Posted to user@struts.apache.org by Duncan Harris <du...@sapio.co.uk> on 2002/02/14 15:20:00 UTC

Transaction Token check required before form populate

I need my transaction token checking before my form is
populated.

Problem here is that I have indexed properties and the valid index range
may be different at different times. When all is well, the form bean and
the HTML form correspond, but if the user goes back and re-submits then
they may not and I can get out of range exceptions.

I thought I could use the transaction token to guard against this, but
of course it needs doing before the action perform() method is called.

I already have a servlet derived from ActionServlet so I thought I could
do it here, but of course the token checking functions are not available
from here because they are protected.

So it seems I have to copy the token checking code.

Is there a clean way to solve this?

Or maybe STRUTS needs fixing? Should the token checking functions be 
static and public?

Duncan Harris
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Transaction Token check required before form populate

Posted by Ted Husted <hu...@apache.org>.
The autopopulation takes place before the ActionForm gets control, so
that's really not an option. 

The request is passed to validate, and so you could put a token checker
there. 

That does make a certain amount of sense, since it is after all a kind
of validation error. 

But, returning people to input is usually not a solution, since you
usually have to take them someplace where they can recover from the
double-submit faux pas, and move ahead. So the Action has to step in
and reroute the request.

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Java Web Development with Struts.
-- Tel +1 585 737-3463.
-- Web http://www.husted.com/struts/


Duncan Harris wrote:
> 
> husted@apache.org (Ted Husted) wrote:
> 
> > The usual workflow is to visit an Action before displaying the page.
> > This gives you the opportunity to do any number of things, including
> > setting up the tokens.
> 
> There is no problem setting up the token for a response.
> The problem is that as the request comes in I want to validate the token
> *before* Struts attempts to populate the form bean.
> 

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
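One way to do the check Ted describes in validate(), as an added example written for this thread rather than code from the thread or from Struts; it assumes a session-scoped form bean, the Struts 1.0 API (Action.TRANSACTION_TOKEN_KEY for the session attribute, Constants.TOKEN_KEY for the request parameter), an action mapping with validate="true" and an input page, and a message key errors.token.invalid in ApplicationResources. Because autopopulation still runs before validate(), the indexed setter below also tolerates an out-of-range index instead of throwing, which is the exception Duncan hits on a stale re-submit.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionError;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.taglib.html.Constants;

// Hypothetical session-scoped form bean with one indexed property, quantity[i].
// Autopopulation runs before validate(), so the indexed setter records an
// out-of-range index from a stale re-submit instead of throwing.
public class LineItemForm extends ActionForm {
    private String[] quantity = new String[0];
    private boolean staleIndex = false;

    // Called by the Action that renders the page, which knows the row count.
    public void setRowCount(int rows) {
        quantity = new String[rows];
        staleIndex = false;
    }
    public String getQuantity(int index) {
        return index < quantity.length ? quantity[index] : null;
    }

    public void setQuantity(int index, String value) {
        if (index < 0 || index >= quantity.length) {
            staleIndex = true;      // remember the mismatch for validate()
        } else {
            quantity[index] = value;
        }
    }

    // Runs after population, before perform(); the mapping needs validate="true"
    // and an input page, which is where a failed check is routed.
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (!tokenMatches(request) || staleIndex) {
            // "errors.token.invalid" is an assumed key in ApplicationResources
            errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("errors.token.invalid"));
        }
        return errors;
    }

    // Same comparison Action.isTokenValid() makes (protected there, so repeated).
    private boolean tokenMatches(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String saved = session == null ? null : (String) session.getAttribute(Action.TRANSACTION_TOKEN_KEY);
        return saved != null && saved.equals(request.getParameter(Constants.TOKEN_KEY));
    }
}
```

The Action still owns the recovery step Ted describes: on a successful submit it calls resetToken(request) so the same token cannot be accepted twice, and on a failed check Struts has already forwarded to the mapping's input page, from which the user needs a way onward.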


Re: Transaction Token check required before form populate

Posted by Duncan Harris <du...@sapio.co.uk>.
husted@apache.org (Ted Husted) wrote:

> The usual workflow is to visit an Action before displaying the page.
> This gives you the opportunity to do any number of things, including
> setting up the tokens.

There is no problem setting up the token for a response.
The problem is that as the request comes in I want to validate the token
*before* Struts attempts to populate the form bean.


Duncan Harris
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.



Re: Transaction Token check required before form populate

Posted by Ted Husted <hu...@apache.org>.
The usual workflow is to visit an Action before displaying the page.
This gives you the opportunity to do any number of things, including
setting up the tokens.

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Java Web Development with Struts.
-- Tel +1 585 737-3463.
-- Web http://www.husted.com/struts/


Duncan Harris wrote:
> 
> I need my transaction token checking before my form is
> populated.
> 
> Problem here is that I have indexed properties and the valid index range
> may be different at different times. When all is well, the form bean and
> the HTML form correspond, but if the user goes back and re-submits then
> they may not and I can get out of range exceptions.
> 
> I thought I could use the transaction token to guard against this, but
> of course it needs doing before the action perform() method is called.
> 
> I already have a servlet derived from ActionServlet so I thought I could
> do it here, but of course the token checking functions are not available
> from here because they are protected.
> 
> So it seems I have to copy the token checking code.
> 
> Is there a clean way to solve this?
> 
> Or maybe STRUTS needs fixing? Should the token checking functions be
> static and public?
> 



Re: Transaction Token check required before form populate

Posted by Duncan Harris <du...@sapio.co.uk>.
husted@apache.org (Ted Husted) wrote:

> If someone submitted a patch to bugzilla that allowed the generation of
> the token to be switched off on a form by form basis, I'm sure it would
> be considered. 

If I did this, it seems like a good default might be to remove the
transaction token for GET forms. Although this is not backwards
compatible, it probably wouldn't break much at all.


Duncan Harris
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.



Re: Transaction Token check required before form populate

Posted by Ted Husted <hu...@apache.org>.
One solution would be to write the GET form yourself, using bean:write to
populate the HTML controls.

If someone submitted a patch to bugzilla that allowed the generation of
the token to be switched off on a form by form basis, I'm sure it would
be considered. 

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Java Web Development with Struts.
-- Tel +1 585 737-3463.
-- Web http://www.husted.com/struts/



Duncan Harris wrote:
> 
> The other thing that seems to be an annoyance is that the
> org.apache.struts.taglib.html.TOKEN parameter gets added for
> all forms on the page if it is set. I don't want this to happen.
> There appears to be no way to easily avoid this without overriding
> and replicating the whole of the FormTag.doStartTag() method.
> 
> An example of when I don't want this: I have a main form which is POSTed,
> but an auxiliary navigational form (e.g. drop-down list and Go button)
> which is a GET with a clean URL. However, the URL is no longer very clean.
> 
> 
> duncan@sapio.co.uk (Duncan Harris) wrote:
> 
> > I need my transaction token checking before my form is
> > populated.
> >
> > Problem here is that I have indexed properties and the valid index range
> > may be different at different times. When all is well, the form bean and
> > the HTML form correspond, but if the user goes back and re-submits then
> > they may not and I can get out of range exceptions.
> >
> > I thought I could use the transaction token to guard against this, but
> > of course it needs doing before the action perform() method is called.
> >
> > I already have a servlet derived from ActionServlet so I thought I could
> > do it here, but of course the token checking functions are not available
> > from here because they are protected.
> >
> > So it seems I have to copy the token checking code.
> >
> > Is there a clean way to solve this?
> >
> > Or maybe STRUTS needs fixing? Should the token checking functions be
> > static and public?
> 



Re: Transaction Token check required before form populate

Posted by Duncan Harris <du...@sapio.co.uk>.
keithbaconstruts@yahoo.com (Keith) wrote:

> Isn't it easy enough to test which form you came from to decide whether to call
> isTokenValid()?

Not a problem in this respect. The problem is the URL for a GET (see below).


> > However the URL is no longer very clean.

> I don't get what you mean.

It contains something like:

org.apache.struts.taglib.html.TOKEN=32ea43086bf2732216d4eb96bf22d44

which prevents possible caching of the GET request for example.


Duncan Harris
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.



Re: Transaction Token check required before form populate

Posted by Keith <ke...@yahoo.com>.
Hi Duncan,
Isn't it easy enough to test which form you came from to decide whether to call
isTokenValid()?
> However the URL is no longer very clean.
I don't get what you mean.
Keith.


--- Duncan Harris <du...@sapio.co.uk> wrote:
> 
> The other thing that seems to be an annoyance is that the
> org.apache.struts.taglib.html.TOKEN parameter gets added for
> all forms on the page if it is set. I don't want this to happen.
> There appears to be no way to easily avoid this without overriding
> and replicating the whole of the FormTag.doStartTag() method.
> 
> An example of when I don't want this: I have a main form which is POSTed,
> but an auxiliary navigational form (e.g. drop-down list and Go button)
> which is a GET with a clean URL. However, the URL is no longer very clean.
> 
> 
> 
> duncan@sapio.co.uk (Duncan Harris) wrote:
> 
> > I need my transaction token checking before my form is
> > populated.
> > 
> > Problem here is that I have indexed properties and the valid index range
> > may be different at different times. When all is well, the form bean and
> > the HTML form correspond, but if the user goes back and re-submits then
> > they may not and I can get out of range exceptions.
> > 
> > I thought I could use the transaction token to guard against this, but
> > of course it needs doing before the action perform() method is called.
> > 
> > I already have a servlet derived from ActionServlet so I thought I could
> > do it here, but of course the token checking functions are not available
> > from here because they are protected.
> > 
> > So it seems I have to copy the token checking code.
> > 
> > Is there a clean way to solve this?
> > 
> > Or maybe STRUTS needs fixing? Should the token checking functions be 
> > static and public?
> 





Re: Transaction Token check required before form populate

Posted by Duncan Harris <du...@sapio.co.uk>.
The other thing that seems to be an annoyance is that the
org.apache.struts.taglib.html.TOKEN parameter gets added for
all forms on the page if it is set. I don't want this to happen.
There appears to be no way to easily avoid this without overriding
and replicating the whole of the FormTag.doStartTag() method.

An example of when I don't want this: I have a main form which is POSTed,
but an auxiliary navigational form (e.g. drop-down list and Go button)
which is a GET with a clean URL. However, the URL is no longer very clean.


Duncan Harris
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hartford, Cheshire, U.K., Tel: 07968 060418
Looking for STRUTS contract work in the U.K.



duncan@sapio.co.uk (Duncan Harris) wrote:

> I need my transaction token checking before my form is
> populated.
> 
> Problem here is that I have indexed properties and the valid index range
> may be different at different times. When all is well, the form bean and
> the HTML form correspond, but if the user goes back and re-submits then
> they may not and I can get out of range exceptions.
> 
> I thought I could use the transaction token to guard against this, but
> of course it needs doing before the action perform() method is called.
> 
> I already have a servlet derived from ActionServlet so I thought I could
> do it here, but of course the token checking functions are not available
> from here because they are protected.
> 
> So it seems I have to copy the token checking code.
> 
> Is there a clean way to solve this?
> 
> Or maybe STRUTS needs fixing? Should the token checking functions be 
> static and public?
