----- Original Message ----- 
From: "David Gagnon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 17, 2003 3:23 PM
Subject: Re: Token in struts and session bean.... problem with the framework ?


>
> > >It's up to your Action to call the token methods to
> > >validate the token and
> > >forward the user to an appropriate page.
> > >
> >
>  I know, maybe I wasn't clear enough... sorry :-)
> What I'm saying is that if you use a
>  session bean, the content is modified even though the
> token is invalid. I think this should not happen.
>
>  I'm working on an intranet application and I'm using
>  session beans (maybe I shouldn't). Right now, if the
>  user double-clicks, the first request passes
> and the second request populates the bean while the
> first request is being processed... This is a little
> race :-).
>
>  I don't think Struts offers an easy way to avoid
>  this... maybe I'm wrong ...

What you found is a valid concern. I wrote a detailed
description of the problem almost a year ago on the
Struts Developer mailing list:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg07028.html

If you follow the thread, you will find that in that time frame
the Struts team was not clear on offering any easy way to
avoid it in Struts 1.1. The suggested *fix* to the problem
is to override the RequestProcessor.

As mentioned in the thread, I did implement
a mechanism in the Carrier Wheels algorithms. The source
code can be downloaded at www.netspread.com.
If you look at the GuideRequestProcessor, you may
find how we protect Struts developers in our
product.

The mechanism is very product-oriented, so it is
not very suitable to contribute to the Struts framework.
But it offers the idea of a client transaction context. In
a future Carrier-Tips-On-Struts, I will detail why it is
a serious security problem in many cases and how we
avoid it in the GuideRequestProcessor.

Jing

creator of Carrier

>
>  Thanks
>  /David
>
> > David
> > --- David Gagnon <[EMAIL PROTECTED]> wrote:
> > >  Hi all,
> > >
> > >  If you have a session bean and you are using the
> > >  token framework to protect yourself against multiple
> > >  submits...
> > >
> > >  Let's say a request with a bad token is posted to the
> > >  server. The bean will be populated, right... even if
> > >  the token is not valid. Does Struts offer support to
> > >  check if a request contains a valid token prior to
> > >  populating the bean? From what I know, the soonest
> > >  you can play with the token in Struts is in the reset
> > >  method of the bean (it may not be the best place to
> > >  play with the token anyway...).
> > >
> > >  Should a request with a bad or no token be redirected
> > >  by the framework to a handler, like it's done with
> > >  Exceptions in Struts? I think there should be a way
> > >  to avoid changing the server state on a bad request...
> > >
> > >  My guess is that you already know about all that :-)
> > >  ... or that there is something to prevent this that
> > >  I'm not aware of.
> > >
> > >  Thanks for your help
> > >
> > >  /Dave
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > SBC Yahoo! DSL - Now only $29.95 per month!
> > > http://sbc.yahoo.com
> > >
> >
> >
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>



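One way to do what Jing describes (override the RequestProcessor so the transaction token is checked, and consumed, before the session-scoped form bean is populated), as an added example for this thread; it is not the Carrier GuideRequestProcessor code and not code from Struts itself. It hooks Struts 1.1's RequestProcessor.processMapping(), which runs after the mapping is resolved but before processActionForm() and processPopulate(), and returns null to stop the pipeline. The package name, the requireToken mapping property, the invalidToken forward name and the TOKEN_VALIDATED request attribute are assumptions chosen for the example; Globals.TRANSACTION_TOKEN_KEY and Constants.TOKEN_KEY are the real Struts 1.1 session and request parameter names that saveToken() and html:form use.

```java
package com.example.struts;  // hypothetical package, not the Carrier code

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.Globals;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;
import org.apache.struts.taglib.html.Constants;

/**
 * Checks and consumes the Struts transaction token in processMapping(),
 * i.e. after the mapping is known but before processActionForm() and
 * processPopulate() run. A request with a missing, stale or already
 * consumed token never touches the session-scoped ActionForm.
 *
 * Assumed struts-config.xml wiring:
 *
 *   <action-mappings type="com.example.struts.TokenRequestProcessor$TokenActionMapping">
 *     <action path="/saveOrder" type="com.example.SaveOrderAction"
 *             name="orderForm" scope="session" input="/order.jsp">
 *       <set-property property="requireToken" value="true"/>
 *       <forward name="invalidToken" path="/duplicateSubmit.jsp"/>
 *       <forward name="success" path="/orderSaved.jsp"/>
 *     </action>
 *   </action-mappings>
 *   <controller processorClass="com.example.struts.TokenRequestProcessor"/>
 */
public class TokenRequestProcessor extends RequestProcessor {

    /** Request attribute set once the token has been checked and consumed (hypothetical key). */
    public static final String TOKEN_VALIDATED_KEY = "com.example.struts.TOKEN_VALIDATED";

    /** Local forward consulted when the token check fails (assumed name). */
    public static final String INVALID_TOKEN_FORWARD = "invalidToken";

    /** ActionMapping subclass carrying the per-mapping requireToken flag set via set-property. */
    public static class TokenActionMapping extends ActionMapping {
        private boolean requireToken = false;
        public boolean isRequireToken() { return requireToken; }
        public void setRequireToken(boolean requireToken) { this.requireToken = requireToken; }
    }

    protected ActionMapping processMapping(HttpServletRequest request,
                                           HttpServletResponse response,
                                           String path) throws IOException {
        ActionMapping mapping = super.processMapping(request, response, path);
        if (mapping == null) {
            return null;                                   // super already answered the request
        }
        if (!(mapping instanceof TokenActionMapping)
                || !((TokenActionMapping) mapping).isRequireToken()) {
            return mapping;                                // not a token-protected submit
        }
        if (consumeToken(request)) {
            return mapping;                                // first and only valid submit
        }
        // Reject before the form bean is created or populated. Returning null
        // makes RequestProcessor.process() stop after this method.
        ActionForward fwd = mapping.findForward(INVALID_TOKEN_FORWARD);
        if (fwd == null) {
            response.sendError(HttpServletResponse.SC_CONFLICT, "invalid or duplicate submit");
            return null;
        }
        try {
            doForward(fwd.getPath(), request, response);
        } catch (ServletException e) {
            throw (IOException) new IOException(e.getMessage()).initCause(e);
        }
        return null;
    }

    /**
     * Compare the submitted token with the one saveToken() stored in the
     * session and remove it inside the same synchronized block, so two
     * concurrent requests carrying the same token (a double-click) cannot
     * both pass: the check and the reset are one atomic step.
     */
    protected boolean consumeToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String sent = request.getParameter(Constants.TOKEN_KEY);
        if (session == null || sent == null) {
            return false;
        }
        synchronized (session) {      // one lock for all requests of this session
            String saved = (String) session.getAttribute(Globals.TRANSACTION_TOKEN_KEY);
            if (saved == null || !saved.equals(sent)) {
                return false;
            }
            session.removeAttribute(Globals.TRANSACTION_TOKEN_KEY);  // single use
        }
        request.setAttribute(TOKEN_VALIDATED_KEY, Boolean.TRUE);
        return true;
    }
}
```

The Action that renders the form still calls saveToken(request) as usual; the Action that receives the submit no longer calls isTokenValid()/resetToken() (the processor has already consumed the token) and instead checks request.getAttribute(TokenRequestProcessor.TOKEN_VALIDATED_KEY) if it wants a belt-and-braces assertion. One caveat: synchronizing on the HttpSession assumes the container hands the same session object to concurrent requests of one session, which the servlet spec does not strictly guarantee; a lock object stored as a session attribute at login is the portable alternative.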