Java web app security: adding tokens to requests


Problem description

I'm looking for a method or current API that allows you to add on tokens to web app requests. Maybe within the session but not persisted. Or if you could help me by outlining an efficient method for doing this.

For example

1. GET request => Servlet generates a token and prints it in the view

2. returns a view with a hidden token

<input type="hidden" name="token" value="UA37jdjs9UDJS3">
<input type="submit" name="deleteEmail" value="Delete">

3. POST request => form is submitted and checks if the token is the same.

Few things to note: if there are Ajax requests then some other tokens would have to be alive for a number of requests.

If the user decides to close the browser, the token would have to die when the session is timed out.

If the user fails to complete the form, goes off to do something else on the site, those tokens would have to be deleted as they go unused.

But what is the best way of implementing a system like this?

Does Spring Security 3 have a system that I can use?

within the Java, Grails, Spring MVC, Spring Security 3 and Hibernate area

Recommended answer

Did you take a look at "Synchronizer Token Pattern" in the Grails documentation at http://grails.org/doc/1.2.0/guide/single.html ?
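
An added example, not part of the original question or answer and not Grails or Spring Security code: a session-scoped token store covering the GET/POST flow and the Ajax and cleanup requirements listed in the question. The class name `SessionTokenStore`, the cap of 20 pending tokens, and the split into single-use form tokens plus one reusable Ajax token are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashSet;

// Hypothetical helper (not Grails or Spring API): keep one instance as an
// HttpSession attribute so every token dies with the session.
public class SessionTokenStore implements java.io.Serializable {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MAX_PENDING = 20; // assumed cap on unused form tokens
    private final LinkedHashSet<String> formTokens = new LinkedHashSet<>();
    public final String ajaxToken = newToken(); // reusable for the whole session

    private static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // GET: issue a single-use token for the hidden field, evicting the oldest
    // abandoned token once the cap is reached.
    public synchronized String issueFormToken() {
        if (formTokens.size() >= MAX_PENDING) {
            formTokens.remove(formTokens.iterator().next()); // insertion order: oldest first
        }
        String token = newToken();
        formTokens.add(token);
        return token;
    }

    // POST: accept the token once, then forget it so a replayed form fails.
    public synchronized boolean consumeFormToken(String submitted) {
        return submitted != null && formTokens.remove(submitted);
    }

    // Ajax: constant-time comparison; the token stays valid until the session ends.
    public boolean checkAjaxToken(String submitted) {
        return submitted != null && MessageDigest.isEqual(
            ajaxToken.getBytes(StandardCharsets.UTF_8), submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        SessionTokenStore store = new SessionTokenStore();
        String token = store.issueFormToken();
        System.out.println(store.consumeFormToken(token) + " " + store.consumeFormToken(token));
        System.out.println(store.checkAjaxToken(store.ajaxToken));
    }
}
```

In a servlet the store would be created on first use and kept with `session.setAttribute(...)`; the POST handler rejects the request whenever `consumeFormToken` returns false.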
