On Thu, 16 Aug 2001, Tim Fox wrote:
> That seems to make sense, so basically:
>
> 1. At top of the code of the web action I do something like the following:
>
> public final ActionForward perform(ActionMapping mapping,
>                                    ActionForm form,
>                                    HttpServletRequest request,
>                                    HttpServletResponse response)
>     throws IOException, ServletException
> {
>     saveToken(request);
>     if (!tokenIsValid(request))
>     {
>         //forward to error page saying "your transaction is already being processed"
>     }
>     else
>     {
>         //process action
>         //forward to jsp
>     }
> }
>

Don't forget to call resetToken() to clear it.

> 2. In my jsp do something like
>
> <form action="myaction.do" method="post">
> <input type="hidden"
> name="<%= Constants.TOKEN_KEY %>"
> value="<%= session.getAttribute(Action.TRANSACTION_TOKEN_KEY) %>" >
> ...
> other stuff...
> ...
> </form>
>
> Does that sound about right?
>
>
If you use <html:form> instead of creating your own, the JSP page stuff is
handled for you transparently. That way, your page developers don't have
to know anything about transaction tokens -- which is as it should be,
since that is totally a business logic concept.

Craig

> -----Original Message-----
> From: Kai Zaunick [mailto:[EMAIL PROTECTED]]
> Sent: 16 August 2001 08:55
> To: [EMAIL PROTECTED]
> Subject: AW: Examples of mutli-click prevention using struts tokens
>
>
> Hi Tim,
>
> I just installed struts a couple of days ago and have the same problems
> regarding docs on this topic.
> My "theory" of a token is the following (no warranty ;) :
> a. saveToken() generates a unique identifier (MD5 Hash) stored in the user's
> session ("server-side") and on the jsp page the Action forwards to
> ("client-side") when using struts form or link tags. saveToken will create a
> session if there is none according to API docs.
> b. isValid() compares the user's session token with the token given as a
> request parameter (either through hidden form field (form tag) or through
> additional parameter on a url (link tag))
> c. resetToken() removes token from the session.
>
>
> Imagine the following scenario where you have a workflow/transaction which
> goes over 2 pages.
>
>    Action1 -> Page1 -> Action2 -> Page2
> 1. saveToken           isValid()?
> 2. doStuff             doStuff
> 3.                     resetToken()
>
> + Entry point to the transaction is always Action1. Accessing Action2
>   directly is not allowed (token not set)
> + Having more than one instance of Page1 open, isValid() in Action2 will
>   assure that only the last one opened is executed.
>
> Looking at the stuff in Action2 makes me think that you might want to put
> it into a synchronized block depending on how fast your doStuff executes.
>
> Hope this helped,
>
> Kai
>
>
> -----Original Message-----
> From: Tim Fox [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 15 August 2001 16:41
> To: [EMAIL PROTECTED]
> Subject: RE: Examples of mutli-click prevention using struts tokens
>
>
> Thanks for your reply.
> What I really meant when I said I don't have an html:form, is that I do have
> a <FORM> tag, just not a <html:form> tag, ie I'm not using the struts html
> taglib in my page (consequently I can't use the html:link tag either).
> Is there a method I can call to get the transaction token in a format that
> can be stuck in a query parameter? Then I can just do <a
> href="blah.go?something=<%=getToken()%>">click me</a> ???
>
> I'm still unsure of how to use saveToken(), resetToken(), and
> isTokenValid(), at what point in my web action do I place these calls (if
> any), and in what order?
>
> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: 14 August 2001 17:05
> To: [EMAIL PROTECTED]
> Subject: Re: Examples of mutli-click prevention using struts tokens
>
>
> On Tue, 14 Aug 2001, Tim Fox wrote:
>
> > Anyone know of any examples of how to use the
> > saveToken(), resetToken(), and isTokenValid() methods - for prevention of
> > submission of forms multiple times.
> > I can't find anything in the docs.
> > Specifically I want to be able to use them in the situation where I *don't*
> > have a <html:form> in my page - is this possible?
> > thanx in advance
> >
>
> If you don't have a form, then what you are trying to prevent is following
> the same hyperlink twice, right? In that case, you can tell the
> <html:link> tag to include the transaction control token like this:
>
> <html:link href="/foo.do" transaction="true"/>
>
> This will cause the token to be included on the hyperlink as a query
> parameter, so that you can check it with isTokenValid() in your action
> associated with path "/foo", just as if it came in on a form. Once you've
> validated that, the action can forward to whatever page you actually want
> to display.
>
> Craig
>
>
>
>
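
The two-action flow discussed in this thread (issue the token in the action that renders the form, then check and clear it in the action that receives the submission), as an added example that is not code from the thread or from Struts. A plain `Map` stands in for the `HttpSession`; `TokenDemo`, `TOKEN_KEY` and `consumeToken` are hypothetical names, and the check and reset share one synchronized block to cover the race Kai raises.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class TokenDemo {
    // Hypothetical session attribute name, not the Struts constant.
    static final String TOKEN_KEY = "TRANSACTION_TOKEN";
    static final SecureRandom RNG = new SecureRandom();

    // Action1: create a fresh token, keep it server-side, and return it so
    // the page can embed it in a hidden field or a link query parameter.
    static String saveToken(Map<String, String> session) {
        String token = new BigInteger(128, RNG).toString(16);
        synchronized (session) {
            session.put(TOKEN_KEY, token);
        }
        return token;
    }

    // Action2: compare and clear inside one critical section, so two
    // concurrent submissions of the same form cannot both pass the check.
    static boolean consumeToken(Map<String, String> session, String submitted) {
        synchronized (session) {
            String saved = session.get(TOKEN_KEY);
            if (saved == null || submitted == null || !saved.equals(submitted)) {
                return false; // no transaction started, replay, or stale page
            }
            session.remove(TOKEN_KEY); // the resetToken() step
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>(); // constructed stand-in session

        String hidden = saveToken(session);            // Action1 -> Page1
        System.out.println("first submit:  " + consumeToken(session, hidden));
        System.out.println("double click:  " + consumeToken(session, hidden));
        System.out.println("direct access: " + consumeToken(session, null));

        String stale = saveToken(session);             // Page1 opened twice:
        String latest = saveToken(session);            // only the last token is live
        System.out.println("stale page:    " + consumeToken(session, stale));
        System.out.println("latest page:   " + consumeToken(session, latest));
    }
}
```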