Principle: when the page is rendered, a random token is stored in the session and written into the form. On submit, the token sent by the form is checked against the copy in the session and, if it matches, the session copy is deleted. When the user clicks save a second time, the same token is sent again, but the server-side copy no longer exists, so the check fails and the duplicate submission is rejected.
Token annotation code:

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface Token {
    // true: generate a fresh token and store it in the session before the handler runs
    boolean save() default false;
    // true: verify the submitted token against the session copy and consume it
    boolean remove() default false;
}
Interceptor TokenInterceptor code:

import java.lang.reflect.Method;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class TokenInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (handler instanceof HandlerMethod) {
            HandlerMethod handlerMethod = (HandlerMethod) handler;
            Method method = handlerMethod.getMethod();
            Token annotation = method.getAnnotation(Token.class);
            if (annotation != null) {
                boolean needSaveSession = annotation.save();
                if (needSaveSession) {
                    // getSession() creates the session if it does not exist yet;
                    // getSession(false) would return null here and throw a NullPointerException
                    request.getSession().setAttribute("token", UUID.randomUUID().toString());
                }
                boolean needRemoveSession = annotation.remove();
                if (needRemoveSession) {
                    if (isRepeatSubmit(request)) {
                        // Duplicate or missing token: stop the chain. Nothing is written to the
                        // response, so the client receives an empty reply for the rejected request.
                        return false;
                    }
                    // Consume the token so the same form cannot be submitted again.
                    // Note: check and remove are not atomic; two requests arriving at the same
                    // moment with the same session can both pass unless this block is synchronized.
                    request.getSession(false).removeAttribute("token");
                }
            }
            return true;
        } else {
            return super.preHandle(request, response, handler);
        }
    }

    private boolean isRepeatSubmit(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            // No session at all, so no token was ever issued: treat as a repeat
            return true;
        }
        String serverToken = (String) session.getAttribute("token");
        if (serverToken == null) {
            return true;
        }
        String clientToken = request.getParameter("token");
        if (clientToken == null) {
            return true;
        }
        if (!serverToken.equals(clientToken)) {
            return true;
        }
        return false;
    }
}
Then add the following to the Spring MVC configuration file:

<!-- Interceptor configuration -->
<mvc:interceptors>
    <!-- Configure the Token interceptor to prevent users from submitting data repeatedly -->
    <mvc:interceptor>
        <mvc:mapping path="/**" />
        <bean class="com.storezhang.web.spring.TokenInterceptor" />
    </mvc:interceptor>
</mvc:interceptors>
Usage: add @Token(save=true) to the controller method that renders the form and therefore needs to generate a token, and add @Token(remove=true) to the controller method that processes the form and needs to be checked for duplicate submissions.
In addition, the form in the view must carry the token back to the server, so add the following hidden field (the ${token} expression resolves the "token" attribute stored in the session):
<input type="hidden" name="token" value="${token}" />
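To show the two annotations working together, here is an added example that is not part of the original post: a hypothetical OrderController using @Token on its GET and POST handlers, plus a main method that drives the interceptor directly with Spring's test mocks to simulate one user loading the form and then submitting it twice. It assumes Token and TokenInterceptor live in the same package as this class and that spring-test is on the classpath.

```java
import javax.servlet.http.HttpSession;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.method.HandlerMethod;

@Controller
public class OrderController {   // hypothetical controller, not from the original post

    // Renders the form; the interceptor stores a fresh token in the session before this runs.
    @Token(save = true)
    @RequestMapping(value = "/order/new", method = RequestMethod.GET)
    public String showForm() {
        return "order/form";
    }

    // Processes the form; the interceptor rejects the request if the token is missing or stale.
    @Token(remove = true)
    @RequestMapping(value = "/order/new", method = RequestMethod.POST)
    public String submit() {
        return "redirect:/order/done";
    }

    // Simulates: load the form once, then submit the same hidden token two times.
    public static void main(String[] args) throws Exception {
        TokenInterceptor interceptor = new TokenInterceptor();
        OrderController bean = new OrderController();
        HandlerMethod show = new HandlerMethod(bean, OrderController.class.getMethod("showForm"));
        HandlerMethod post = new HandlerMethod(bean, OrderController.class.getMethod("submit"));

        // GET: interceptor generates the token and stores it in the session
        MockHttpServletRequest get = new MockHttpServletRequest("GET", "/order/new");
        HttpSession session = get.getSession(true);
        interceptor.preHandle(get, new MockHttpServletResponse(), show);
        // The view would copy this value into the hidden "token" field
        String token = (String) session.getAttribute("token");

        // First POST with the token: passes, and the interceptor consumes the token
        MockHttpServletRequest first = new MockHttpServletRequest("POST", "/order/new");
        first.setSession(session);
        first.setParameter("token", token);
        boolean firstAccepted = interceptor.preHandle(first, new MockHttpServletResponse(), post);

        // Second POST with the same token: the session copy is gone, so it is rejected
        MockHttpServletRequest second = new MockHttpServletRequest("POST", "/order/new");
        second.setSession(session);
        second.setParameter("token", token);
        boolean secondAccepted = interceptor.preHandle(second, new MockHttpServletResponse(), post);

        System.out.println("first submit accepted:  " + firstAccepted);
        System.out.println("second submit accepted: " + secondAccepted);
    }
}
```

Running the main method shows the first submission accepted and the second rejected, which is exactly the behaviour a double click on the save button triggers in the real application.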