Hi all thanks for your answers. I was indeed talking about ActionForm (sorry we use to call that a bean here :-)).

What I understand from our discussion is:

- That I can use JavaScript to avoid duplicate submit: works well when deployed in a trusted environment like an intranet. (But no server side protection...)
- There is no way to avoid an ActionForm with session scope being populated with data coming from an invalid request (with a bad token).
- To solve that I can subclass the request processor.
- Maybe I can use a web filter ... but I don't think I will have access to all Struts resources.

I think the best way to handle the problem on the server is to have a Handler (something that can work as the Exception Handler works in Struts 1.1) called by the Struts framework prior to populating the bean. This handler can do any checks, like checking if the user is logged in or checking if a valid token is present in the request :-).

Anyway, thanks for your help!

/David

> > > It's up to your Action to call the token methods to validate the
> > > token and forward the user to an appropriate page.
> >
> > I know, maybe I wasn't clear enough .. sorry :-)
> > What I'm saying is that if you use a session bean, the content is
> > modified even though the token is invalid.. I think this should not
> > happen.
>
> By session bean, do you mean EJB or an ActionForm stored in the session?
> I haven't tried this but maybe you could put the token check in the
> form's validate method but that also happens after the form bean is
> populated.
>
> The token is currently viewed as a piece of form data for the Action to
> handle and not the framework. Allowing actions to check the token gives
> people the flexibility of deciding what to do with the user in various
> situations.
>
> David
>
> > I'm working on an intranet application and I'm using session beans
> > (maybe I shouldn't). Right now if the user does a double click, the
> > first request passes and the second request populates the bean while
> > the first request is being processed ... This is a little race :-).
> >
> > I don't think Struts offers an easy way to avoid this... maybe I'm
> > wrong ...
> >
> > Thanks
> > /David
> >
> > > David
> >
> > --- David Gagnon <[EMAIL PROTECTED]> wrote:
> > > Hi all,
> > >
> > > If you have a session bean and you are using the token framework to
> > > protect yourself against multiple submit...
> > >
> > > Let's say a request with a bad token is posted to the server. The
> > > bean will be populated, right ... even if the token is not valid.
> > > Does Struts offer support to check if a request contains a valid
> > > token prior to populating the bean? From what I know, the soonest
> > > you can play with the token in Struts is in the reset method of the
> > > bean (it may not be the best place to play with the token anyway...).
> > >
> > > Should a request with a bad or no token be redirected by the
> > > framework to a handler, like it's done with the Exception in Struts?
> > > I think there should be a way to avoid changing the server state on
> > > a bad request ...
> > >
> > > My guess is that you already know about all that :-) ... or that
> > > there is something to prevent this that I'm not aware of.
> > >
> > > Thanks for your help
> > >
> > > /Dave
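
The "subclass the request processor" option discussed in this thread, sketched as an added example that is not code from any participant or from the Struts project. It assumes Struts 1.1, that every POST to a session-scoped ActionForm is token-protected, and that the token arrives as an ordinary (non-multipart) request parameter; the class name, the TOKEN_OK attribute and the lock are hypothetical.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.Globals;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;
import org.apache.struts.taglib.html.Constants;

// Added example: checks the transaction token before the framework calls
// reset() and populates the session-scoped form, so a bad request cannot alter it.
public class TokenGuardRequestProcessor extends RequestProcessor {
    // Hypothetical request attribute telling the Action how the check went.
    public static final String TOKEN_OK = "example.TOKEN_OK";
    private static final Object LOCK = new Object(); // coarse JVM-wide lock

    protected void processPopulate(HttpServletRequest request, HttpServletResponse response,
            ActionForm form, ActionMapping mapping) throws ServletException {
        // Assumption: only POSTs to session-scoped forms are guarded.
        boolean guarded = form != null
                && "session".equals(mapping.getScope())
                && "POST".equalsIgnoreCase(request.getMethod());
        if (guarded) {
            boolean ok = consumeToken(request);
            request.setAttribute(TOKEN_OK, Boolean.valueOf(ok));
            if (!ok) {
                return; // skip reset() and population; the form keeps its state
            }
        }
        super.processPopulate(request, response, form, mapping);
    }

    // Compare and remove in one critical section so that the second request
    // of a double click finds no saved token, even while the first is running.
    private boolean consumeToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        // Multipart bodies are not parsed at this point, so the token is not visible for them.
        String submitted = request.getParameter(Constants.TOKEN_KEY);
        if (session == null || submitted == null) {
            return false;
        }
        synchronized (LOCK) {
            String saved = (String) session.getAttribute(Globals.TRANSACTION_TOKEN_KEY);
            if (!submitted.equals(saved)) {
                return false;
            }
            session.removeAttribute(Globals.TRANSACTION_TOKEN_KEY);
            return true;
        }
    }
}
```

The class is registered through the `processorClass` attribute of the `<controller>` element in struts-config.xml. Because the token is consumed here, the Action reads the TOKEN_OK request attribute to decide where to forward the user instead of calling isTokenValid(request) again.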