避免表单重复提交--用session实现token机制

直接拿例子来说吧!!

目录结构


避免表单重复提交--用session实现token机制_第1张图片



web.xml

      
      
      javaWeb_25  
        
        index.jsp  
        
      

index.jsp

   <%@ page language="java" contentType="text/html; charset=UTF-8"  
        pageEncoding="UTF-8"%>  
      
      
      
      
    index.jsp  
      
      
        
name:



TokenServlet.java

package com.dao.chu;  
  
import java.io.IOException;  
  
import javax.servlet.ServletException;  
import javax.servlet.annotation.WebServlet;  
import javax.servlet.http.HttpServlet;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
  
/** 
 * Servlet implementation class TokenServlet 
 */  
@WebServlet("/tokenServlet")  
public class TokenServlet extends HttpServlet {  
    private static final long serialVersionUID = 1L;  
         
    /** 
     * @see HttpServlet#HttpServlet() 
     */  
    public TokenServlet() {  
        super();  
        // TODO Auto-generated constructor stub  
    }  
  
    /** 
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) 
     */  
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {  
        // TODO Auto-generated method stub  
          
        String name = request.getParameter("name");  
          
        System.out.println("name is :"+name);  
          
        request.getRequestDispatcher("/success.jsp").forward(request, response);  
    }  
  
}


success.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"  
    pageEncoding="UTF-8"%>  
  
  
  
  
success.jsp  
  
  
    

success page



运行效果


避免表单重复提交--用session实现token机制_第2张图片



提交表单一次,并且刷新三次页面



避免表单重复提交--用session实现token机制_第3张图片


这就是表单的重复提交



重复提交的情况:

①在表单提交到一个Servlet而Servlet又通过请求转发的方式响应了一个jsp或者是html页面,此时地址栏还保留着Servlet的路径,在响应页面点击刷新。

②在响应页面没有到达时,重复点击提交按钮。

③点击返回,再点击提交


不是重复提交的情况

①点击返回,刷新原表单页面,再点击提交


如何避免表单的重复提交

在表单中做一个标记,提交到Servlet时,检查标记是否存在且是否和预定的标记一致,若一致,则受理请求,并销毁标记,若不一致,则直接响应提示信息:重复提交。



1.只写一个一个隐藏逾

,不行。因为无法销毁标记。

2.标记放在request中

各文件修改如下:


index.jsp

    <%@ page language="java" contentType="text/html; charset=UTF-8"  
        pageEncoding="UTF-8"%>  
      
      
      
      
    index.jsp  
      
      
      
      
        
<% request.setAttribute("token", "daochuwenizyao"); %> name:

TokenServlet

package com.dao.chu;  
  
import java.io.IOException;  
  
import javax.servlet.ServletException;  
import javax.servlet.annotation.WebServlet;  
import javax.servlet.http.HttpServlet;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
  
/** 
 * Servlet implementation class TokenServlet 
 */  
@WebServlet("/tokenServlet")  
public class TokenServlet extends HttpServlet {  
    private static final long serialVersionUID = 1L;  
         
    /** 
     * @see HttpServlet#HttpServlet() 
     */  
    public TokenServlet() {  
        super();  
        // TODO Auto-generated constructor stub  
    }  
  
    /** 
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) 
     */  
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {  
        // TODO Auto-generated method stub  
          
        String name = request.getParameter("name");  
        Object token =  request.getAttribute("token");  
          
        if (token!=null) {  
              
            request.removeAttribute("token");  
              
        }else {  
            response.sendRedirect(request.getContextPath()+"/token.jsp");;  
        }  
          
          
          
    }  
  
} 


token.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"  
    pageEncoding="UTF-8"%>  
  
  
  
  
token.jsp  
  
  
  
    

对不起,您已经提交过了




也不行,因为表单页面刷新后request已经被销毁,再提交表单是一个新的request。




3.标记放在session中.


避免表单重复提交--用session实现token机制_第4张图片


index.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"  
    pageEncoding="UTF-8"%>  
  
  
  
  
index.jsp  
  
  
  
  
    
<% session.setAttribute("token", "daochuwenizyao"); %> name:

TokenServlet.Java

package com.dao.chu;  
  
import java.io.IOException;  
  
import javax.servlet.ServletException;  
import javax.servlet.annotation.WebServlet;  
import javax.servlet.http.HttpServlet;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import javax.servlet.http.HttpSession;  
  
/** 
 * Servlet implementation class TokenServlet 
 */  
@WebServlet("/tokenServlet")  
public class TokenServlet extends HttpServlet {  
    private static final long serialVersionUID = 1L;  
         
    /** 
     * @see HttpServlet#HttpServlet() 
     */  
    public TokenServlet() {  
        super();  
        // TODO Auto-generated constructor stub  
    }  
  
    /** 
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) 
     */  
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {  
        // TODO Auto-generated method stub  
          
        HttpSession session = request.getSession();  
          
