Hi Tim,

I just installed struts a couple of days ago and have the same problems
regarding docs on this topic.
My "theory" of a token is the following (no warranty ;) :
a. saveToken() generates a unique identifier (MD5 hash) stored in the user's
   session ("server-side") and on the JSP page the Action forwards to
   ("client-side") when using Struts form or link tags. saveToken will create
   a session if there is none, according to the API docs.
b. isValid() compares the user's session token with the token given as a
   request parameter (either through a hidden form field (form tag) or through
   an additional parameter on a URL (link tag)).
c. resetToken() removes the token from the session.


Imagine the following scenario where you have a workflow/transaction which
goes over 2 pages.

   Action1  ->  Page1  ->  Action2  ->  Page2
1. saveToken               isValid()?
2. doStuff                 doStuff
3.                         resetToken()

+ Entry point to the transaction is always Action1. Accessing Action2
  directly is not allowed (token not set).
+ Having more than one instance of Page1 open, isValid() in Action2 will
  assure that only the last one opened is executed.

Looking at the stuff in Action2 makes me think that you might want to put
it into a synchronized block, depending on how fast your doStuff executes.

Hope this helped,

Kai


-----Original Message-----
From: Tim Fox [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 August 2001 16:41
To: [EMAIL PROTECTED]
Subject: RE: Examples of multi-click prevention using struts tokens


Thanks for your reply.
What I really meant when I said I don't have an html:form is that I do have
a <FORM> tag, just not a <html:form> tag, i.e. I'm not using the Struts html
taglib in my page (consequently I can't use the html:link tag either).
Is there a method I can call to get the transaction token in a format that
can be stuck in a query parameter? Then I can just do
<a href="blah.go?something=<%=getToken()%>">click me</a> ???

I'm still unsure of how to use saveToken(), resetToken(), and
isTokenValid(): at what point in my web action do I place these calls (if
any), and in what order?







-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: 14 August 2001 17:05
To: [EMAIL PROTECTED]
Subject: Re: Examples of multi-click prevention using struts tokens


On Tue, 14 Aug 2001, Tim Fox wrote:

> Anyone know of any examples of how to use the
> saveToken(), resetToken(), and isTokenValid() methods - for prevention of
> submission of forms multiple times.
> I can't find anything in the docs.
> Specifically I want to be able to use them in the situation where I *don't*
> have a <html:form> in my page - is this possible?
> thanx in advance
>

If you don't have a form, then what you are trying to prevent is following
the same hyperlink twice, right?  In that case, you can tell the
<html:link> tag to include the transaction control token like this:

  <html:link href="/foo.do" transaction="true"/>

This will cause the token to be included on the hyperlink as a query
parameter, so that you can check it with isTokenValid() in your action
associated with path "/foo", just as if it came in on a form.  Once you've
validated that, the action can forward to whatever page you actually want
to display.

Craig
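
Added example (not part of the original thread, and not Struts code): a self-contained Java model of the Action2 flow discussed above, comparing "isValid, doStuff, resetToken" as three separate steps with a single synchronized check-and-reset. The names TokenDemo, consume and run are hypothetical, and a barrier stands in for a slow doStuff so that two double-click requests both pass the check before either resets the token.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.List;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Stand-in for the per-session token slot (assumption: one token per session).
public class TokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private String token;                      // what saveToken() keeps in the session

    synchronized String saveToken() {          // Action1: new token replaces any old one
        return token = new BigInteger(128, RNG).toString(16);
    }
    synchronized boolean isValid(String submitted) {   // check only, token stays set
        return token != null && token.equals(submitted);
    }
    synchronized void resetToken() { token = null; }

    // Check and reset inside one critical section: only one request can win.
    synchronized boolean consume(String submitted) {
        if (token == null || !token.equals(submitted)) return false;
        token = null;
        return true;
    }

    // Two concurrent submits of the same Page1; returns how often doStuff ran.
    static int run(boolean atomic) throws Exception {
        TokenDemo session = new TokenDemo();
        String t = session.saveToken();
        CyclicBarrier bothChecked = new CyclicBarrier(2);
        AtomicInteger doStuffRuns = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(2);
        Callable<Void> action2 = () -> {
            boolean ok = atomic ? session.consume(t) : session.isValid(t);
            bothChecked.await();               // worst case: both checked, none reset yet
            if (ok) { doStuffRuns.incrementAndGet(); session.resetToken(); }
            return null;
        };
        pool.invokeAll(List.of(action2, action2));
        pool.shutdown();
        return doStuffRuns.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("check, doStuff, reset: doStuff ran " + run(false) + "x");
        System.out.println("atomic check-and-reset: doStuff ran " + run(true) + "x");
    }
}
```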


