index.jsp</title> </head> <body> <form action="<%=request.getContextPath() %>/tokenServlet" method="post"> <% session.setAttribute("token", "daochuwenizyao"); %> name: <input type="text" name="name"><br> <input type="submit" value="提交"> </form> </body> </html></span>
TokenServlet.Java
package com.dao.chu; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /** * Servlet implementation class TokenServlet */ @WebServlet("/tokenServlet") public class TokenServlet extends HttpServlet { private static final long serialVersionUID = 1L; /** * @see HttpServlet#HttpServlet() */ public TokenServlet() { super(); // TODO Auto-generated constructor stub } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub HttpSession session = request.getSession(); Object token = session.getAttribute("token"); if (token!=null) { session.removeAttribute("token"); }else { response.sendRedirect(request.getContextPath()+"/token.jsp");; } } }
经过检测,此方法可行。
但是有时候我们需要往session中放一个随机值,后台如何取得该随机值呢,这时候需要和隐藏逾搭配使用。
index.jsp
<span style="font-size:18px;"><%@page import="java.util.Date"%> <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>index.jsp</title> </head> <body> <% String tokenValue = new Date().getTime() + ""; session.setAttribute("token", tokenValue); %> <form action="<%=request.getContextPath() %>/tokenServlet" method="post"> <input type="hidden" name="token" value="<%=tokenValue %>"> name: <input type="text" name="name"><br> <input type="submit" value="提交"> </form> </body> </html></span>
TokenServlet.java
package com.dao.chu; import java.io.IOException; import java.util.Date; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /** * Servlet implementation class TokenServlet */ @WebServlet("/tokenServlet") public class TokenServlet extends HttpServlet { private static final long serialVersionUID = 1L; /** * @see HttpServlet#HttpServlet() */ public TokenServlet() { super(); // TODO Auto-generated constructor stub } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub HttpSession session = request.getSession(); String tokenValue = request.getParameter("token"); String token = (String)session.getAttribute("token"); if (token!=null && token.equals(tokenValue)) { session.removeAttribute("token"); }else { response.sendRedirect(request.getContextPath()+"/token.jsp");; } } }
经过检测,此方法可行。并且更加满足需求。
步骤:
1.在原表单页面,生成一个随机数token
2.在原表单页面,把token放在session属性中
3.在原表单页面,把token值放在隐藏逾中
4.在目标Servlet中,获取session和隐藏逾中的token值
5.比较两个值是否一致,若一致,受理请求且把session中的token属性清除,若不一致则直接显示提示页面:重复提交
使用strus1的工具类来编写代码
strus1的工具类下载地址
http://download.csdn.NET/download/zhangyw31/2706595打开
G:\struts-1.2.9-src\src\share\org\apache\struts\util\TokenProcessor.java
将TokenProcessor复制到项目中,修改两个常量即可。如果好奇可以在G:\struts-1.2.9-src\src\share\org\apache\struts\Globals中可以搜索到。
最终我们修改成如下文件:
TokenProcessor.java
/* * $Id: TokenProcessor.java 54929 2004-10-16 16:38:42Z germuska $ * * Copyright 2003-2004 The Apache Software Foundation. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.dao.chu; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; im cacd port javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; /** * TokenProcessor is responsible for handling all token related functionality. The * methods in this class are synchronized to protect token processing from multiple * threads. Servlet containers are allowed to return a different HttpSession object * for two threads accessing the same session so it is not possible to synchronize * on the session. * * @since Struts 1.1 */ public class TokenProcessor { private static final String TOKEN_KEY = null; private static final String TRANSACTION_TOKEN_KEY = null; /** * The singleton instance of this class. */ private static TokenProcessor instance = new TokenProcessor(); /** * Retrieves the singleton instance of this class. */ public static TokenProcessor getInstance() { return instance; } /** * Protected constructor for TokenProcessor. Use TokenProcessor.getInstance() * to obtain a reference to the processor. */ protected TokenProcessor() { super(); } /** * The timestamp used most recently to generate a token value. */ private long previous; /** * Return <code>true</code> if there is a transaction token stored in * the user's current session, and the value submitted as a request * parameter with this action matches it. Returns <code>false</code> * under any of the following circumstances: * <ul> * <li>No session associated with this request</li> * <li>No transaction token saved in the session</li> * <li>No transaction token included as a request parameter</li> * <li>The included transaction token value does not match the * transaction token in the user's session</li> * </ul> * * @param request The servlet request we are processing */ public synchronized boolean isTokenValid(HttpServletRequest request) { return this.isTokenValid(request, false); } /** * Return <code>true</code> if there is a transaction token stored in * the user's current session, and the value submitted as a request * parameter with this action matches it. Returns <code>false</code> * <ul> * <li>No session associated with this request</li> * <li>No transaction token saved in the session</li> * <li>No transaction token included as a request parameter</li> * <li>The included transaction token value does not match the * transaction token in the user's session</li> * </ul> * * @param request The servlet request we are processing * @param reset Should we reset the token after checking it? */ public synchronized boolean isTokenValid( HttpServletRequest request, boolean reset) { // Retrieve the current session for this request HttpSession session = request.getSession(false); if (session == null) { return false; } // Retrieve the transaction token from this session, and // reset it if requested String saved = (String) session.getAttribute(TRANSACTION_TOKEN_KEY); if (saved == null) { return false; } if (reset) { this.resetToken(request); } // Retrieve the transaction token included in this request String token = request.getParameter(TOKEN_KEY); if (token == null) { return false; } return saved.equals(token); } /** * Reset the saved transaction token in the user's session. This * indicates that transactional token checking will not be needed * on the next request that is submitted. * * @param request The servlet request we are processing */ public synchronized void resetToken(HttpServletRequest request) { HttpSession session = request.getSession(false); if (session == null) { return; } session.removeAttribute(TRANSACTION_TOKEN_KEY); } /** * Save a new transaction token in the user's current session, creating * a new session if necessary. * * @param request The servlet request we are processing */ public synchronized void saveToken(HttpServletRequest request) { HttpSession session = request.getSession(); String token = generateToken(request); if (token != null) { session.setAttribute(TRANSACTION_TOKEN_KEY, token); } } /** * Generate a new transaction token, to be used for enforcing a single * request for a particular transaction. * * @param request The request we are processing */ public synchronized String generateToken(HttpServletRequest request) { HttpSession session = request.getSession(); try { byte id[] = session.getId().getBytes(); long current = System.currentTimeMillis(); if (current == previous) { current++; } previous = current; byte now[] = new Long(current).toString().getBytes(); MessageDigest md = MessageDigest.getInstance("MD5"); md.update(id); md.update(now); return toHex(md.digest()); } catch (NoSuchAlgorithmException e) { return null; } } /** * Convert a byte array to a String of hexadecimal digits and return it. * @param buffer The byte array to be converted */ private String toHex(byte buffer[]) { StringBuffer sb = new StringBuffer(buffer.length * 2); for (int i = 0; i < buffer.length; i++) { sb.append(Character.forDigit((buffer[i] & 0xf0) >> 4, 16)); sb.append(Character.forDigit(buffer[i] & 0x0f, 16)); } return sb.toString(); } }
项目结构
index.jsp
<span style="font-size:18px;"><%@page import="com.dao.chu.TokenProcessor"%> <%@page import="java.util.Date"%> <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>index.jsp</title> </head> <body> <form action="<%=request.getContextPath() %>/tokenServlet" method="post"> <!-- 两个作用 1.产生一个随机值 2.tokenValue放在session中 --> <input type="hidden" name="TOKEN_KEY" value="<%=TokenProcessor.getInstance().saveToken(request) %>"> name: <input type="text" name="name"><br> <input type="submit" value="提交"> </form> </body> </html></span>
TokenServlet.java
package com.dao.chu; import java.io.IOException; import java.util.Date; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /** * Servlet implementation class TokenServlet */ @WebServlet("/tokenServlet") public class TokenServlet extends HttpServlet { private static final long serialVersionUID = 1L; /** * @see HttpServlet#HttpServlet() */ public TokenServlet() { super(); // TODO Auto-generated constructor stub } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub boolean tokenValid = TokenProcessor.getInstance().isTokenValid(request); if (tokenValid) { TokenProcessor.getInstance().resetToken(request); } else { response.sendRedirect(request.getContextPath()+"/token.jsp");; } } }
可以看出这样写代码复用性很高。
运行效果
正常情况下可以提交,一旦发生重复提交,则会跳转到另外一个页面。转自http://blog.csdn.net/daochuwenziyao/article/details/60592188
相关文章推荐
- 避免表单重复提交(js实现)
- 使用Struts的Token机制解决表单的重复提交
- 使用struts同步令牌机制避免表单的重复提交
- 使用Struts的Token机制解决表单的重复提交
- 使用struts2的token机制和cookie来防止表单重复提交
- 用Struts的Token机制解决表单重复提交
- 我对servlet+jsp当中使用token令牌避免用户重复提交表单的见解
- 使用Struts的Token机制解决表单的重复提交
- 不用struts2的token机制,手动防止表单数据重复提交
- 使用struts同步令牌机制避免表单的重复提交
- 用Struts的Token机制解决表单重复提交
- javaEE开发中使用session同步和token机制来防止并发重复提交
- 避免表单重复提交(js实现) (转)
- 利用Session防止表单重复提交(token)
- 使用Struts的Token机制解决表单的重复提交
- 使用Struts的Token机制解决表单的重复提交
- javaEE开发中使用session同步和token机制来防止并发重复提交
- PHP实现防止表单重复提交功能【基于token验证】
- Struts的Token(令牌)机制解决表单重复提交的问题
- 使用token在服务器端避免表单的重复提交