I meant to finish this in part four, but as I wrote the content kept growing, so I have split it into this separate post, which covers the token definition, the JSP custom tag, and how to use Parameterized for unit testing.
1. Create the package com.vanceinfo.javaserial.handlerinterceptors and add a new class TokenHandler. This is the helper class for the token and contains three methods:
generateGUID: when the page is loaded, generate a GUID and store it in both the Session and Constant (Constant is used to hold the value for the page's hidden field). A heads-up: what the session stores is a Map object under the key SPRINGMVC.TOKEN, and each entry in that map is saved in the form "springMVC_token.GUID" : GUID, whereas the client-side hidden field's name uses the lowercase springMVC_token.
getInputToken: reads the GUID value from the client-side hidden field.
validToken: checks whether the GUID in the client-side hidden field matches the corresponding value in the server-side session; returns true only if they are identical, otherwise false, and the corresponding token entry in the session is removed at the same time.
Source code:
package com.vanceinfo.javaserial.handlerinterceptors;

import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.springframework.ui.ModelMap;

import com.vanceinfo.javaserial.constants.Constant;

public class TokenHandler {

    private static final Logger LOGGER = Logger.getLogger(TokenHandler.class);

    /** Cryptographically strong source for token values; java.util.Random is predictable and unsuitable here. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Generate the unique token and store it on both the server side (session map under
     * "SPRINGMVC.TOKEN") and the client side (Constant.TOKEN_VALUE, rendered into the hidden field).
     *
     * @param session the current user's session
     * @param map     the model of the page being rendered
     * @return the generated token, or "" if the session could not be used
     */
    @SuppressWarnings("unchecked")
    public synchronized static String generateGUID(HttpSession session, ModelMap map) {
        String token = "";
        try {
            // The token map belongs to one session. A fresh map is created for a session that
            // has none yet, so tokens issued in one session never end up in another session's map.
            Map<String, String> springmvc_token = (Map<String, String>) session.getAttribute("SPRINGMVC.TOKEN");
            if (springmvc_token == null) {
                springmvc_token = new HashMap<String, String>();
            }
            token = new BigInteger(165, RANDOM).toString(36).toUpperCase();
            // entry is stored as "springMVC_token.<GUID>" -> <GUID>
            springmvc_token.put(Constant.DEFAULT_TOKEN_NAME + "." + token, token);
            session.setAttribute("SPRINGMVC.TOKEN", springmvc_token);
            Constant.TOKEN_VALUE = token;
        } catch (IllegalStateException e) {
            // thrown when the session has already been invalidated
            LOGGER.error("generateGUID() could not store the token: session is invalid", e);
        }
        return token;
    }

    /**
     * Validate the form token value against the session token value. On success the matching
     * entry is removed from the session, so each token is accepted for exactly one submission.
     *
     * @param request the submitted request
     * @return true if both token values are the same, otherwise false
     */
    @SuppressWarnings("unchecked")
    public static boolean validToken(HttpServletRequest request) {
        String inputToken = getInputToken(request);
        if (inputToken == null) {
            LOGGER.warn("token is not valid! inputToken is NULL");
            return false;
        }
        // do not create a session just to validate: no session means no issued token
        HttpSession session = request.getSession(false);
        if (session == null) {
            LOGGER.warn("token is not valid! no session");
            return false;
        }
        Map<String, String> tokenMap = (Map<String, String>) session.getAttribute("SPRINGMVC.TOKEN");
        if (tokenMap == null || tokenMap.size() < 1) {
            LOGGER.warn("token is not valid! sessionToken is NULL");
            return false;
        }
        String sessionToken = tokenMap.get(Constant.DEFAULT_TOKEN_NAME + "." + inputToken);
        if (!inputToken.equals(sessionToken)) {
            LOGGER.warn("token is not valid! inputToken='" + inputToken + "', sessionToken='" + sessionToken + "'");
            return false;
        }
        // consume the token so that a resubmitted or replayed form is rejected
        tokenMap.remove(Constant.DEFAULT_TOKEN_NAME + "." + inputToken);
        session.setAttribute("SPRINGMVC.TOKEN", tokenMap);
        return true;
    }

    /**
     * Get the token value from the form. It is expected in the hidden field named
     * Constant.DEFAULT_TOKEN_NAME.
     *
     * @param request the submitted request
     * @return the first value of the hidden field, or null if it is absent or empty
     */
    @SuppressWarnings("unchecked")
    public static String getInputToken(HttpServletRequest request) {
        Map<String, String[]> params = request.getParameterMap();
        if (!params.containsKey(Constant.DEFAULT_TOKEN_NAME)) {
            LOGGER.warn("Could not find token name in params.");
            return null;
        }
        String[] tokens = params.get(Constant.DEFAULT_TOKEN_NAME);
        if (tokens == null || tokens.length < 1) {
            LOGGER.warn("Got a null or empty token name.");
            return null;
        }
        return tokens[0];
    }
}
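As an added example (this is not code from the original post), here is a JUnit 4 test that exercises the three TokenHandler methods with the mock request and session classes from spring-test, which are assumed to be on the test classpath; it also assumes Constant.DEFAULT_TOKEN_NAME holds the hidden-field name "springMVC_token" described above. It checks the properties a one-time form token must have: the value lands in the session under SPRINGMVC.TOKEN, a submission carrying the issued value passes exactly once, a replayed, missing or made-up value is rejected, and a token issued in one session is not accepted in another.

```java
package com.vanceinfo.javaserial.handlerinterceptors;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import java.util.Map;

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.ui.ModelMap;

import com.vanceinfo.javaserial.constants.Constant;

public class TokenHandlerTest {

    /** Builds a constructed POST request bound to the given session, optionally carrying the hidden field. */
    private static MockHttpServletRequest postWithToken(MockHttpSession session, String token) {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/submit");
        request.setSession(session);
        if (token != null) {
            // same parameter name the JSP hidden field uses (assumed to be "springMVC_token")
            request.setParameter(Constant.DEFAULT_TOKEN_NAME, token);
        }
        return request;
    }

    @Test
    public void generatedTokenIsStoredInSessionUnderDocumentedKey() {
        MockHttpSession session = new MockHttpSession();
        String token = TokenHandler.generateGUID(session, new ModelMap());
        assertNotNull(token);
        @SuppressWarnings("unchecked")
        Map<String, String> stored = (Map<String, String>) session.getAttribute("SPRINGMVC.TOKEN");
        assertNotNull(stored);
        // entry is keyed "springMVC_token.<GUID>" and holds the GUID itself
        assertEquals(token, stored.get(Constant.DEFAULT_TOKEN_NAME + "." + token));
    }

    @Test
    public void validSubmissionPassesOnceAndReplayIsRejected() {
        MockHttpSession session = new MockHttpSession();
        String token = TokenHandler.generateGUID(session, new ModelMap());
        assertTrue(TokenHandler.validToken(postWithToken(session, token)));
        // submitting the same form again: the token was consumed on first use
        assertFalse(TokenHandler.validToken(postWithToken(session, token)));
    }

    @Test
    public void missingOrForgedTokenIsRejected() {
        MockHttpSession session = new MockHttpSession();
        TokenHandler.generateGUID(session, new ModelMap());
        // hidden field absent
        assertFalse(TokenHandler.validToken(postWithToken(session, null)));
        // hidden field present but value was never issued for this session
        assertFalse(TokenHandler.validToken(postWithToken(session, "NOT-ISSUED")));
    }

    @Test
    public void tokenFromAnotherSessionIsRejected() {
        MockHttpSession sessionA = new MockHttpSession();
        MockHttpSession sessionB = new MockHttpSession();
        String tokenA = TokenHandler.generateGUID(sessionA, new ModelMap());
        TokenHandler.generateGUID(sessionB, new ModelMap());
        // the token map must be per session, so A's token is worthless in B
        assertFalse(TokenHandler.validToken(postWithToken(sessionB, tokenA)));
    }
}
```

Run it with the project's normal test runner (for example mvn test); junit, spring-test and the servlet API need to be available as test dependencies. The last case is the one worth watching: if the token map is shared between sessions instead of stored per session, a token obtained in one session validates in another, and this test fails.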