[Struts] Token Usage and principle

Source: Internet
Author: User

Struts Token Usage

1. First call the saveToken(HttpServletRequest request) method in an action, then forward to the JSP page that contains the form.

2. The JSP page submits the form to an action, and that action checks whether the submission is a duplicate.

    if (isTokenValid(request, true)) {
        // What to do when the submission is not a duplicate
        return mapping.findForward("success");
    } else {
        // What to do when the submission is a duplicate
        saveToken(request);
        return mapping.findForward("error");
    }

Struts Token Mechanism:

1. The first action calls saveToken(HttpServletRequest request). Internally this method is implemented as follows:

    protected void saveToken(HttpServletRequest request) {
        token.saveToken(request);
    }

The implementation of token.saveToken(request) is as follows:

    public synchronized void saveToken(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String token = generateToken(request);
        if (token != null) {
            session.setAttribute(Globals.TRANSACTION_TOKEN_KEY, token);
        }
    }

This method calls the generateToken method to produce the token value.

When generateToken completes, the resulting unique value is stored in the session with setAttribute:

    session.setAttribute(Globals.TRANSACTION_TOKEN_KEY, token);

The value of Globals.TRANSACTION_TOKEN_KEY is "org.apache.struts.action.TOKEN".

The action then forwards to the JSP page.

2. The JSP page uses a Struts custom tag.

The doStartTag() method of the tag's class invokes that class's renderToken() method.

    protected String renderToken() {
        StringBuffer results = new StringBuffer();
        HttpSession session = pageContext.getSession();

        if (session != null) {
            // Read the token that saveToken stored in the session
            String token =
                (String) session.getAttribute(Globals.TRANSACTION_TOKEN_KEY);

            if (token != null) {
                // Emit the token as a hidden form field
                results.append("<input type=\"hidden\" name=\"");
                results.append(Constants.TOKEN_KEY);
                results.append("\" value=\"");
                results.append(token);
                if (this.isXhtml()) {
                    results.append("\" />");
                } else {
                    results.append("\">");
                }
            }
        }

        return results.toString();
    }

This generates a hidden field similar to the following:

    <input type="hidden" name="org.apache.struts.taglib.html.TOKEN"
    value="6aa35341f25184fd996c4c918255c3ae">

The form is then submitted to an action, which uses the isTokenValid() method to check whether the value stored in the session under the key "org.apache.struts.action.TOKEN" matches the token value submitted with the form.

If it returns true, the submission is accepted. If it returns false, the submission is a duplicate and is not allowed.
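
The flow described above, as an added example that is not part of the original page and is not Struts code: a self-contained Java simulation in which plain maps stand in for the session and the request parameters. The class name TokenFlowDemo and the random token generation are assumptions; the point it shows is that isTokenValid with reset set to true consumes the session token, so a replayed or stale form is rejected.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

public class TokenFlowDemo {
    // Key names as given on the page.
    static final String TRANSACTION_TOKEN_KEY = "org.apache.struts.action.TOKEN";
    static final String TOKEN_KEY = "org.apache.struts.taglib.html.TOKEN";
    static final SecureRandom RNG = new SecureRandom();

    // Step 1: generate a fresh value and store it in the (simulated) session.
    static void saveToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw); // assumption: random token, not Struts' own generateToken
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        session.put(TRANSACTION_TOKEN_KEY, hex.toString());
    }

    // Step 2: the hidden field the form carries back to the server.
    static String renderToken(Map<String, Object> session) {
        Object t = session.get(TRANSACTION_TOKEN_KEY);
        return t == null ? "" : "<input type=\"hidden\" name=\"" + TOKEN_KEY + "\" value=\"" + t + "\">";
    }

    // Step 3: compare session token with submitted token; reset=true consumes it.
    static boolean isTokenValid(Map<String, Object> session, Map<String, String> params, boolean reset) {
        String saved = (String) session.get(TRANSACTION_TOKEN_KEY);
        if (saved == null) return false;          // never issued, or already consumed
        if (reset) session.remove(TRANSACTION_TOKEN_KEY);
        String submitted = params.get(TOKEN_KEY);
        if (submitted == null) return false;      // form posted without the hidden field
        return MessageDigest.isEqual(saved.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        saveToken(session);
        System.out.println(renderToken(session));
        Map<String, String> form = new HashMap<>(); // constructed form post
        form.put(TOKEN_KEY, (String) session.get(TRANSACTION_TOKEN_KEY));
        System.out.println("first submit:  " + isTokenValid(session, form, true));
        System.out.println("replayed form: " + isTokenValid(session, form, true));
        saveToken(session); // a new token is issued, as in the else branch above
        System.out.println("stale token:   " + isTokenValid(session, form, true));
    }
}
```

Only the first submission passes: the replay fails because the session token was removed, and the stale form fails because its value no longer matches the newly issued token.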
