Cool, thanks !!!

I agree on the implementation, that the natural place to put
it was to have the form tag create a hidden variable, and that
not every action needs a token.
I am also glad that the tags are no longer final.

"Craig R. McClanahan" wrote:

> This actually did get integrated, although not (solely) as a tag.
>
> My thinking, after looking at the various approaches and use cases, was that it
> is really up to an Action to decide when to impose tokens, and to check them.
> Therefore, some additional methods got added to the Action base class to support
> it:
>     protected String generateToken(HttpServletRequest request);
>     protected boolean isTokenValid(HttpServletRequest request);
>     protected void resetToken(HttpServletRequest request);
>     protected void saveToken(HttpServletRequest request);
>
> These methods are used in the Struts example application to protect against
> double posting the "Save" transaction -- see the code in EditRegistrationAction
> that sets the token, and in SaveRegistrationAction that checks and then resets
> it.  The <html:form> tag automatically creates a hidden variable for the token
> if it has been set, so no changes in the JSP pages themselves are required.
>
> Craig
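
The edit/save token flow described in the quoted message, as an added example that is not part of the original thread and is not Struts source code. It assumes a plain `Map` standing in for the HTTP session; the method names mirror the ones listed above but take that map instead of a request, and `TOKEN_KEY` and `handleSave` are hypothetical names.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Stand-alone model of the transaction-token flow; not the Struts implementation.
public class TokenDemo {
    // Hypothetical session attribute name, chosen for this example.
    static final String TOKEN_KEY = "demo.transaction.token";
    static final SecureRandom RNG = new SecureRandom();

    // "Edit" step: create an unpredictable token and store it in the session.
    static String saveToken(Map<String, Object> session) {
        String token = new BigInteger(128, RNG).toString(16);
        session.put(TOKEN_KEY, token);
        return token; // the form carries this value in a hidden field
    }

    // The submitted value must be present and equal to the stored one.
    static boolean isTokenValid(Map<String, Object> session, String submitted) {
        Object saved = session.get(TOKEN_KEY);
        return saved != null && saved.equals(submitted);
    }

    static void resetToken(Map<String, Object> session) {
        session.remove(TOKEN_KEY);
    }

    // "Save" step: check, then reset, so re-posting the same form is refused.
    // The lock keeps two concurrent posts from both passing the check.
    static String handleSave(Map<String, Object> session, String submitted) {
        synchronized (session) {
            if (!isTokenValid(session, submitted)) {
                return "rejected: missing or stale token";
            }
            resetToken(session);
        }
        return "saved";
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String hidden = saveToken(session);               // edit page rendered
        System.out.println(handleSave(session, hidden));  // first post
        System.out.println(handleSave(session, hidden));  // double post of same form
        System.out.println(handleSave(session, null));    // post with no token at all
    }
}
```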
