Or.....you could utilize the isTokenValid() in the action class. http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=struts+istokenvalid
James Mitchell Software Engineer\Struts Evangelist Struts-Atlanta, the "Open Minded Developer Network" http://www.open-tools.org/struts-atlanta > -----Original Message----- > From: Hal Deadman [mailto:[EMAIL PROTECTED]] > Sent: Monday, July 01, 2002 9:49 AM > To: 'Struts Developers List' > Subject: RE: Security issues with Struts > > > This does sounds like a problem if you use session scoped forms. > It seems to > me like a good reason not to use session scoped forms and another > reason to > minimize use of the session in general. Sessions have other problems that > arise when a user opens multiple browsers for example. It also argues for > ensuring that your model layer code doesn't rely on validation done in the > presentation layer (especially if it's an internet banking application). I > am not saying your idea for session synchronization wouldn't work but you > could work around it and you would probably be better off in the end. > > Hal > > > -----Original Message----- > > From: Marcel Kruzel [mailto:[EMAIL PROTECTED]] > > Sent: Monday, July 01, 2002 2:46 AM > > To: [EMAIL PROTECTED] > > Subject: Security issues with Struts > > > > > > Hello Struts developers, > > > > We are now developing an internet banking > > application with Stuts of course. > > Of course, we are highly concerned > > in possible security holes in the framework > > (or in the application using the framework). > > I believe, there is one, that, when properly > > used, can cause some troubles for developers! > > > > Here it is: > > > > Imagine a scenario, where user submits a form, > > the Struts automatically populate the > > form bean and then > > the validation of the parameters takes place. > > After that, if OK, the perform method is called. > > Here, I already know, that the > > params were ok, so I write the > > transaction to database. The problem here > > is the perform method. When precisely at the > > moment of perform method call user decides > > to submit the form once again (with > > different values of course), the form bean > > is again populated, and possibly wrong > > (not validated) data might be writen to database > > (by the first thread, that is not aware > > of the second submit). > > I am afraid, there is not a possibility to > > synchronize acccess to the form, > > since the population of form bean is automatic. > > > > I know, that the solution to the problem here is > > in the perform method > > to make copy of the parameters and then validate > > them again. Or, I can > > make validation only in the perform method, > > but first I have to remove the > > form bean from session, then validate > > and then write to database, and then possibly > > return that form bean to the session. > > > > Sorry for so long description, > > but I tried to make myself as clear as possible. > > > > My preferred solution to the problem would be: > > In the struts-config.xml put an attribute > > to action, describing, that handling > > such an action requires session synchronization. > > Thus everything, starting from form population > > and ending with "return mapping.findForward(...)" > > would be synchronized on a session object. > > (I do this synchronization on a session > > anyway - in each perform method). > > > > So, what do You think? > > > > Thanx to all contributors > > for such a great framework, > > and enjoy the summer. > > > > Marcel Kruzel > > Czech Republic > > > > > > > > -- > > To unsubscribe, e-mail: > > <mailto:[EMAIL PROTECTED]> > > For additional commands, e-mail: > > <mailto:[EMAIL PROTECTED]> > > > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>