There are at least a couple of issues that I can pull out of your problem
description -- here's my thoughts on them.

REUSE OF FORM BEANS

You only have to worry about reuse of the same physical form bean on
multiple requests if you are using session scope to save them in.  If you
are using request scope (recommended for performance anyway, because it
reduces the memory load on the server), a new bean gets created, populated,
and validated for each request.  That still leaves the problem of
detecting when the user submits the "same" form twice ...

DETECTING MULTIPLE SUBMITS

This is a general issue for all web applications, not specific to Struts.
However, Struts provides a solution based on the concept of a "transaction
token" that can be used to easily detect when the user tries something
like this.  It works as follows:

* In your Action that sets up the input form, call the method:

    saveToken(request)

  somewhere along the way, before forwarding to the actual page.
  This records a serial number in the user's session.

* When the <html:form> tag actually renders the form, it sees the
  serial number and generates a hidden field to include its value
  along with the rest of your fields.

* In the Action that receives the form (after validation), you can
  call the method:

    isTokenValid(request, true);

  to check the token included in the request (if any), and clear the
  value saved in the session (which is normally what you want to do).
  This method will return false if there is no token at all in the
  form, or if the token doesn't match the saved value.  The fact that
  you are resetting the saved value means that it will also return
  false if the user submits a form, presses stop, and submits it again.

I believe that your session synchronization approach isn't necessary to
deal with the particular problem you've described (although it might be
useful for other application-specific reasons).  I hesitate to add
something like this to the framework itself, though -- managing
simultaneous requests to the same session has such a wide range of
possible impacts that I don't think a single simple solution is going to
cover all of the use cases.  And using request scope for form beans covers
quite a large subset of the possible impacts all by itself (at the cost,
of course, of having to include hidden variables on your forms for
multi-page form beans).

Craig
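
The two Actions described above, as an added example that is not Craig's
or the Struts project's own code. It assumes Struts 1.0-style Actions
(perform), forward names "form", "success" and "duplicate" defined in
struts-config.xml, a request-scoped form bean, and a hypothetical
TransferForm / TransferService pair standing in for the application's own
form bean and database write; the classes are shown in one listing, in a
project each would be a public class in its own file.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Sets up the input form: saves a fresh token, then forwards to the page. */
class PrepareTransferAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        // Records a serial number in the user's session; <html:form> will
        // render it as a hidden field alongside the other form fields.
        saveToken(request);
        return mapping.findForward("form");   // assumed forward name
    }
}

/** Receives the form after Struts has populated and validated the bean. */
class SubmitTransferAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        // Check the token and clear it (reset = true) BEFORE touching the
        // database. A request with no token, a stale token, or a second
        // submit of the same form (including stop-and-resubmit) gets false
        // here and is never written.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("duplicate");   // assumed forward name
        }
        // Hypothetical placeholders for the application's own form bean and
        // database write; the bean is request-scoped, so this thread's copy
        // cannot be overwritten by a concurrent submit.
        TransferForm transfer = (TransferForm) form;
        TransferService.execute(transfer);
        return mapping.findForward("success");   // assumed forward name
    }
}
```

A fresh saveToken(request) is needed before the form is rendered again
(for example on the "duplicate" path), otherwise the next legitimate submit
is also rejected.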



On Mon, 1 Jul 2002, Marcel Kruzel wrote:

> Date: Mon, 01 Jul 2002 08:46:11 +0200
> From: Marcel Kruzel <[EMAIL PROTECTED]>
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Security issues with Struts
>
> Hello Struts developers,
>
> We are now developing an internet banking
> application with Struts of course.
> Of course, we are highly concerned
> in possible security holes in the framework
> (or in the application using the framework).
> I believe, there is one, that, when properly
> used, can cause some troubles for developers!
>
> Here it is:
>
> Imagine a scenario, where user submits a form,
> the Struts automatically populate the
> form bean and then
> the validation of the parameters takes place.
> After that, if OK, the perform method is called.
> Here, I already know, that the
> params were ok, so I write the
> transaction to database. The problem here
> is the perform method. When precisely at the
> moment of perform method call user decides
> to submit the form once again (with
> different values of course), the form bean
> is again populated, and possibly wrong
> (not validated) data might be written to database
> (by the first thread, that is not aware
> of the second submit).
> I am afraid, there is not a possibility to
> synchronize access to the form,
> since the population of form bean is automatic.
>
> I know, that the solution to the problem here is
> in the perform method
> to make copy of the parameters and then validate
> them again. Or, I can
> make validation only in the perform method,
> but first I have to remove the
> form bean from session, then validate
> and then write to database, and then possibly
> return that form bean to the session.
>
> Sorry for so long description,
> but I tried to make myself as clear as possible.
>
> My preferred solution to the problem would be:
> In the struts-config.xml put an attribute
> to action, describing, that handling
> such an action requires session synchronization.
> Thus everything, starting from form population
> and ending with "return mapping.findForward(...)"
> would be synchronized on a session object.
> (I do this synchronization on a session
> anyway - in each perform method).
>
> So, what do You think?
>
> Thanx to all contributors
> for such a great framework,
> and enjoy the summer.
>
> Marcel Kruzel
> Czech Republic
>
