> This (IMHO) is the primary use of tokens, to make sure the user
> navigates your site as intended and does not use the back button, or a
> bookmark get out of sequence.

(IMHO) your humble opinion is absolutely right except it's the only use of
tokens.
Note that data entry forms don't always need them. If they are written so they
have no 'state' info in the session (all the data is on the form), you can let
the user use the back button.

--- "Pritchard, Sean" <[EMAIL PROTECTED]> wrote:
> IsTokenValid() is a tricky thing.  I recommend you look at the source code
> of this method (from Action) to better understand it.  I've included the
> relevant source below.  The tricky part is, the token needs to exist in two
> different places under two different keys for the call to return true.  As
> far as I know this is completely undocumented, so without examining the
> source, you'd never know it.  The Token must exist in the session with a key
> of Action.TRANSACTION_TOKEN_KEY, and in the request (as a *parameter* not an
> attribute) with the key of
> org.apache.struts.taglib.html.Constants.TOKEN_KEY.  
> 
> A call to saveToken() only puts the token in the session.  It gets put in
> the request as a hidden form field by the html form tag if the Token is
> found in the session.  Because it is not possible to add a request Parameter
> from inside an Action (AFAIK), the token is not immediately useful for
> controlling flow between actions during the same request.  It is useful for
> controlling flow between user requests and actions.
> 
> For example, you may have a page and corresponding action that allows a user
> to create a new account.  The action may look like this:
> 
> <snippet>
> if(isTokenValid(request)){
>       resetToken(request);
>       createAccount(request);
>       return mapping.findForward("success");
> }
> else{
>       saveToken(request);
>       return mapping.findForward("createNewAccount");
> }     
> </snippet>
> 
> If the token is not found in the request, the request will go through the
> else block, a token will be saved and the user directed to the appropriate
> page for inputting new account data.  Assuming a Struts html:form tag is
> used on that page, the token will be added appropriately to the request.
> When the form is submitted, the request goes through the if block and
> creates the account.  By resetting the token here, we ensure if the user
> clicks back and tries to resubmit the form, the account will not be
> re-created.  This (IMHO) is the primary use of tokens, to make sure the user
> navigates your site as intended and does not use the back button, or a
> bookmark get out of sequence.
> 
> Sean
> 
> //Code from Action class...
> 
> protected boolean isTokenValid(HttpServletRequest request) {
> 
>         // Retrieve the saved transaction token from our session
>         HttpSession session = request.getSession(false);
>         if (session == null)
>             return (false);
>         String saved = (String) session.getAttribute(TRANSACTION_TOKEN_KEY);
>         if (saved == null)
>             return (false);
> 
>         // Retrieve the transaction token included in this request
>         String token = (String) request.getParameter(Constants.TOKEN_KEY);
>         if (token == null)
>             return (false);
> 
>         // Do the values match?
>         return (saved.equals(token));
> 
>     }
> 
> -----Original Message-----
> From: Keith [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 14, 2002 6:07 AM
> To: Struts Users Mailing List
> Subject: Re: isTokenValid(request) is always returning false
> 
> 
> Wild guess here. Can you look at what's in your request parameters?
> Maybe - you call saveToken twice without calling isTokenValid between. So
> when you test isTokenValid there are 2 tokens in the request parms & struts
> checks against the 1st one? As I say a wild guess.
> 
> 
> --- Antony Stace <[EMAIL PROTECTED]> wrote:
> > saveToken() is in the action.equals("checkData") section of code,
> > isTokenValid() is in the action.equals("saveInDatabase") section of code.
> > The first time the user accesses this action they hit the checkData
> > section, which has the saveToken; they do not go into the saveInDatabase
> > section.  The screen which is produced does not have any form in it (is
> > this a problem?).  The user hits the save button and the same
> > action.perform method is called, only this time action=saveInDatabase
> > 
> > if (action.equals("saveInDatabase") && isTokenValid(request) )
> > {
> > 
> > }
> > 
> > section is hopefully run.  But it isn't, since isTokenValid(request) is
> > evaluating to false even though the previous time in this function I
> > called saveToken(request).
> > Why is the isTokenValid(request) evaluating to false even though I
> > previously called saveToken(request)?
> > Thoughts/ideas anyone?
> > 
> > Cheers
> > 
> > Tony
> > 
> > 
> > 
> > 
> > On Wed, 13 Feb 2002 06:26:55 -0800 (PST)
> > Keith <[EMAIL PROTECTED]> wrote:
> > 
> > > is your code in the right place? In the order you have it the token
> > > isn't in the request.
> > > 
> > > at bottom of your page
> > > saveToken(request);
> > > // - I think this writes a hidden field in your jsp.
> > > // which ends up in the request after form is submitted. 
> > > // send your page 
> > > 
> > > at top of page
> > > if ( isTokenValid(request)) {
> > >    tests the token in the request.
> > > 
> > > 
> > > --- Antony Stace <[EMAIL PROTECTED]> wrote:
> > > > Thanks for the reply Mark.
> > > > 
> > > > Well...that piece of code was just a test snippet.  I have a problem
> > > > in an Action - TestAction (with action = checkData),
> > > > in TestAction.perform() the code which handles action=checkData I have
> > > > 
> > > > 
> > > > if (action.equals("checkData"))
> > > > {
> > > >     saveToken(request);
> > > >     //populate beans...etc
> > > > }
> > > > 
> > > > this populates a number of beans and these are used to display
> > > > information in a jsp page.  This page is just a confirmation screen
> > > > for data which was entered in the previous screen.  When the user
> > > > hits the accept button on this page they go to TestAction (but with
> > > > action=saveInDatabase).  In TestAction.perform() for
> > > > action=saveInDatabase I have
> > > > 
> > > > if ( action.equals("saveInDatabase") && isTokenValid(request))
> > > > {
> > > >   //save in database
> > > >     resetToken(request);   
> > > > }
> > > > 
> > > > but the trouble is I always have isTokenValid(request) evaluating to
> > > > false, so this part is always skipped, so the data is not saved in
> > > > the database :(.
> > > > 
> > > > Cheers
> > > > 
> > > > Tony
> > > > 
> > > > On Wed, 13 Feb 2002 08:04:07 -0500
> > > > "Galbreath, Mark" <[EMAIL PROTECTED]> wrote:
> > > > 
> > > > > A false parameter? :-)
> > > > > 
> > > > > Well, for starters, what are you passing into isTokenValid() and
> > > > > what is the method testing for?
> > > > 
> > > > I am passing into isTokenValid() "request" which is one of the
> > > > Action.perform() parameters.
> > > > 
> > > > > 
> > > > > Cheers!
> > > > > Mark
> > > > > 
> > > > > Try before you cry:
> > > > > http://www.mail-archive.com/struts-user%40jakarta.apache.org/
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Antony Stace [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Wednesday, February 13, 2002 2:37 AM
> > > > > 
> > > > > What would cause
> > > > > 
> > > > > saveToken(request);
> > > > > if ( isTokenValid(request)) {
> > > > >     System.out.println("isTokenValid(request) true");
> > > > > }
> > > > > else {
> > > > >     System.out.println("isTokenValid(request) false");
> > > > > }
> > > > > 
> > > > > To always print "isTokenValid(request) false".  I am always getting
> > > > > the value of isTokenValid(request) being equal to false.
> > > > > 
> > > 
> > > 
> > 
> > 
> 
> 


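Sean's "two places, two keys" rule and Antony's same-request mistake, modelled as an added Python example that is not Struts code and not from anyone on the thread. The constant names come from the thread; their string values, the dict-based session and request, and the `secrets.compare_digest` comparison (Struts uses `equals`) are assumptions.

```python
import secrets

# Session attribute key and request *parameter* key named in the thread; string values assumed.
TRANSACTION_TOKEN_KEY = "org.apache.struts.action.TOKEN"
TOKEN_KEY = "org.apache.struts.taglib.html.TOKEN"


def save_token(session):
    """Like Action.saveToken(): put a fresh token in the session only, never in the request."""
    session[TRANSACTION_TOKEN_KEY] = secrets.token_hex(16)


def is_token_valid(session, params):
    """Like Action.isTokenValid(): session copy AND request parameter must both exist and match."""
    saved = session.get(TRANSACTION_TOKEN_KEY)
    token = params.get(TOKEN_KEY)
    # Constant-time compare is an assumption here; the quoted Struts source uses String.equals().
    return saved is not None and token is not None and secrets.compare_digest(saved, token)


def reset_token(session):
    """Like Action.resetToken(): drop the session copy so a replayed hidden field no longer matches."""
    session.pop(TRANSACTION_TOKEN_KEY, None)


def render_form(session):
    """What <html:form> does: copy the session token into a hidden field (modelled as a dict)."""
    return {TOKEN_KEY: session[TRANSACTION_TOKEN_KEY]} if TRANSACTION_TOKEN_KEY in session else {}


def create_account_action(session, params, accounts):
    """Sean's create-account action: no token -> show form; valid token -> create exactly once."""
    if is_token_valid(session, params):
        reset_token(session)
        accounts.append("new-account")
        return "success"
    save_token(session)
    return "createNewAccount"


def walk_through():
    """Three user requests against one session, then Antony's single-request pattern."""
    session, accounts = {}, []
    first = create_account_action(session, {}, accounts)      # no parameter yet: else branch
    form = render_form(session)                                # hidden field sent to the browser
    second = create_account_action(session, dict(form), accounts)  # submit: account created
    third = create_account_action(session, dict(form), accounts)   # back + resubmit: rejected
    s = {}
    save_token(s)                                              # saveToken() then isTokenValid()
    same_request = is_token_valid(s, {})                       # in one request: parameter absent
    return first, second, third, len(accounts), same_request
```

The third request fails because `reset_token` removed the session copy, and the same-request check fails because `save_token` never adds a request parameter, which is exactly why Antony's test snippet always printed false.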