API interface idempotent design

1. An idempotent API interface design guarantees that the data it produces is unique: the same request, repeated, must not create duplicate records.

     For example:

                - An RPC remote call is executed twice because network latency made the caller retry.

                - A user clicks the form's submit button repeatedly, so the same form is submitted several times.

                - Once the interface is exposed, a tool (JMeter or the like) can simulate requests and replay them against it.

2. How do you design an interface to be idempotent?

      Use a token scheme. Before each call to the API interface (for example a form submission), the API generates a token and returns it to the client, which stores it; the same token is also stored in Redis with an expiry, typically set to about 15 to 60 minutes.

      When the form is submitted, the request header must carry the token. The server takes the token out of the request header and compares it with the token stored in Redis: if the token exists in Redis, the form is accepted and the token is deleted at the same time; if the token is not in Redis, the submission is rejected.

3. The token is generated when the `index` method is called and saved by the client; when the user clicks submit, the token is validated before the `postIndex` interface is invoked.

4. Install Redis.

5. Write the token cache on top of Redis.

package com.aiyuesheng.util;

import java.util.concurrent.TimeUnit;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.stereotype.Component;

/**
 * Thin wrapper around StringRedisTemplate used to store, read and delete tokens.
 */
@Component
public class BaseRedisService {

    @Autowired
    private StringRedisTemplate stringRedisTemplate;

    /**
     * Stores a string value. When a timeout (in seconds) is given, the value and its
     * expiry are written with a single SET command, so a crash between a separate SET
     * and EXPIRE can never leave a token in Redis without a TTL.
     */
    public void setString(String key, Object data, Long timeout) {
        if (!(data instanceof String)) {
            return; // this helper only supports string values
        }
        String value = (String) data;
        if (timeout != null) {
            stringRedisTemplate.opsForValue().set(key, value, timeout, TimeUnit.SECONDS);
        } else {
            stringRedisTemplate.opsForValue().set(key, value);
        }
    }

    /** Returns the stored value, or null if the key does not exist or has expired. */
    public String getString(String key) {
        return stringRedisTemplate.opsForValue().get(key);
    }

    /** Deletes the key (a no-op if it has already expired or been consumed). */
    public void delKey(String key) {
        stringRedisTemplate.delete(key);
    }

}


package com.aiyuesheng.util;

import java.util.UUID;

import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

/**
 * Issues one-time tokens and looks them up in Redis.
 */
@Component
public class RedisToken {
    @Autowired
    private BaseRedisService baseRedisService;

    // Token lifetime in seconds: one hour, the upper end of the 15-60 minute range
    // recommended above. (The original constant 60 * 60 * 60 was 60 hours.)
    private static final long TIMEOUT = 60 * 60;

    /** Generates a random token and stores it in Redis with the configured expiry. */
    public String setToken() {
        // UUID.randomUUID() is backed by a cryptographically strong RNG; the timestamp
        // prefix only makes keys easier to read and adds no unpredictability.
        String token = System.currentTimeMillis() + "" + UUID.randomUUID();
        baseRedisService.setString(token, token, TIMEOUT);
        return token;
    }

    /** Returns the stored token, or "" if it is absent or has expired. */
    public String getToken(String tokenKey) {
        // Read Redis once: reading twice could return a value on the first call and
        // null on the second if the key expires in between.
        String token = (String) baseRedisService.getString(tokenKey);
        if (!StringUtils.isEmpty(token)) {
            return token;
        }
        return "";
    }
}

6. Each time, the comparison . . . verification
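The flow of steps 2, 3 and 6 put together, as an added example that is not part of the original post: a Spring controller whose `index` endpoint issues the token and whose `postIndex` endpoint consumes it before doing any work. It assumes Spring Data Redis 2.x, where `delete(key)` returns whether the key existed; the class name, the `form:token:` key prefix, the endpoint paths and the `token` header name are my own choices, not the article's.

```java
package com.aiyuesheng.controller;

import java.util.UUID;
import java.util.concurrent.TimeUnit;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class IdempotentFormController {

    // Hypothetical key prefix: keeps form tokens apart from other keys in the same Redis database.
    private static final String TOKEN_PREFIX = "form:token:";
    // 30 minutes, inside the 15-60 minute window the article suggests.
    private static final long TOKEN_TTL_SECONDS = 30 * 60;

    @Autowired
    private StringRedisTemplate stringRedisTemplate;

    /** Step 3: index issues a fresh token and stores it in Redis with an expiry. */
    @GetMapping("/index")
    public String index() {
        // UUID.randomUUID() uses a cryptographically strong RNG, so the token cannot be guessed.
        String token = UUID.randomUUID().toString();
        // SET with the TTL in one command, so the key can never be left without an expiry.
        stringRedisTemplate.opsForValue().set(TOKEN_PREFIX + token, "1", TOKEN_TTL_SECONDS, TimeUnit.SECONDS);
        return token;
    }

    /** Step 6: postIndex consumes the token before performing the non-idempotent work. */
    @PostMapping("/postIndex")
    public ResponseEntity<String> postIndex(@RequestHeader(value = "token", required = false) String token) {
        if (token == null || token.isEmpty()) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("missing token");
        }
        // DEL reports whether the key existed. Doing the check and the delete as one atomic
        // command means that, of two concurrent requests carrying the same token, exactly one
        // sees TRUE; a separate GET followed by DEL would let both of them through.
        Boolean consumed = stringRedisTemplate.delete(TOKEN_PREFIX + token);
        if (!Boolean.TRUE.equals(consumed)) {
            return ResponseEntity.status(HttpStatus.CONFLICT).body("duplicate or expired submission");
        }
        // Only now is it safe to perform the operation that must not run twice (e.g. insert the order).
        return ResponseEntity.ok("submitted");
    }
}
```

Because `DEL` both checks and removes the key in a single round trip, a replayed request racing the original cannot succeed alongside it, whereas a `GET` followed by a `DEL` lets both requests read the token before either deletes it. The token is consumed before the business operation runs, so if that operation fails the client has to fetch a new token from `index` rather than resubmit the old one.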



Origin: www.cnblogs.com/pickKnow/p/11266654.html