Rob Leland wrote:

> Since I haven't seen the TokenTag material that I submitted
> on October 10th make it into Struts, I am assuming it won't be in 1.0.
>
> Could we place that on the TODO list for 1.1?
> It is definitely a valuable utility.
>
> Craig, what was your thinking on it?
>
> A) Was it going to remain a tag.
> B) Make use of filters ala tomcat 4.0.
> C) Be incorporated into a struts base class.
> D) Be included in the struts user supplied extensions.

This actually did get integrated, although not (solely) as a tag.

My thinking, after looking at the various approaches and use cases, was that it
is really up to an Action to decide when to impose tokens, and to check them.
Therefore, some additional methods got added to the Action base class to support
it:
    protected String generateToken(HttpServletRequest request);
    protected boolean isTokenValid(HttpServletRequest request);
    protected void resetToken(HttpServletRequest request);
    protected void saveToken(HttpServletRequest request);

These methods are used in the Struts example application to protect against
double posting the "Save" transaction -- see the code in EditRegistrationAction
that sets the token, and in SaveRegistrationAction that checks and then resets
it.  The <html:form> tag automatically creates a hidden variable for the token
if it has been set, so no changes in the JSP pages themselves are required.

Craig
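
The edit/save token flow described in the reply above, as an added example that is not part of the original message and not Struts source code: a plain-Java model in which a Map stands in for the HTTP session. The class name, the TOKEN_KEY value and the checkAndResetToken helper are hypothetical, and doing the check and the reset under one lock is this example's choice.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Stand-alone model of the token flow; not Struts source code.
public class TokenDemo {
    static final String TOKEN_KEY = "demo.TOKEN";   // hypothetical session attribute name
    static final SecureRandom RNG = new SecureRandom();

    // "Edit" step: create a fresh token and remember it in the session.
    static String saveToken(Map<String, String> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        session.put(TOKEN_KEY, hex.toString());
        return hex.toString();
    }

    // "Save" step: accept the submitted token only once. Checking and
    // resetting happen under one lock so two concurrent posts cannot both pass.
    static boolean checkAndResetToken(Map<String, String> session, String submitted) {
        synchronized (session) {
            String saved = session.get(TOKEN_KEY);
            if (saved == null || submitted == null || !saved.equals(submitted)) {
                return false;   // no token issued, none submitted, or a stale one
            }
            session.remove(TOKEN_KEY);
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();   // constructed stand-in for the session
        String hidden = saveToken(session);              // value the form carries as a hidden field
        System.out.println("first post accepted:  " + checkAndResetToken(session, hidden));
        System.out.println("double post accepted: " + checkAndResetToken(session, hidden));
        System.out.println("post without token:   " + checkAndResetToken(session, null));
        String next = saveToken(session);                // a new edit issues a new token
        System.out.println("stale token accepted: " + checkAndResetToken(session, hidden));
        System.out.println("fresh token accepted: " + checkAndResetToken(session, next));
    }
}
```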

