Re: Transaction Token

2003-07-30 Thread manglu
Joshua,

If the token is invalid you tell the User that they might have attempted 
 multiple submissions etc via an error page

Manglu



Joshua White wrote:
And if the token is not valid, do you redirect them to an error page?
 
 

manglu <[EMAIL PROTECTED]> wrote:
The Trans token is fairly simple
Before a form is sent to the User in your action class make a
saveToken(request) call. When the form is displayed on the client side
there is a token attached which is sent along with the form on a submit
by the Client

When a call is received the token (sent by the Client) is compared with
its contents in Session

via the isValidToken() which returns true if there is a match else it
returns false.

In summary

before sending form to user issue saveToken(request)

and before processing issue a isValidToken() to see if the token is valid

HTH

Manglu



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: Transaction Token

2003-07-30 Thread Joshua White
And if the token is not valid, do you redirect them to an error page?
 
 


manglu <[EMAIL PROTECTED]> wrote:
The Trans token is fairly simple


Before a form is sent to the User in your action class make a
saveToken(request) call. When the form is displayed on the client side
there is a token attached which is sent along with the form on a submit
by the Client

When a call is received the token (sent by the Client) is compared with
its contents in Session

via the isValidToken() which returns true if there is a match else it
returns false.

In summary

before sending form to user issue saveToken(request)

and before processing issue a isValidToken() to see if the token is valid

HTH

Manglu






Re: Transaction Token

2003-07-29 Thread manglu
The Trans token is fairly simple

Before a form is sent to the User in your action class make a
saveToken(request) call. When the form is displayed on the client side
there is a token attached which is sent along with the form on a submit
by the Client

When a call is received the token (sent by the Client) is compared with
its contents in Session

via the isValidToken() which returns true if there is a match else it
returns false.

In summary

before sending form to user issue saveToken(request)

and before processing issue a isValidToken() to see if the token is valid

HTH

Manglu





Re: Transaction Token

2003-07-29 Thread Rob Leland
Joshua White wrote:

I have heard the session token mentioned a few times.  Does anyone have any examples on when/how to use it?

Regards,

Joshua

 

Look in the struts 'example' program. I am sure it uses it.

--
-
Rob Leland (703-525-3580)
Choose a job you love, and you will never have to work a day of your life.
 
-Confucius.




Re: Transaction Token

2003-07-29 Thread Dan Tran
Do a search on archive and look for transaction token.
The struts-example in the distribution also uses transaction token as well

-D
- Original Message - 
From: "Joshua White" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 29, 2003 5:12 PM
Subject: Transaction Token


> I have heard the session token mentioned a few times.  Does anyone have
> any examples on when/how to use it?
>
> Regards,
>
> Joshua
>




Transaction Token

2003-07-29 Thread Joshua White
I have heard the session token mentioned a few times.  Does anyone have any examples 
on when/how to use it?
 
Regards,
 
Joshua


RE: SUGGESTION: Transaction token creation control in struts-config.xml (LONG)

2003-03-28 Thread Edgar Dollin
There is a session token which you can use for enforcing transaction
integrity built into struts already.  It is also a piece of cake to custom
code your own if you want finer grained control.

Edgar

> -Original Message-
> From: Igor Shabalov [mailto:[EMAIL PROTECTED] 
> Sent: Friday, March 28, 2003 6:42 PM
> To: 'Struts Users Mailing List'
> Subject: Re: SUGGESTION: Transaction token creation control 
> in struts-config.xml (LONG)
> 
> 
> 
>   Good use case! I put it into attachment...
> 
>   Best,
>   Igor.
> 
> 
> On Fri, 28 Mar 2003 16:53:15 -0600, Steve Stair 
> <[EMAIL PROTECTED]> wrote:
> 
> > I've got a use case to edit an existing user.
> > I've extended the ForwardAction class to make one that forwards after
> > creating a transaction token.
> >
> > When the user clicks on a link to edit a user's data, they are first
> > sent to an action that only loads the user data into the form.  This
> > action can be re-used by a View User use case,
> > without any modification, because it doesn't create a transaction
> > token.
> > On success, that action forwards to the JSP page/tile via an action
> > that creates a transaction token.
> >
> > When the user clicks save, the update action persists the data, and
> > forwards to JSP again via the action that creates a transaction token.
> >
> > I've seen it said here that you shouldn't chain actions, but it seems
> > more clear to me this way. By doing it this way, I don't have to
> > create tokens in my code. The update action should not have to know
> > that the place it is being forwarded to will need
> > a transaction token.  Isn't the point of defining forwards for an
> > action that the java code
> > doesn't care where it is going to next?
> >
> > 
> > 
> >  > path="/editUserAction"
> > name="UserForm"
> > type="com.whatever.LoadUserAction"
> > validate="false"
> > scope="request">
> > 
> > 
> > 
> >
> > 
> >  > path="/editUser"
> > type="com.whatever.TransactionForwardAction"
> > parameter="app.EditUser"/>
> >
> > 
> >  > path="/updateUserAction"
> > name="UserForm"
> > type="com.whatever.UpdateUserAction"
> > validate="true"
> > input="app.EditUser"
> > scope="request">
> > 
> > 
> > 
> > 
> >
> > 
> >
> >
> > In any case, in doing this, it seems to me that it would make sense if
> > you could make an action create a transaction token by some entry in
> > the struts-config.
> >
> >
> >
> > --
> > Steve Stair
> > [EMAIL PROTECTED]
> >
> >
> > 
> >
> >
> 
> 
> 
> -- 
> Igor Shabalov
> Director of Engineering
> Exadel Inc.
> http://www.exadel.com
> 




Fwd: Re: SUGGESTION: Transaction token creation control in struts-config.xml (LONG)

2003-03-28 Thread Igor Shabalov
Mailing list eats the attachments, sorry...
I just like this picture :-)
--- Forwarded message ---
From: Igor Shabalov <[EMAIL PROTECTED]>
To: Struts Users Mailing List <[EMAIL PROTECTED]>
Subject: Re: SUGGESTION: Transaction token creation control in struts-config.xml (LONG)
Date: Fri, 28 Mar 2003 15:42:23 -0800

	Good use case! I put it into attachment...

Best,
Igor.
On Fri, 28 Mar 2003 16:53:15 -0600, Steve Stair 
<[EMAIL PROTECTED]> wrote:

I've got a use case to edit an existing user.
I've extended the ForwardAction class to make one that forwards after
creating a transaction token.
When the user clicks on a link to edit a user's data, they are first
sent to an action that only
loads the user data into the form.  This action can be re-used by a
View User use case,
without any modification, because it doesn't create a transaction
token.
On success, that action forwards to the JSP page/tile via an action
that creates a transaction token.
When the user clicks save, the update action persists the data, and
forwards to JSP again
via the action that creates a transaction token.
I've seen it said here that you shouldn't chain actions, but it seems
more clear to me this way.
By doing it this way, I don't have to create tokens in my code.
The update action should not have to know that the place it is being
forwarded to will need
a transaction token.  Isn't the point of defining forwards for an
action that the java code
doesn't care where it is going to next?
















In any case, in doing this, it seems to me that it would make sense if
you could
make an action create a transaction token by some entry in the
struts-config.


--
Steve Stair
[EMAIL PROTECTED]






--
Igor Shabalov
Director of Engineering
Exadel Inc.
http://www.exadel.com

Re: SUGGESTION: Transaction token creation control in struts-config.xml (LONG)

2003-03-28 Thread Igor Shabalov
	Good use case! I put it into attachment...

Best,
Igor.
On Fri, 28 Mar 2003 16:53:15 -0600, Steve Stair 
<[EMAIL PROTECTED]> wrote:

I've got a use case to edit an existing user.
I've extended the ForwardAction class to make one that forwards after
creating a transaction token.
When the user clicks on a link to edit a user's data, they are first
sent to an action that only
loads the user data into the form.  This action can be re-used by a
View User use case,
without any modification, because it doesn't create a transaction
token.
On success, that action forwards to the JSP page/tile via an action
that creates a transaction token.
When the user clicks save, the update action persists the data, and
forwards to JSP again
via the action that creates a transaction token.
I've seen it said here that you shouldn't chain actions, but it seems
more clear to me this way.
By doing it this way, I don't have to create tokens in my code.
The update action should not have to know that the place it is being
forwarded to will need
a transaction token.  Isn't the point of defining forwards for an
action that the java code
doesn't care where it is going to next?
















In any case, in doing this, it seems to me that it would make sense if
you could
make an action create a transaction token by some entry in the
struts-config.


--
Steve Stair
[EMAIL PROTECTED]



--
Igor Shabalov
Director of Engineering
Exadel Inc.
http://www.exadel.com

SUGGESTION: Transaction token creation control in struts-config.xml (LONG)

2003-03-28 Thread Steve Stair
I've got a use case to edit an existing user.
I've extended the ForwardAction class to make one that forwards after
creating a transaction token.

When the user clicks on a link to edit a user's data, they are first
sent to an action that only
loads the user data into the form.  This action can be re-used by a
View User use case,
without any modification, because it doesn't create a transaction
token.
On success, that action forwards to the JSP page/tile via an action
that creates a transaction token.

When the user clicks save, the update action persists the data, and
forwards to JSP again
via the action that creates a transaction token.

I've seen it said here that you shouldn't chain actions, but it seems
more clear to me this way.
By doing it this way, I don't have to create tokens in my code.
The update action should not have to know that the place it is being
forwarded to will need
a transaction token.  Isn't the point of defining forwards for an
action that the java code
doesn't care where it is going to next?








   












In any case, in doing this, it seems to me that it would make sense if
you could
make an action create a transaction token by some entry in the
struts-config.



--
Steve Stair
[EMAIL PROTECTED]





[Fwd: Transaction Token & long running process ...]

2003-02-20 Thread Ted Husted


 Original Message 
Subject: Transaction Token & long running process ...
Date: Thu, 20 Feb 2003 08:45:44 +0100
From: "Hossfeld, Frank" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>

Hi Ted,

I read the answer you wrote Greg Hess. And because I can't answer in the
list - don't know why - I reply directly. I hope this works.

We are searching for a solution of the same problem. We are using Struts 
and decided to use the Transaction Token  to solve this problem.

This works fine, except of one situation.
Here is the text, I wanted to send to the list yesterday:

> Hi,
> we use the Struts Token solution to resolve the race-condition (which
> results e.g. by double-click).
> Now we have a problem with the sendRedirect(), because a
> sendRedirect() does not send the token in the URL.
> So the next token check fails.
>
> Is there any method or solution to send the token within the URL?
>
> We discovered this problem in the following situation:
>
> Every request in our application does the token-check. So, when we
> change from one action to another by forward-mapping, which is defined
> with 'redirect="true"' in the struts-config, the change fails,
> because the second request, redirected from the browser, does not
> contain the token.
>
> Regards Frank


Perhaps you can tell me, if we make a mistake or if it is a problem in
Struts.

For long-processing transactions, there are two possible solutions, we
think:

First, the first request writes his message into the session. The second
request, which has to wait until the first gets his SocketException ... 
:-), reads the message out of the session and presents it, with the 
response of the second request. This will not always work, because when 
the second request has another host, the session is not available and 
the message not reachable. So, the behavior of the application is not 
always the same.

Second, you can send a "in progress"-page after receiving the first 
request, after you started the long running process. This page will send 
every second a request from the browser to the server, where the server
is able to check if the long running process has finished. When the long 
running process has finished, you can send back the response containing 
the messages of the long running process. In this case, you also have 
the problem, that the User can close the browser, push the cancel-button 
or change the URL.

In my opinion, the Transaction Token solution is the best one, to solve 
this problem.

Regards Frank




Transaction token documentation

2002-03-05 Thread Parimi Srinivas

a. Is there any documentation or write up avl on how transaction tokens are
programmed ?.
b. What is the use of generateToken method in Action class ?. 

Thanks,






Re: Transaction Token check required before form populate

2002-02-14 Thread Duncan Harris

[EMAIL PROTECTED] (Ted Husted) wrote:

> If someone submitted a patch to bugzilla that allowed the generation of
> the token to be switched off on a form by form basis, I'm sure it would
> be considered. 

If I did this, it seems like a good default might be to remove the
transaction token for GET forms. Although this is not backwards
compatible, it probably wouldn't break much at all.


Duncan Harris
~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.





Re: Transaction Token check required before form populate

2002-02-14 Thread Ted Husted

The autopopulation takes place before the ActionForm gets control, so
that's really not an option. 

The request is passed to validate, and so you could put a token checker
there. 

That does make a certain amount of sense, since it is after all a kind
of validation error. 

But, returning people to input is usually not a solution, since you
usually have to take them someplace where they can recover from the
double-submit faux pas, and move ahead. So the Action has to step in
and reroute the request.

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Java Web Development with Struts.
-- Tel +1 585 737-3463.
-- Web http://www.husted.com/struts/


Duncan Harris wrote:
> 
> [EMAIL PROTECTED] (Ted Husted) wrote:
> 
> > The usual workflow is to visit an Action before displaying the page.
> > This gives you the opportunity to any number of things, including
> > setting up the tokens.
> 
> There is no problem setting up the token for a response.
> The problem is that as the request comes in I want to validate the token
> *before* Struts attempts to populate the form bean.
> 
> Duncan Harris
> ~~~
> Hartford, Cheshire, U.K., Tel: 07968 060418
> Looking for STRUTS contract work in the U.K.
> 




Re: Transaction Token check required before form populate

2002-02-14 Thread Duncan Harris

[EMAIL PROTECTED] (Keith) wrote:

> Isn't it easy enough to test which form you came from to decide whether to call
> isTokenValid()?

Not a problem in this respect. The problem is the URL for a GET (see below).


> > However the URL is no longer very clean.

> I don't get what you mean.

It contains something like:

org.apache.struts.taglib.html.TOKEN=32ea43086bf2732216d4eb96bf22d44

which prevents possible caching of the GET request for example.


Duncan Harris
~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.





Re: Transaction Token check required before form populate

2002-02-14 Thread Duncan Harris

[EMAIL PROTECTED] (Ted Husted) wrote:

> The usual workflow is to visit an Action before displaying the page.
> This gives you the opportunity to any number of things, including
> setting up the tokens. 

There is no problem setting up the token for a response.
The problem is that as the request comes in I want to validate the token
*before* Struts attempts to populate the form bean.


Duncan Harris
~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.





RE: Transaction Token check required before form populate

2002-02-14 Thread Galbreath, Mark

If you simply need to prevent resubmits, set a token as a session variable,
check its value on any submit, and change its value on the first submit.

Cheers!
Mark

--
Try before you cry:
http://www.mail-archive.com/struts-user%40jakarta.apache.org/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 9:20 AM

Problem here is that I have indexed properties and the valid index range
may be different at different times. When all is well, the form bean and
the HTML form correspond, but if the user goes back and re-submits then
they may not and I can get out of range exceptions.
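
The token-in-session scheme described in this thread (store a token in the session before showing the form, compare it on submit, change it on the first submit), as an added stand-alone Java example that is not part of any message here and is not Struts code. The class name, the session key and the Map standing in for the HTTP session are assumptions; the method names only echo those mentioned on the list.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration, not Struts source. A Map stands in for the HTTP
// session; TOKEN_KEY is a made-up attribute name.
public class TransactionTokenDemo {

    static final String TOKEN_KEY = "demo.TRANSACTION_TOKEN"; // hypothetical key
    private static final SecureRandom RNG = new SecureRandom();

    // Before the form is sent: store a fresh random token in the session and
    // return it so the page can carry it in a hidden field.
    static String saveToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String token = hex.toString();
        synchronized (session) {
            session.put(TOKEN_KEY, token);
        }
        return token;
    }

    // Before processing a submit: compare and consume under one lock, so
    // that of two racing requests (a double-click) only one can pass.
    static boolean isTokenValid(Map<String, Object> session, String submitted) {
        synchronized (session) {
            Object saved = session.get(TOKEN_KEY);
            if (!(saved instanceof String) || submitted == null) {
                return false; // no form was issued, or no token came back
            }
            // Constant-time comparison of the stored and submitted values.
            boolean match = MessageDigest.isEqual(
                    ((String) saved).getBytes(StandardCharsets.UTF_8),
                    submitted.getBytes(StandardCharsets.UTF_8));
            if (match) {
                session.remove(TOKEN_KEY); // single use: consumed on first submit
            }
            return match;
        }
    }

    // Stand-in for an action: performs the insert only for a valid token,
    // otherwise routes to an error page.
    static String handleSubmit(Map<String, Object> session, String token,
                               AtomicInteger inserts) {
        if (!isTokenValid(session, token)) {
            return "error-page";
        }
        inserts.incrementAndGet(); // the one-time side effect being protected
        return "success";
    }

    public static void main(String[] args) throws InterruptedException {
        Map<String, Object> session = new HashMap<>();
        AtomicInteger inserts = new AtomicInteger();

        // Normal flow, then the same form resubmitted via the back button.
        String token = saveToken(session);
        System.out.println("first submit:  " + handleSubmit(session, token, inserts));
        System.out.println("resubmit:      " + handleSubmit(session, token, inserts));
        System.out.println("no token sent: " + handleSubmit(session, null, inserts));

        // Double-click: two requests carrying the same token at the same time.
        String clicked = saveToken(session);
        Runnable click = () -> handleSubmit(session, clicked, inserts);
        Thread a = new Thread(click);
        Thread b = new Thread(click);
        a.start();
        b.start();
        a.join();
        b.join();
        System.out.println("inserts performed: " + inserts.get());
    }
}
```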





Re: Transaction Token check required before form populate

2002-02-14 Thread Keith

Hi Duncan,
Isn't it easy enough to test which form you came from to decide whether to call
isTokenValid()?
> However the URL is no longer very clean.
I don't get what you mean.
Keith.


--- Duncan Harris <[EMAIL PROTECTED]> wrote:
> 
> The other thing that seems to be an annoyance is that the
> org.apache.struts.taglib.html.TOKEN parameter gets added for
> all forms on the page if it is set. I don't want this to happen.
> There appears to be no way to easily avoid this without overriding
> and replicating the whole of the FormTag.doStartTag() method.
> 
> Example when I don't want this is I have a main form which is POSTed,
> but an auxiliary navigational form (e.g. drop-down list and Go button)
> which is a GET with a clean URL. However the URL is no longer very clean.
> 
> 
> Duncan Harris
> ~~~
> Hartford, Cheshire, U.K., Tel: 07968 060418
> Looking for STRUTS contract work in the U.K.
> 
> 
> 
> [EMAIL PROTECTED] (Duncan Harris) wrote:
> 
> > I need my transaction token checking before my form is
> > populated.
> > 
> > Problem here is that I have indexed properties and the valid index range
> > may be different at different times. When all is well, the form bean and
> > the HTML form correspond, but if the user goes back and re-submits then
> > they may not and I can get out of range exceptions.
> > 
> > I thought I could use the transaction token to guard against this, but
> > of course it needs doing before the action perform() method is called.
> > 
> > I already have a servlet derived from ActionServlet so I thought I could
> > do it here, but of course the token checking functions are not available
> > from here because they are protected.
> > 
> > So it seems I have to copy the token checking code.
> > 
> > Is there a clean way to solve this?
> > 
> > Or maybe STRUTS needs fixing? Should the token checking functions be 
> > static and public?
> 
> 






Re: Transaction Token check required before form populate

2002-02-14 Thread Ted Husted

One solution would be to write the GET form yourself, using bean:write to
populate the HTML controls.

If someone submitted a patch to bugzilla that allowed the generation of
the token to be switched off on a form by form basis, I'm sure it would
be considered. 

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Java Web Development with Struts.
-- Tel +1 585 737-3463.
-- Web http://www.husted.com/struts/



Duncan Harris wrote:
> 
> The other thing that seems to be an annoyance is that the
> org.apache.struts.taglib.html.TOKEN parameter gets added for
> all forms on the page if it is set. I don't want this to happen.
> There appears to be no way to easily avoid this without overriding
> and replicating the whole of the FormTag.doStartTag() method.
> 
> Example when I don't want this is I have a main form which is POSTed,
> but an auxiliary navigational form (e.g. drop-down list and Go button)
> which is a GET with a clean URL. However the URL is no longer very clean.
> 
> Duncan Harris
> ~~~
> Hartford, Cheshire, U.K., Tel: 07968 060418
> Looking for STRUTS contract work in the U.K.
> 
> [EMAIL PROTECTED] (Duncan Harris) wrote:
> 
> > I need my transaction token checking before my form is
> > populated.
> >
> > Problem here is that I have indexed properties and the valid index range
> > may be different at different times. When all is well, the form bean and
> > the HTML form correspond, but if the user goes back and re-submits then
> > they may not and I can get out of range exceptions.
> >
> > I thought I could use the transaction token to guard against this, but
> > of course it needs doing before the action perform() method is called.
> >
> > I already have a servlet derived from ActionServlet so I thought I could
> > do it here, but of course the token checking functions are not available
> > from here because they are protected.
> >
> > So it seems I have to copy the token checking code.
> >
> > Is there a clean way to solve this?
> >
> > Or maybe STRUTS needs fixing? Should the token checking functions be
> > static and public?
> 




Re: Transaction Token check required before form populate

2002-02-14 Thread Ted Husted

The usual workflow is to visit an Action before displaying the page.
This gives you the opportunity to any number of things, including
setting up the tokens. 

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Java Web Development with Struts.
-- Tel +1 585 737-3463.
-- Web http://www.husted.com/struts/


Duncan Harris wrote:
> 
> I need my transaction token checking before my form is
> populated.
> 
> Problem here is that I have indexed properties and the valid index range
> may be different at different times. When all is well, the form bean and
> the HTML form correspond, but if the user goes back and re-submits then
> they may not and I can get out of range exceptions.
> 
> I thought I could use the transaction token to guard against this, but
> of course it needs doing before the action perform() method is called.
> 
> I already have a servlet derived from ActionServlet so I thought I could
> do it here, but of course the token checking functions are not available
> from here because they are protected.
> 
> So it seems I have to copy the token checking code.
> 
> Is there a clean way to solve this?
> 
> Or maybe STRUTS needs fixing? Should the token checking functions be
> static and public?
> 
> Duncan Harris
> ~~~
> Hartford, Cheshire, U.K., Tel: 07968 060418
> Looking for STRUTS contract work in the U.K.
> 




Re: Transaction Token check required before form populate

2002-02-14 Thread Duncan Harris


The other thing that seems to be an annoyance is that the
org.apache.struts.taglib.html.TOKEN parameter gets added for
all forms on the page if it is set. I don't want this to happen.
There appears to be no way to easily avoid this without overriding
and replicating the whole of the FormTag.doStartTag() method.

Example when I don't want this is I have a main form which is POSTed,
but an auxiliary navigational form (e.g. drop-down list and Go button)
which is a GET with a clean URL. However the URL is no longer very clean.


Duncan Harris
~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.



[EMAIL PROTECTED] (Duncan Harris) wrote:

> I need my transaction token checking before my form is
> populated.
> 
> Problem here is that I have indexed properties and the valid index range
> may be different at different times. When all is well, the form bean and
> the HTML form correspond, but if the user goes back and re-submits then
> they may not and I can get out of range exceptions.
> 
> I thought I could use the transaction token to guard against this, but
> of course it needs doing before the action perform() method is called.
> 
> I already have a servlet derived from ActionServlet so I thought I could
> do it here, but of course the token checking functions are not available
> from here because they are protected.
> 
> So it seems I have to copy the token checking code.
> 
> Is there a clean way to solve this?
> 
> Or maybe STRUTS needs fixing? Should the token checking functions be 
> static and public?





Transaction Token check required before form populate

2002-02-14 Thread Duncan Harris


I need my transaction token checking before my form is
populated.

Problem here is that I have indexed properties and the valid index range
may be different at different times. When all is well, the form bean and
the HTML form correspond, but if the user goes back and re-submits then
they may not and I can get out of range exceptions.

I thought I could use the transaction token to guard against this, but
of course it needs doing before the action perform() method is called.

I already have a servlet derived from ActionServlet so I thought I could
do it here, but of course the token checking functions are not available
from here because they are protected.

So it seems I have to copy the token checking code.

Is there a clean way to solve this?

Or maybe STRUTS needs fixing? Should the token checking functions be 
static and public?

Duncan Harris
~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.





Transaction Token verified in Controller?

2002-01-25 Thread Jeff_Mychasiw



Has Anyone implemented a Token Check in the ActionServlet and not in each
action?

The reason would be to prevent the unwanted back button for EVERY action.

We may put this type of check into an existing app that we have.  The plan is to
move this app to Struts, but we are forced to implement a token scheme now
(without Struts) and I would like to use an approach that will make the move to
Struts as painless as possible in the future.

I would be interested in any thoughts.

Thanks







[SOLVED] Re: Transaction Token: How can a html:form submit a forward

2001-12-21 Thread Peter Pilgrim



A night's decent sleep and I realize what the solution is.  Find the action forward but
don't save the name of the forward into the request scope. Save
the forward's path instead!

if ( !isTokenValid( request ) )  {
 // transaction error
 saveErrors( ... );
 // look up the forward on this action's mapping and keep only its path
 ActionForward fwd = mapping.findForward("transaction-invalid");
 request.setAttribute( "com.db.project.AFTER_TRANSACTION_INVALID", fwd.getPath() );

 return mapping.findForward( "invalid-form-input" );
}

The forward path, of course, is a reference to the next action

  

Now everything makes sense. I simply use a bog standard HTML Form tag
and a bit of java script to submit the form.




   " >
 Please continue to the restart page
  
   


So after a transaction token error I give the user the option to move FORWARD
as well as back. Going backwards usually results in the same attempt to
insert the row into the database again [double-insertion] which
is what transaction tokens are designed to protect. So the user ends
up getting very __frustrated__ after going round and around in circles.
Not good for any professional web application!

http://www.xenonsoft.demon.co.uk/axioms2.html

--
Peter Pilgrim ++44 (0)207-545-9923
"Mathematics is essentially the study of islands of
disparate subjects in a sea of ignorance."
Andrew Wiles


 Message History 



From: Peter Pilgrim/DMGIT/DMG UK/DeuBa@DMG UK on 20/12/2001 16:37

Please respond to "Struts Users Mailing List" <[EMAIL PROTECTED]>

To:   [EMAIL PROTECTED]
cc:
Subject:  Transaction Token: How can a html:form submit a forward



When your transaction token is invalid you normally forward
to a nice smiling double transaction screen and print a nice error message.

You want to prevent or suggest that the user not hit the [BACK] button in the
browser.

I would like to put a simple button "Continue" that forwards to the "promptForm"
page.

if ( !isTokenValid( request ) )  {
 // transaction error
 saveErrors( ... );
 ActionForward fwd = mapping.findForward("transaction-invalid");
 request.setAttribute( "com.db.project.AFTER_TRANSACTION_INVALID", fwd );

 return mapping.findForward( "invalid-form-input" );
}

Do you see what I am doing here? I am finding a forward "transaction-invalid"
to allow the user to go FORWARD rather than BACKWARDS.
In each ActionMapping I can declare a "transaction-invalid" that redirects to
the same action and forward to the "promptForm" screen.


  
  
  


So I would like to write in "invalid-form-input.jsp" something like this




   " >
 Please continue to the restart page
  
   


I know  does not support a forward tag attribute. Any suggestions?

--
Peter Pilgrim ++44 (0)207-545-9923
"Mathematics is essentially the study of islands of
disparate subjects in a sea of ignorance."
Andrew Wiles







Transaction Token: How can a html:form submit a forward

2001-12-20 Thread Peter Pilgrim


When your transaction token is invalid you normally forward
to a nice smiling double transaction screen and print a nice error message.

You want to prevent or suggest that the user not hit the [BACK] button in the
browser.

I would like to put a simple button "Continue" that forwards to the "promptForm"
page.

if ( !isTokenValid( request ) )  {
 // transaction error
 saveErrors( ... );
 ActionForward fwd = mapping.findForward("transaction-invalid");
 request.setAttribute( "com.db.project.AFTER_TRANSACTION_INVALID", fwd );

 return mapping.findForward( "invalid-form-input" );
}

Do you see what I am doing here? I am finding a forward "transaction-invalid"
to allow the user to go FORWARD rather than BACKWARDS.
In each ActionMapping I can declare a "transaction-invalid" that redirects to
the same action and forward to the "promptForm" screen.


  
  
  


So I would like to write in "invalid-form-input.jsp" something like this




   " >
 Please continue to the restart page
  
   


I know  does not support a forward tag attribute. Any suggestions?

--
Peter Pilgrim ++44 (0)207-545-9923
"Mathematics is essentially the study of islands of
disparate subjects in a sea of ignorance."
Andrew Wiles







Transaction Token without a struts form?

2001-12-07 Thread Krueger, Jeff

All,

I am working on implementing a transaction token so my app can handle when
the user clicks the back button on the web browser.  Our application doesn't
always use a struts form because we often have to display an unknown number of
rows of data, so that doesn't map well to a form bean.  So since I don't
always use a struts form tag I don't automatically get the transaction token
put on my page.  I can write a custom tag to do this and it wouldn't be that
tough, but I am curious if anyone else has come across this problem.  You
want to use a struts form, but I don't want to associate a struts form bean
with it?  Also from what I can see there isn't any struts tag to output the
transaction token.  This seems like it might be a good thing for the tag
lib?

Thanks

Jeff
