Struts2 Token Internal principle

Source: Internet
Author: User

I recently ran into the token mechanism while learning Struts2. Since it is an important topic I wanted to understand it properly, so I went looking for material online, and the search was frustrating: everything on the web boils down to one sentence: "When the page loads, a token ID is generated in the page; at the same time the server saves the same ID in the session; on submission, the two are compared, and if they are the same do this, if they are different do that ..."

That may well be a fair summary, but it is impossible to grasp the essence of the token from such a compressed description.

A shallow explanation like that, followed by a pile of code, is often not much help to a beginner; explaining the principle first would undoubtedly speed up the reader's learning.

After a good deal of digging, here is how the token prevents a form from being submitted twice when the page is refreshed.

This article does not cover the concrete usage of the token tag, only the principle.

The first thing to note is that using the token in the Struts2 framework takes basically two steps:

• Use the <s:token></s:token> tag in the JSP page. It can be placed anywhere inside the form; its role is to generate a token ID in the page, which you can see with "View Source". Why must it be inside a form? Because the token has to be submitted to the server together with the form; otherwise how would the server know what your ID is?

• Add the token interceptor to the action in the Struts2 core configuration file (struts.xml) and use its parameters to say which methods need to be intercepted, for example: <interceptor-ref name="token"><param name="includeMethods">save</param></interceptor-ref>, which intercepts the save method. You can also use excludeMethods to declare which methods are not intercepted. Two practical notes: the token interceptor is not part of defaultStack, so reference defaultStack as well, and when the check fails the interceptor returns the result name invalid.token, so the action also needs a <result name="invalid.token"> mapping (this is the "preconfigured page" described below).

Token generation schematic diagram:

As the diagram shows, if a JSP page contains a token tag, then whenever that page is rendered, whether it is requested directly or reached by an internal forward (we will call both cases "rendering the page"), a token ID is generated or refreshed.

Be clear that it is the rendering of the JSP page that generates the token. Generating it does not by itself check anything: the token interceptor intercepts action methods (which Struts2 invokes through reflection), not the JSP.

Token interception schematic:

As the diagram shows, the token interceptor intercepts methods of the action.

If the method is one that needs intercepting, the interceptor checks whether the token ID in the session equals the token ID that was submitted. If they are not equal, control goes straight to the preconfigured result (invalid.token) and the token ID in the session is left unchanged. If they are equal, the requested method is executed, and the key point is that the token ID in the session is then removed! This step is critical.

To sum up, keep the following points in mind when using tokens and you can handle most complicated token scenarios:

• Pay attention to when the token is generated: it is generated whenever a JSP page containing a token tag is loaded (or rendered), regardless of whether it was reached by a request or a forward, and regardless of whether the method was intercepted.

• Because the server-side token ID is kept in the session, it is shared between different pages: rendering any page that has a token tag replaces the token the session is holding for another page. Take care when using it to avoid confusion (the tag's name attribute lets you keep separate tokens for separate forms).

• If the method invoked is an intercepted one, the token ID in the session is removed once validation passes; if validation fails, the token ID in the session is left unchanged until the next time a JSP page with the token tag is loaded (or rendered).

To be more explicit, why is the token ID in the session removed after validation? It is not hard to see if you look at the big picture: a repeated submission has one unavoidable feature, its token ID is the previous one. So the most direct fix is to remove the token, which guarantees that whatever the session holds after validation is different from the ID that was just used. To get a valid submission again there is only one way: reload (or render) a JSP page with the token tag, which brings the client's token ID back in step with the server's. The same property is what makes this a defence against cross-site request forgery as well: a request forged from another site cannot carry a token that matches the one in the victim's session, as long as the token values are unpredictable.
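The whole lifecycle described above, written out as a stand-alone Java model. This is an example added here; it is neither Struts2's source nor the original author's code. There is no servlet container: the HTTP session and the rendered form are plain maps, and the class, method and variable names are this example's own. The hidden-field names struts.token.name and struts.token, the session namespace struts.tokens and the result name invalid.token mirror the Struts2 defaults as I know them, but treat them as assumptions of the example rather than a reading of the framework's code.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Struts2 source, not the author's code): a model of the
 * token lifecycle. The session and the rendered form are plain maps.
 *
 * Assumptions: the hidden-field names, the session namespace and the
 * invalid.token result below mirror the Struts2 defaults as I know them;
 * all class and method names are this example's own.
 */
public class TokenDemo {
    static final String TOKEN_NAME_FIELD = "struts.token.name"; // hidden field: which token name is in use
    static final String DEFAULT_TOKEN_NAME = "struts.token";     // hidden field: the token value itself
    static final String TOKEN_NAMESPACE = "struts.tokens";       // session key = namespace + "." + token name
    static final String INVALID_TOKEN = "invalid.token";         // result returned when the check fails

    // Token values must be unpredictable, or a forged request could guess one:
    // SecureRandom, not java.util.Random.
    private static final SecureRandom RNG = new SecureRandom();

    static String generateToken() {
        return new BigInteger(165, RNG).toString(36).toUpperCase();
    }

    static String sessionKey(String tokenName) {
        return TOKEN_NAMESPACE + "." + tokenName;
    }

    /** Step 1, "rendering": what <s:token/> does. A fresh token is stored in the
     *  session (replacing any previous one) and written into the form as two
     *  hidden fields. Every render, direct request or forward, does this. */
    static Map<String, String> render(Map<String, Object> session) {
        String token = generateToken();
        session.put(sessionKey(DEFAULT_TOKEN_NAME), token);
        Map<String, String> form = new HashMap<>();
        form.put(TOKEN_NAME_FIELD, DEFAULT_TOKEN_NAME);
        form.put(DEFAULT_TOKEN_NAME, token);
        return form;
    }

    /** Step 2, the interceptor: compare the submitted token with the session's.
     *  Missing or mismatching token: return invalid.token and leave the session
     *  token untouched. Match: remove the session token (the critical step) and
     *  let the action run. The check-and-remove happens under the session lock
     *  so that two near-simultaneous submits (a double click) cannot both see
     *  the same token and both pass. */
    static String submit(Map<String, Object> session, Map<String, String> params) {
        String tokenName = params.get(TOKEN_NAME_FIELD);
        if (tokenName == null) {
            return INVALID_TOKEN;
        }
        String submitted = params.get(tokenName);
        String key = sessionKey(tokenName);
        synchronized (session) {
            Object stored = session.get(key);
            if (submitted == null || stored == null || !submitted.equals(stored)) {
                return INVALID_TOKEN;
            }
            session.remove(key);
        }
        return "success"; // in real Struts2 the intercepted action method (e.g. save) runs here
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();

        // Normal flow, then the user presses F5 and the same form is sent again.
        Map<String, String> form = render(session);
        System.out.println("first submit : " + submit(session, form));
        System.out.println("resubmit     : " + submit(session, form));

        // The page was rendered twice (e.g. opened in two tabs): only the latest
        // token is in the session, so the earlier form is stale but the session
        // token survives its rejection and the latest form still works.
        Map<String, String> earlier = render(session);
        Map<String, String> latest = render(session);
        System.out.println("stale form   : " + submit(session, earlier));
        System.out.println("latest form  : " + submit(session, latest));

        // A request carrying no token at all, as a request forged from another site would.
        System.out.println("no token     : " + submit(session, new HashMap<>()));
    }
}
```

Run it with javac TokenDemo.java && java TokenDemo. The first submission succeeds, the resubmission fails because the token was consumed, the stale form fails without disturbing the session token, the latest form succeeds, and the token-less request fails. The synchronized block is the one detail the prose above does not mention: without it, two copies of the same form arriving at the same instant could both read the token before either removes it.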

I always hope my articles can help more people, so this one is a little wordy; please bear with me!
