Inspired by the Struts token, the idea for verifying client-initiated Ajax requests is this: the client generates a key for each request, the server receives and parses the key and decides whether it is valid, and any request that carries no key or fails the check is intercepted immediately, which reduces the load on the server.
First, the server side, which I implement as a Struts2 interceptor. (PS: I am not sure how best to explain it.)
Extend AbstractInterceptor and implement init() and intercept(); the two methods do just what their names say, initialization and interception.
The first method reads the configuration information from the configuration file.
The second method does the key verification and is split into two parts, Ajax requests and common (non-Ajax) requests. The code follows.
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// The class name is assumed; the post only shows the intercept() method.
public class TokenInterceptor extends AbstractInterceptor {

    // Name of the header / cookie that carries the key; must match the front end.
    private static final String TOKEN_NAME = "albedo-requst-token";
    // Session attribute keys (values assumed): last Ajax token seen, and the token issued to the cookie.
    private static final String SESSION_TOKEN = "SESSION_TOKEN";
    private static final String COOKIE_TOKEN = "COOKIE_TOKEN";

    // Populated in init() from the configuration file (init() is not shown in the post):
    // whether the check is enabled, and a comma-separated list of URL fragments to skip.
    private boolean isTokenInterceptor;
    private String freeUrl;

    // PublicUtil, CookieUtil and DesUtil are project helper classes not shown in the post.
    // slf4j is assumed for the logger; the post does not show which logging framework is used.
    private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(TokenInterceptor.class);

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String rs = null;
        if (isTokenInterceptor) {
            boolean flag = false;
            String msg = "{_success: false, _operationMsg: 'Abnormal access, illegal client!'}";
            ActionContext ac = invocation.getInvocationContext();
            HttpServletRequest request =
                    (HttpServletRequest) ac.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest");

            // URLs listed in freeUrl are let through without any token check.
            if (PublicUtil.isNotEmpty(freeUrl)) {
                String[] urlValue = freeUrl.split(",");
                if (PublicUtil.isNotEmpty(urlValue)) {
                    for (String url : urlValue) {
                        if (request.getRequestURI().indexOf(url) != -1) {
                            flag = true;
                            break;
                        }
                    }
                }
            }

            if (!flag) {
                HttpSession session = request.getSession();
                String requestToken;
                HttpServletResponse response;
                try {
                    response = (HttpServletResponse) ac.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse");
                    String requestType = request.getHeader("X-Requested-With");
                    if ("XMLHttpRequest".equals(requestType)) {
                        // Ajax request: the key arrives in the request header as "<key>|<url>".
                        requestToken = request.getHeader(TOKEN_NAME);
                        if (PublicUtil.isNotEmpty(requestToken) && requestToken.indexOf("|") != -1) {
                            String token = (String) session.getAttribute(SESSION_TOKEN);
                            if (!requestToken.equals(token)) {
                                flag = true;
                            } else {
                                // Same token as the previous request: treated as a repeated submit.
                                logger.warn(PublicUtil.toAppendStr(
                                        "client form anti-repeat check triggered: the client submitted requestToken more than once:",
                                        requestToken));
                                msg = "{_success: false, _operationMsg: 'Sorry, network exception, please submit again!'}";
                            }
                            // Only the most recent token is remembered.
                            session.setAttribute(SESSION_TOKEN, requestToken);
                        }
                    } else {
                        // Common request: the key is read from a cookie and must decrypt to an 8-digit number.
                        requestToken = CookieUtil.getCookie(request, TOKEN_NAME);
                        if (PublicUtil.isEmpty(requestToken)) {
                            requestToken = DesUtil.getRequestKey();
                        }
                        if (PublicUtil.match("^[0-9]{8}$", DesUtil.strDec(requestToken))) {
                            String token = (String) session.getAttribute(COOKIE_TOKEN);
                            if (PublicUtil.isEmpty(token)) {
                                token = requestToken;
                            }
                            if (requestToken.equals(token)) {
                                flag = true;
                            } else {
                                logger.warn(PublicUtil.toAppendStr(
                                        "client form anti-repeat check triggered: the client submitted requestToken more than once:",
                                        requestToken, "url:", request.getRequestURI()));
                                msg = "{_success: false, _operationMsg: 'Sorry, network exception. Please submit it again!'}";
                            }
                        }
                        // A fresh key is issued on every common request, in both the cookie and the session.
                        String nextToken = DesUtil.getRequestKey();
                        CookieUtil.setCookie(response, TOKEN_NAME, nextToken);
                        session.setAttribute(COOKIE_TOKEN, nextToken);
                        // Note: as written, common requests always proceed; the mismatch above is only logged.
                        flag = true;
                    }
                } catch (IllegalStateException e) {
                    // getSession() fails once the response has been committed.
                    flag = false;
                    msg = PublicUtil.toAppendStr(
                            "{_success: false, _operationMsg: 'Error creating HttpSession due response is commited to client. "
                            + "You can use the CreateSessionInterceptor or create the HttpSession from your action before the result "
                            + "is rendered to the client: ", e.getMessage(), "'}");
                    e.printStackTrace();
                }
            }

            if (flag) {
                rs = invocation.invoke();
            } else {
                // Rejected: write the JSON-like error body directly instead of invoking the action.
                HttpServletResponse response =
                        (HttpServletResponse) ac.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse");
                response.setCharacterEncoding("UTF-8");
                response.getWriter().write(msg);
            }
        } else {
            rs = invocation.invoke();
        }
        return rs;
    }
}
```
On the front end, for Ajax submissions I carry the verification key in a request header. Because the project uses jQuery, I simply override the $.ajax method.
```javascript
var TOKEN_NAME = "albedo-requst-token";

// Assumed implementation (the post does not show it): the key is derived from the
// current time, so two requests issued at the same instant get the same key.
function getRequestKey() {
    return String(new Date().getTime());
}

(function ($) {
    // back up jQuery's ajax method
    var _ajax = $.ajax;
    // rewrite jQuery's ajax method
    $.ajax = function (opt) {
        // back up the error and success callbacks passed in opt
        var fn = {
            error: function (XMLHttpRequest, textStatus, errorThrown) {},
            success: function (data, textStatus) {}
        };
        if (opt.error) { fn.error = opt.error; }
        if (opt.success) { fn.success = opt.success; }

        var _opt = $.extend(opt, {
            beforeSend: function (request) {
                // send "<key>|<url>" in the token header; the key differs between points in time
                request.setRequestHeader(TOKEN_NAME, getRequestKey() + "|" + opt.url);
            },
            error: function (XMLHttpRequest, textStatus, errorThrown) {
                // wrap the original error callback
                fn.error(XMLHttpRequest, textStatus, errorThrown);
            },
            success: function (data, textStatus) {
                // wrap the original success callback: surface the interceptor's rejection message
                if (typeof data == "string") {
                    try {
                        // the server body uses unquoted keys ({_success: false, ...}), so it is not strict JSON
                        eval("var rs = " + data);
                        if (rs && rs._success == false && rs._operationMsg) {
                            // g_showTip is an optional project-wide tip function; fall back to alert() if absent
                            if (typeof g_showTip !== "function") alert(rs._operationMsg);
                            else setTimeout(function () { g_showTip(rs._operationMsg); }, 500);
                        }
                    } catch (e) {}
                }
                fn.success(data, textStatus);
            }
        });
        _ajax(_opt);
    };
})(jQuery);
```
Of course, you do not have to do it this way; passing the key as a ? query parameter on the URL works too ^_^
With that, the mechanism is complete: if a page initiates several consecutive requests to the same address, only the first request succeeds and all subsequent ones are intercepted.
PS: these are personal opinions; where they fall short, please take them as a reference only.
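The behaviour just described, as an added example that is not code from the original post: a plain-JavaScript model of the Ajax branch of the interceptor (free-URL skip, header check, comparison against the last token kept in the session) together with the client's key|url header format. createSession, buildTokenHeader and checkAjaxRequest are names chosen here; the cookie branch for common requests is not modelled.

```javascript
// Added example, not from the original post: a plain-JavaScript model of the
// Ajax branch of intercept(). Function names below are assumed, not the project's.
const TOKEN_NAME = "albedo-requst-token";   // header name used by the post

// The interceptor keeps the last Ajax token it saw in the HttpSession (SESSION_TOKEN).
function createSession() {
  return { sessionToken: null };
}

// Client side: the $.ajax override sends "<key>|<url>" in the token header.
function buildTokenHeader(key, url) {
  return key + "|" + url;
}

// Server side, mirroring intercept(): returns { pass, msg }, where pass plays the
// role of flag and msg is the JSON-like body written back when the request is rejected.
// freeUrl is the comma-separated list of URL fragments read from the configuration.
function checkAjaxRequest(session, headers, requestUri, freeUrl) {
  const free = (freeUrl || "").split(",").filter(Boolean);
  if (free.some((u) => requestUri.indexOf(u) !== -1)) {
    return { pass: true, msg: "" };              // listed URL: no token required
  }
  if (headers["X-Requested-With"] !== "XMLHttpRequest") {
    return { pass: false, msg: "not an Ajax request (cookie branch not modelled here)" };
  }
  const requestToken = headers[TOKEN_NAME];
  if (!requestToken || requestToken.indexOf("|") === -1) {
    return { pass: false, msg: "{_success: false, _operationMsg: 'Abnormal access, illegal client!'}" };
  }
  // A token equal to the previous one is treated as a repeated submit.
  const pass = requestToken !== session.sessionToken;
  session.sessionToken = requestToken;           // only the latest token is kept
  return {
    pass: pass,
    msg: pass ? "" : "{_success: false, _operationMsg: 'Sorry, network exception, please submit again!'}",
  };
}
```

Because the session remembers only the most recent token, the check stops an immediate repeat of the same request, while any request carrying a different key passes; this is why the client-side key must change between submissions.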