IsTokenValid() is a tricky thing.  I recommend you look at the source code
of this method (from Action) to better understand it.  I've included the
relevant source below.  The tricky part is, the token needs to exist in two
different places under two different keys for the call to return true.  As
far as I know this is completely undocumented, so without examining the
source, you'd never know it.  The Token must exist in the session with a key
of Action.TRANSACTION_TOKEN_KEY, and in the request (as a *parameter* not an
attribute) with the key of
org.apache.struts.taglib.html.Constants.TOKEN_KEY.  

A call to saveToken() only puts the token in the session.  It gets put in
the request as a hidden form field by the html form tag if the Token is
found in the session.  Because it is not possible to add a request Parameter
from inside an Action (AFAIK), the token is not immediately useful for
controlling flow between actions during the same request.  It is useful for
controlling flow between user requests and actions.

For example, you may have a page and corresponding action that allows a user
to create a new account.  The action may look like this:

<snippet>
// Inside the Action (Struts 1.0 perform() signature); createAccount() is the
// application's own method
public ActionForward perform(ActionMapping mapping, ActionForm form,
                             HttpServletRequest request,
                             HttpServletResponse response) {
    if (isTokenValid(request)) {
        // Session token matches the hidden-field parameter: this is the form submit
        resetToken(request);      // consume the token so a resubmit will not match
        createAccount(request);
        return mapping.findForward("success");
    }
    else {
        // No matching token: first visit (or a replay) - save a token, show the form
        saveToken(request);
        return mapping.findForward("createNewAccount");
    }
}
</snippet>

If the token is not found in the request, the request will go through the
else block, a token will be saved and the user directed to the appropriate
page for inputting new account data.  Assuming a Struts html:form tag is
used on that page, the token will be added appropriately to the request.
When the form is submitted, the request goes through the if block and
creates the account.  By resetting the token here, we ensure if the user
clicks back and tries to resubmit the form, the account will not be
re-created.  This (IMHO) is the primary use of tokens: to make sure the user
navigates your site as intended and does not use the back button or a
bookmark to get out of sequence.

Sean

//Code from Action class...

protected boolean isTokenValid(HttpServletRequest request) {

    // Retrieve the saved transaction token from our session
    HttpSession session = request.getSession(false);
    if (session == null)
        return (false);
    String saved = (String) session.getAttribute(TRANSACTION_TOKEN_KEY);
    if (saved == null)
        return (false);

    // Retrieve the transaction token included in this request
    String token = (String) request.getParameter(Constants.TOKEN_KEY);
    if (token == null)
        return (false);

    // Do the values match?
    return (saved.equals(token));

}
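To make the two-places rule concrete, here is an added, stand-alone model of the token mechanism described above. It is not Struts code and not from this thread: the Session and Request classes are stand-ins for HttpSession and HttpServletRequest, and only the two key names (TRANSACTION_TOKEN_KEY and TOKEN_KEY) are taken from the Struts source. It reproduces the three situations in the thread: saveToken() and isTokenValid() in the same request, a page with no html:form (so no hidden field comes back), and the intended two-request create/submit/back-button flow. The comparison uses a constant-time compare rather than equals(), a small hardening over the original.

```python
"""Model of the Struts 1.x transaction-token check (added example, not Struts code).
Session/Request are stand-ins for HttpSession/HttpServletRequest; only the two
key names come from the Struts source."""
import hmac
import re
import secrets

TRANSACTION_TOKEN_KEY = "org.apache.struts.action.TOKEN"   # session attribute name
TOKEN_KEY = "org.apache.struts.taglib.html.TOKEN"           # request *parameter* name


class Session(dict):
    """Stand-in for HttpSession: attribute name -> value."""


class Request:
    """Stand-in for HttpServletRequest: the session plus the request parameters
    (parameters, not attributes, are what the check reads)."""

    def __init__(self, session=None, parameters=None):
        self.session = session
        self.parameters = dict(parameters or {})

    def get_session(self, create=False):
        if self.session is None and create:
            self.session = Session()
        return self.session

    def get_parameter(self, name):
        return self.parameters.get(name)


def save_token(request):
    """Action.saveToken(): puts a fresh token in the session only."""
    request.get_session(create=True)[TRANSACTION_TOKEN_KEY] = secrets.token_hex(16)


def reset_token(request):
    """Action.resetToken(): drop the session copy so a resubmit cannot match."""
    session = request.get_session()
    if session is not None:
        session.pop(TRANSACTION_TOKEN_KEY, None)


def is_token_valid(request):
    """Mirror of the Action.isTokenValid() source quoted above."""
    session = request.get_session()
    if session is None:
        return False
    saved = session.get(TRANSACTION_TOKEN_KEY)
    if saved is None:
        return False
    token = request.get_parameter(TOKEN_KEY)
    if token is None:
        return False
    # constant-time comparison instead of String.equals()
    return hmac.compare_digest(saved.encode(), token.encode())


def render_form(request):
    """What the html:form tag does: emit the hidden field only if a token is in session."""
    session = request.get_session()
    token = session.get(TRANSACTION_TOKEN_KEY) if session is not None else None
    hidden = f'<input type="hidden" name="{TOKEN_KEY}" value="{token}">' if token else ""
    return f'<form>{hidden}<input type="submit"></form>'


def submit(session, html):
    """Browser side: a submit carries the form's hidden fields back as parameters."""
    params = dict(re.findall(r'name="([^"]+)" value="([^"]+)"', html))
    return Request(session=session, parameters=params)


def same_request_check():
    """saveToken() then isTokenValid() in one request: nothing has put the token
    into the request parameters yet, so the check fails."""
    req = Request(session=Session())
    save_token(req)
    return is_token_valid(req)


def no_form_on_page():
    """Confirmation page without an html:form: the next request has no hidden field."""
    session = Session()
    save_token(Request(session=session))
    follow_up = Request(session=session, parameters={"action": "saveInDatabase"})
    return is_token_valid(follow_up)


def create_account_flow():
    """Two-request flow; returns (first_submit_valid, back_button_resubmit_valid)."""
    session = Session()
    first = Request(session=session)
    save_token(first)                # else-branch: save token, show the form
    page = render_form(first)
    submit1 = submit(session, page)  # user submits the form
    ok = is_token_valid(submit1)
    if ok:
        reset_token(submit1)         # if-branch: consume token, create the account
    submit2 = submit(session, page)  # user hits Back and resubmits the same page
    return ok, is_token_valid(submit2)
```

Run the three scenario functions to see the behaviour: only create_account_flow() ever gets a True, and only on the first submit.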

-----Original Message-----
From: Keith [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 6:07 AM
To: Struts Users Mailing List
Subject: Re: isTokenValid(request) is always returning false


Wild guess here. Can you look at what's in your request parameters?
Maybe - you call saveToken twice without calling isTokenValid between. So
when you test isTokenValid there are 2 tokens in the request parms & struts
checks against the 1st one? As I say a wild guess.


--- Antony Stace <[EMAIL PROTECTED]> wrote:
> saveToken() is in the action.equals("checkData") section of code,
> isTokenValid() is in the action.equals("saveInDatabase") section of code.
> The first time the user accesses this action they hit the checkData
> section, which has the saveToken; they do not go into the saveInDatabase
> section.  The screen which is produced does not have any form in it (is
> this a problem?).  The user hits the save button and the same
> action.perform method is called, only this time action=saveInDatabase
> 
> if (action.equals("saveInDatabase") && isTokenValid(request) )
> {
> 
> }
> 
> section is hopefully run.  But it isn't, since isTokenValid(request) is
> evaluating to false even though the previous time in this function I
> called saveToken(request).
> Why is isTokenValid(request) evaluating to false even though I
> previously called saveToken(request)?
> Thoughts/ideas anyone?
> 
> Cheers
> 
> Tony
> 
> 
> 
> 
> On Wed, 13 Feb 2002 06:26:55 -0800 (PST)
> Keith <[EMAIL PROTECTED]> wrote:
> 
> > is your code in the right place? In the order you have it the token
> > isn't in the request.
> > 
> > at bottom of your page
> > saveToken(request);
> > // - I think this writes a hidden field in your jsp.
> > // which ends up in the request after form is submitted. 
> > // send your page 
> > 
> > at top of page
> > if ( isTokenValid(request)) {
> >    tests the token in the request.
> > 
> > 
> > --- Antony Stace <[EMAIL PROTECTED]> wrote:
> > > Thanks for the reply Mark.
> > > 
> > > Well...that piece of code was just a test snippet.  I have a problem
> > > in an Action - TestAction (with action = checkData); in
> > > TestAction.perform() the code which handles action=checkData I have
> > > 
> > > 
> > > if (action.equals("checkData"))
> > > {
> > >     saveToken(request);
> > >     //populate beans...etc
> > > }
> > > 
> > > this populates a number of beans and these are used to display
> > > information in a jsp page.  This page is just a confirmation screen
> > > for data which was entered in the previous screen.  When the user
> > > hits the accept button on this page they go to TestAction (but with
> > > action=saveInDatabase).  In TestAction.perform() for
> > > action=saveInDatabase I have
> > > 
> > > if ( action.equals("saveInDatabase") && isTokenValid(request))
> > > {
> > >   //save in database
> > >     resetToken(request);   
> > > }
> > > 
> > > but the trouble is I always have isTokenValid(request) evaluating to
> > > false, so this part is always skipped, so the data is not saved in the
> > > database :(.
> > > 
> > > Cheers
> > > 
> > > Tony
> > > 
> > > On Wed, 13 Feb 2002 08:04:07 -0500
> > > "Galbreath, Mark" <[EMAIL PROTECTED]> wrote:
> > > 
> > > > A false parameter? :-)
> > > > 
> > > > Well, for starters, what are you passing into isTokenValid() and
> > > > what is the method testing for?
> > > 
> > > I am passing into isTokenValid() "request" which is one of the
> > > Action.perform() parameters.
> > > 
> > > > 
> > > > Cheers!
> > > > Mark
> > > > 
> > > > Try before you cry:
> > > > http://www.mail-archive.com/struts-user%40jakarta.apache.org/
> > > > 
> > > > -----Original Message-----
> > > > From: Antony Stace [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, February 13, 2002 2:37 AM
> > > > 
> > > > What would cause
> > > > 
> > > > saveToken(request);
> > > > if ( isTokenValid(request)) {
> > > >     System.out.println("isTokenValid(request) true");
> > > > }
> > > > else {
> > > >     System.out.println("isTokenValid(request) false");
> > > > }
> > > > 
> > > > To always print "isTokenValid(request) false".  I am always getting
> > > > the value of isTokenValid(request) being equal to false.
> > > > 
> > > > --
> > > > To unsubscribe, e-mail:  
> > > <mailto:[EMAIL PROTECTED]>
> > > > For additional commands, e-mail:
> > > <mailto:[EMAIL PROTECTED]>
> > > 
> > > 
> > > -- 
> > > 
> > > Cheers
> > > 
> > > Tony
> > > 
> > > _________________________________________________________
> > > Do You Yahoo!?
> > > Get your free @yahoo.com address at http://mail.yahoo.com
> > > 
> > 
> > 
> 
> 
> -- 
> 
> Cheers
> 
> Tony
> 