        Object token =  session.getAttribute("token");  
          
        if (token!=null) {  
              
            session.removeAttribute("token");  
              
        }else {  
            response.sendRedirect(request.getContextPath()+"/token.jsp");;  
        }  
          
          
          
    }  
  
}



经过检测,此方法可行。

但是有时候我们需要往session中放一个随机值,后台如何取得该随机值呢,这时候需要和隐藏逾搭配使用。


index.jsp

    <%@page import="java.util.Date"%>  
    <%@ page language="java" contentType="text/html; charset=UTF-8"  
        pageEncoding="UTF-8"%>  
      
      
      
      
    index.jsp  
      
      
        <%  
            String tokenValue = new Date().getTime() + "";  
            session.setAttribute("token", tokenValue);  
        %>  
      
        
name:



TokenServlet.java

package com.dao.chu;  
  
import java.io.IOException;  
import java.util.Date;  
  
import javax.servlet.ServletException;  
import javax.servlet.annotation.WebServlet;  
import javax.servlet.http.HttpServlet;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import javax.servlet.http.HttpSession;  
  
/** 
 * Servlet implementation class TokenServlet 
 */  
@WebServlet("/tokenServlet")  
public class TokenServlet extends HttpServlet {  
    private static final long serialVersionUID = 1L;  
         
    /** 
     * @see HttpServlet#HttpServlet() 
     */  
    public TokenServlet() {  
        super();  
        // TODO Auto-generated constructor stub  
    }  
  
    /** 
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) 
     */  
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {  
        // TODO Auto-generated method stub  
          
        HttpSession session = request.getSession();  
          
        String tokenValue = request.getParameter("token");  
        String token = (String)session.getAttribute("token");  
          
          
        if (token!=null && token.equals(tokenValue)) {  
              
            session.removeAttribute("token");  
              
        }else {  
            response.sendRedirect(request.getContextPath()+"/token.jsp");;  
        }  
          
          
          
    }  
  
}


经过检测,此方法可行。并且更加满足需求。


步骤:

1.在原表单页面,生成一个随机数token

2.在原表单页面,把token放在session属性中

3.在原表单页面,把token值放在隐藏逾中

4.在目标Servlet中,获取session和隐藏逾中的token值

5.比较两个值是否一致,若一致,受理请求且把session中的token属性清除,若不一致则直接显示提示页面:重复提交



使用strus1的工具类来编写代码

strus1的工具类


下载地址

http://download.csdn.NET/download/zhangyw31/2706595


打开

G:\struts-1.2.9-src\src\share\org\apache\struts\util\TokenProcessor.java


将TokenProcessor复制到项目中,修改两个常量即可。如果好奇可以在G:\struts-1.2.9-src\src\share\org\apache\struts\Globals中可以搜索到。

最终我们修改成如下文件:


TokenProcessor.java

    /* 
     * $Id: TokenProcessor.java 54929 2004-10-16 16:38:42Z germuska $  
     * 
     * Copyright 2003-2004 The Apache Software Foundation. 
     *  
     * Licensed under the Apache License, Version 2.0 (the "License"); 
     * you may not use this file except in compliance with the License. 
     * You may obtain a copy of the License at 
     *  
     *      http://www.apache.org/licenses/LICENSE-2.0 
     *  
     * Unless required by applicable law or agreed to in writing, software 
     * distributed under the License is distributed on an "AS IS" BASIS, 
     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
     * See the License for the specific language governing permissions and 
     * limitations under the License. 
     */  
      
    package com.dao.chu;  
      
    import java.security.MessageDigest;  
    import java.security.NoSuchAlgorithmException;  
      
    import javax.servlet.http.HttpServletRequest;  
    import javax.servlet.http.HttpSession;  
      
      
    /** 
     * TokenProcessor is responsible for handling all token related functionality.  The  
     * methods in this class are synchronized to protect token processing from multiple 
     * threads.  Servlet containers are allowed to return a different HttpSession object 
     * for two threads accessing the same session so it is not possible to synchronize  
     * on the session. 
     *  
     * @since Struts 1.1 
     */  
    public class TokenProcessor {  
      
        private static final String TOKEN_KEY = null;  
        private static final String TRANSACTION_TOKEN_KEY = null;  
        /** 
         * The singleton instance of this class. 
         */  
        private static TokenProcessor instance = new TokenProcessor();  
      
        /** 
         * Retrieves the singleton instance of this class. 
         */  
        public static TokenProcessor getInstance() {  
            return instance;  
        }  
      
        /** 
         * Protected constructor for TokenProcessor.  Use TokenProcessor.getInstance() 
         * to obtain a reference to the processor. 
         */  
        protected TokenProcessor() {  
            super();  
        }  
      
        /** 
         * The timestamp used most recently to generate a token value. 
         */  
        private long previous;  
      
