Struts token mechanism

Source: Internet
Author: User

The Struts synchronization token mechanism is used to solve the problem of repeated submission in web applications. The basic principle is that, before processing an incoming request, the server compares the token value carried in the request with the token value saved in the current user's session to see whether they match. After the request has been processed, and before the response is sent to the client, a new token is generated; it is sent to the client and also replaces the old token saved in the user's session. If the user then goes back to the submission page and submits it again, the token sent by the client no longer matches the one on the server, which effectively prevents the repeated submission.

Concretely, the check is whether the value of the request parameter org.apache.struts.taglib.html.TOKEN equals the value of the session attribute org.apache.struts.action.TOKEN. If they are equal, the request is a normal submission; if they are not, it is a repeated submission.

Next, let's walk through the complete flow, which makes the mechanism easy to understand.

First we need to be clear about when repeated submissions occur and which of them actually need handling. The repeated submission we want to prevent is usually the one that happens when a user inserts a new record. A repeated submission of a modification is generally not a concern, because the record already has an ID: resubmitting only updates the same database row and does not affect data correctness. Repeating an insert, on the other hand, inserts the same record again and leaves redundant rows in the database.

Inserting a record takes two steps. Step 1: open the page for adding a record. Step 2: fill in the relevant information on that page and submit it.
Step 1: opening the add-record page is handled by the add method. The code is as follows:

    public ActionForward add(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        this.saveToken(request);             // generates the token value; saveToken() is an existing Struts method
        return mapping.findForward("add");   // forward to the add page
    }
Calling saveToken(request) generates a token value. (Note: every call to saveToken produces a different token.) The <html:form> tag on the add page then renders a hidden field in the following format:
    <div>
        <input type="hidden" name="org.apache.struts.taglib.html.TOKEN"
               value="8b2d950f23b02c527988a14171254025">
    </div>

At the same time the token value "8b2d950f23b02c527988a14171254025" is saved in the current session, that is, session.setAttribute("org.apache.struts.action.TOKEN", token);

Step 2: submitting the data from this page is handled by the save method. The code is as follows:

    public ActionForward save(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        if (this.isTokenValid(request)) {            // normal submission
            this.resetToken(request);                // clear the token value in the current session
            return mapping.findForward("success");   // forward to the "saved successfully" page
        } else {                                     // repeated submission
            this.saveToken(request);                 // Note: this call is optional here (see below)
            return mapping.findForward("fail");      // forward to the repeated-submission prompt page
        }
    }

The key to deciding whether a request is a repeated submission is the isTokenValid(request) method provided by Struts. If it returns true, the request is a normal submission; if it returns false, the request is a repeated submission. The isTokenValid(request) method actually does three things:
1. It checks whether the current session has expired; if so, it returns false.

    HttpSession session = request.getSession(false);
    if (session == null) {
        return false;
    }

2. It then checks whether the current session holds the token attribute "org.apache.struts.action.TOKEN"; if not, it returns false.

    String saved = (String) session.getAttribute("org.apache.struts.action.TOKEN");
    if (saved == null) {
        return false;
    }

Why might the token attribute "org.apache.struts.action.TOKEN" be missing? Because after a normal submission the action calls this.resetToken(request), which clears the token value in the current session: resetToken(request) calls session.removeAttribute("org.apache.struts.action.TOKEN").

This is why I said above that the this.saveToken(request) call in the repeated-submission branch is optional. Consider both cases. If it is not called, no token is left in the session, so on every refresh the session's token is null and isTokenValid(request) returns false directly at step 2. If it is called, a new token is stored in the session, and isTokenValid(request) proceeds to the third step below.
3. Finally it compares the token value taken from the session with the token value carried in the current request; if they are the same it returns true, otherwise false.

    String token = request.getParameter("org.apache.struts.taglib.html.TOKEN");
    if (token == null) {
        return false;
    }
    return saved.equals(token);

On a repeated refresh the token value in each request is the same stale value, while the token in the session has been removed (or replaced by a new one on each failed submission), so isTokenValid(request) returns false.

Note: to use the Struts form token mechanism, the submitted form must be written with the <html:form> tag; that tag renders the hidden token field automatically when a token is present in the session. A hand-written <form> does not, so isTokenValid(request) would always return false for it.
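The full lifecycle described above, as an added example that is not part of the original article and not Struts' own code: a minimal re-implementation of saveToken / isTokenValid / resetToken over a map-based stand-in for HttpSession and HttpServletRequest (both stand-ins are assumptions so that the example runs without the servlet API). The two key names are the real Struts 1 constants; the token is generated with SecureRandom rather than Struts' MD5 of session id and time, and isTokenValid takes the reset flag that Struts 1.1 and later offer so the check and the reset can happen under one lock. The save() method follows the article's own check-then-reset pattern.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class TokenDemo {
    // The two key names are the real Struts 1 constants (Globals.TRANSACTION_TOKEN_KEY
    // and Constants.TOKEN_KEY); everything else in this class is a stand-in, not Struts code.
    static final String SESSION_KEY = "org.apache.struts.action.TOKEN";
    static final String PARAM_KEY = "org.apache.struts.taglib.html.TOKEN";
    private static final SecureRandom RNG = new SecureRandom();

    // Assumption: a plain attribute map replaces HttpSession.
    static class Session extends HashMap<String, Object> {}

    // Assumption: request parameters plus the owning session replace HttpServletRequest;
    // a null session models request.getSession(false) returning null (expired session).
    static class Request {
        final Map<String, String> params = new HashMap<>();
        final Session session;
        Request(Session session) { this.session = session; }
    }

    // saveToken: mint a fresh token, store it under the session key and return it so the
    // page can emit the hidden field. Struts derives its token from MD5(session id, time);
    // 16 bytes from SecureRandom are used here instead.
    static String saveToken(Session session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        String token = hex.toString();
        session.put(SESSION_KEY, token);
        return token;
    }

    static void resetToken(Session session) {
        session.remove(SESSION_KEY);
    }

    // isTokenValid: the three checks the article describes, under one lock on the session.
    // With reset=true the token is removed inside the same call (the Struts 1.1+ overload
    // Action.isTokenValid(request, true)); note that this consumes the token even when the
    // comparison afterwards fails.
    static boolean isTokenValid(Request request, boolean reset) {
        Session session = request.session;
        if (session == null) return false;                     // 1. session expired
        synchronized (session) {
            String saved = (String) session.get(SESSION_KEY);
            if (saved == null) return false;                   // 2. no token in the session
            if (reset) resetToken(session);
            String token = request.params.get(PARAM_KEY);
            if (token == null) return false;                   // 3. no token in the request
            return saved.equals(token);                        //    otherwise compare the two
        }
    }

    // The article's save action: validate, reset only on success, re-issue a token on failure.
    static String save(Request request) {
        if (isTokenValid(request, false)) {
            resetToken(request.session);
            return "success";
        }
        if (request.session != null) saveToken(request.session);  // Struts would create a session here
        return "fail";
    }

    // Build the request the browser sends; hiddenField == null models a missing hidden field.
    static Request submit(Session session, String hiddenField) {
        Request r = new Request(session);
        if (hiddenField != null) r.params.put(PARAM_KEY, hiddenField);
        return r;
    }

    // Walks the scenarios the article discusses and returns the forward chosen for each.
    static List<String> scenario() {
        List<String> outcomes = new ArrayList<>();
        Session session = new Session();
        String t1 = saveToken(session);              // step 1: add page rendered with hidden field t1
        outcomes.add(save(submit(session, t1)));     // step 2: first submission of that form
        outcomes.add(save(submit(session, t1)));     // browser back + submit: the token was already consumed
        outcomes.add(save(submit(session, t1)));     // refresh of the fail page: stale t1 vs. the token re-issued by save()
        String t2 = saveToken(session);              // user opens a fresh add page
        outcomes.add(save(submit(session, t2)));     // submission of the fresh form
        outcomes.add(save(submit(null, t2)));        // session expired between render and submit
        return outcomes;
    }

    public static void main(String[] args) {
        System.out.println(scenario());
    }
}
```

Compile and run with javac TokenDemo.java && java TokenDemo; only the first submission and the fresh form reach "success", every stale or session-less request lands on "fail". Two points worth keeping in mind when adopting the article's pattern: the separate isTokenValid / resetToken calls leave a window in which two concurrent submissions of the same form (a double-click) can both see a valid token before either resets it, and isTokenValid(request, true) closes that window but, as the code shows, also consumes the token on a mismatched request, so a stale resubmission then invalidates the form the user currently has open.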
