看到公司有個部門提出了這個問題,補個粗略的解決方案。。。
1.編寫攔截器
/** * Description: 防止重復提交 * * @Author liam * @Create Date: 2018/3/9 9:22 */ public class AvoidReSubmitIntercepter extends HandlerInterceptorAdapter { private static final String SPLIT_FLAG = "_"; private static final String AVOID_RE_SUBMIT_TOKEN_KEY = "identifier_token"; @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { if (checkAvoidReSubmitTokenOn(handler,AvoidReSubmitBehavior.Check)) { //驗證是否重復 if (checkIsRepeatSubmit(request)) { //重復提交 return false; } } return super.preHandle(request, response, handler); } @Override public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception { if (checkAvoidReSubmitTokenOn(handler,AvoidReSubmitBehavior.Create)) { Random random = new Random(); String uuid = UUID.randomUUID().toString().replace(SPLIT_FLAG, String.valueOf(random.nextInt(100000))); String tokenValue = String.valueOf(System.currentTimeMillis()); String transferToken = uuid + SPLIT_FLAG + tokenValue; request.setAttribute(AVOID_RE_SUBMIT_TOKEN_KEY, transferToken); request.getSession(true).setAttribute(uuid, tokenValue); } super.postHandle(request, response, handler, modelAndView); } /** * Description: 是否開啟防重規則 * * @Author liam * @Create Date: 2018/3/9 10:33 */ private boolean checkAvoidReSubmitTokenOn(Object handler,AvoidReSubmitBehavior behavior) { HandlerMethod handlerMethod = (HandlerMethod) handler; Method invokeMethod = handlerMethod.getMethod(); AvoidReSubmitToken avoidReSubmitToken = invokeMethod.getAnnotation(AvoidReSubmitToken.class); if (avoidReSubmitToken != null && avoidReSubmitToken.behavior().equals(behavior)) { return true; } return false; } private boolean checkIsRepeatSubmit(HttpServletRequest request) { String clientToken = request.getParameter(AVOID_RE_SUBMIT_TOKEN_KEY); if (StringUtils.isEmpty(clientToken)) { clientToken = request.getParameter(AVOID_RE_SUBMIT_TOKEN_KEY); if (StringUtils.isEmpty(clientToken)) { return true; } } String[] clientTokensDetail = StringUtils.split(clientToken, SPLIT_FLAG); if (clientTokensDetail.length == 2) { String uuid = clientTokensDetail[0]; String token = clientTokensDetail[1];
//此處存在並發風險...闊以加鎖處理 String serverToken = (String) request.getSession(true).getAttribute(uuid); if (StringUtils.isNotEmpty(serverToken) && token.equals(serverToken)) { request.getSession(true).removeAttribute(uuid); return false; } } return true; } }
提供開啟規則的注解:
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) public @interface AvoidReSubmitToken { AvoidReSubmitBehavior behavior(); }
定義兩種行為:
public enum AvoidReSubmitBehavior { Create, Check; }
攔截器的配置:
<!-- 攔截器配置 -->
<mvc:interceptors>
<!-- 配置Token攔截器,防止用戶重復提交數據 -->
<mvc:interceptor>
<mvc:mapping path="/**"/>
<bean class="liam.AvoidReSubmitIntercepter"/>
</mvc:interceptor>
</mvc:interceptors>
Java代碼使用;
@AvoidReSubmitToken(behavior = AvoidReSubmitBehavior.Create) @RequestMapping("test") public String testPage() { return "form/page"; } @AvoidReSubmitToken(behavior = AvoidReSubmitBehavior.Check) @RequestMapping("potHandler") public String postHandler(){ return "ok"; }
頁面代碼:
<form id="" class="form-horizontal" action="${ctx}/postHandler" method="post"> ...... <input type="hidden" name="token" value="${identifier_token}"/> <!-- 注:name必須是identifier_token --> ...... </form>
其實該方案也可以驗證提交數據是否有效,當然通常是把token放到只讀的緩存了。。
偽代碼。。沒測試呢。。。