        /** 
         * Return true if there is a transaction token stored in 
         * the user's current session, and the value submitted as a request 
         * parameter with this action matches it.  Returns false 
         * under any of the following circumstances: 
         * 
    *
  • No session associated with this request
  • *
  • No transaction token saved in the session
  • *
  • No transaction token included as a request parameter
  • *
  • The included transaction token value does not match the * transaction token in the user's session
  • *
* * @param request The servlet request we are processing */ public synchronized boolean isTokenValid(HttpServletRequest request) { return this.isTokenValid(request, false); } /** * Return true if there is a transaction token stored in * the user's current session, and the value submitted as a request * parameter with this action matches it. Returns false *
    *
  • No session associated with this request
  • *
  • No transaction token saved in the session
  • *
  • No transaction token included as a request parameter
  • *
  • The included transaction token value does not match the * transaction token in the user's session
  • *
* * @param request The servlet request we are processing * @param reset Should we reset the token after checking it? */ public synchronized boolean isTokenValid( HttpServletRequest request, boolean reset) { // Retrieve the current session for this request HttpSession session = request.getSession(false); if (session == null) { return false; } // Retrieve the transaction token from this session, and // reset it if requested String saved = (String) session.getAttribute(TRANSACTION_TOKEN_KEY); if (saved == null) { return false; } if (reset) { this.resetToken(request); } // Retrieve the transaction token included in this request String token = request.getParameter(TOKEN_KEY); if (token == null) { return false; } return saved.equals(token); } /** * Reset the saved transaction token in the user's session. This * indicates that transactional token checking will not be needed * on the next request that is submitted. * * @param request The servlet request we are processing */ public synchronized void resetToken(HttpServletRequest request) { HttpSession session = request.getSession(false); if (session == null) { return; } session.removeAttribute(TRANSACTION_TOKEN_KEY); } /** * Save a new transaction token in the user's current session, creating * a new session if necessary. * * @param request The servlet request we are processing */ public synchronized void saveToken(HttpServletRequest request) { HttpSession session = request.getSession(); String token = generateToken(request); if (token != null) { session.setAttribute(TRANSACTION_TOKEN_KEY, token); } } /** * Generate a new transaction token, to be used for enforcing a single * request for a particular transaction. * * @param request The request we are processing */ public synchronized String generateToken(HttpServletRequest request) { HttpSession session = request.getSession(); try { byte id[] = session.getId().getBytes(); long current = System.currentTimeMillis(); if (current == previous) { current++; } previous = current; byte now[] = new Long(current).toString().getBytes(); MessageDigest md = MessageDigest.getInstance("MD5"); md.update(id); md.update(now); return toHex(md.digest()); } catch (NoSuchAlgorithmException e) { return null; } } /** * Convert a byte array to a String of hexadecimal digits and return it. * @param buffer The byte array to be converted */ private String toHex(byte buffer[]) { StringBuffer sb = new StringBuffer(buffer.length * 2); for (int i = 0; i < buffer.length; i++) { sb.append(Character.forDigit((buffer[i] & 0xf0) >> 4, 16)); sb.append(Character.forDigit(buffer[i] & 0x0f, 16)); } return sb.toString(); } }

项目结构


避免表单重复提交--用session实现token机制_第5张图片



index.jsp

    <%@page import="com.dao.chu.TokenProcessor"%>  
    <%@page import="java.util.Date"%>  
    <%@ page language="java" contentType="text/html; charset=UTF-8"  
        pageEncoding="UTF-8"%>  
      
      
      
      
    index.jsp  
      
      
      
        
name:

TokenServlet.java

package com.dao.chu;  
  
import java.io.IOException;  
import java.util.Date;  
  
import javax.servlet.ServletException;  
import javax.servlet.annotation.WebServlet;  
import javax.servlet.http.HttpServlet;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import javax.servlet.http.HttpSession;  
  
/** 
 * Servlet implementation class TokenServlet 
 */  
@WebServlet("/tokenServlet")  
public class TokenServlet extends HttpServlet {  
    private static final long serialVersionUID = 1L;  
         
    /** 
     * @see HttpServlet#HttpServlet() 
     */  
    public TokenServlet() {  
        super();  
        // TODO Auto-generated constructor stub  
    }  
  
    /** 
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) 
     */  
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {  
        // TODO Auto-generated method stub  
          
        boolean tokenValid = TokenProcessor.getInstance().isTokenValid(request);  
          
          
        if (tokenValid) {  
              
            TokenProcessor.getInstance().resetToken(request);  
        }  
        else {  
              
            response.sendRedirect(request.getContextPath()+"/token.jsp");;  
        }  
          
    }  
  
}

可以看出这样写代码复用性很高。


运行效果

正常情况下可以提交,一旦发生重复提交,则会跳转到另外一个页面。


避免表单重复提交--用session实现token机制_第6张图片

转自http://blog.csdn.net/daochuwenziyao/article/details/60592188

你可能感兴趣的:(java)