struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: Does struts use tokens along with .do commands? (Was :RE: Is struts a hybrid or page-centric and servlet-centric design?)
Date Tue, 19 Sep 2000 18:05:02 GMT
"Leland, Robert" wrote:

> > I would agree with that characterization, but I haven't read
> > the book -- only the quote you cited.
>
> Chapter 8 ties right in with struts.
> <Promo> Source code @ www.taglib.com,$12 online book </Promo>
>
> QUESTION:
> Can struts handle multiple windows open for the same user
> session ?

I have found this to be one of the most complicated areas to deal with in
webapp design.  The key issue is that the various windows will be considered
part of the same session under virtually all circumstances.  So the real issue
becomes "does my application deal correctly with multiple flows of control
operating in the same session at the same time?"  This is where it gets tricky.



> In WDJSP each command he sent from the servlet to the
> JSP page contained a token, a time stamp with md5 encoding.
> So commands can only be performed only once, and could also be made to
> timeout after a while.
>

Struts doesn't have any particular support for this technique, although it
sounds like the same principles would apply.  One thing you can look at,
though, is running your application session-less, using only request attributes
instead.  This takes a little more work to set up (your forms and form beans
need to carry around any state info you need as hidden variables), but it
elegantly deals with the multi-window scenario, because the flow of control for
each window is independent.

You could still use a session for stuff that is shared between windows.

>
> For fear of misquoting again, here is the 'exact' quote P229, talking about
> transaction integrity, any spelling mistakes are mine.
>
> <Quote>
>
> As we discussed earlier, web applications suffer somewhat
> from stateless request/response mature of HTTP protocol.
> Reloading a page or clicking the back button can reissue
> requests or call them out of sequence--something we
> want to be sure to catch in a mission-critical application.
>
> One way to solve this continuity problem is by recording a
> token in the user's session upon completion of activity
> prerequisites and requiring this token in the second step.
> When a request comes in to perform the second step of the
> transaction, the servlet can first verify that the
> prerequisite has been met by retrieving the token from the
> session. Once completed, the token is removed from the session.
> A token then gives the ability to perform the action, but only
> once. Secondary requests will find no matching tpken and can
> raise an exception. Depending on your application's
> requirements you can maintain either a list of tokens - which
> would simultaneously support multiple browser windoes from the
> same user--or a single token, which is overwritten each time.
>
> </Quote>
>

Using the token by itself will deal with "submit the same form more than once"
type problems, but it does not deal with the multi-window situation.  In most
circumstances, the multiple windows will all be sharing the same session.  This
is also true, by the way, of frames in a framed presentation.

>
> In your example login.jsp
> <struts:form action="logon.do" name="logonForm" focus="username"
>
> the runtime .jsp source expands to:
>
> <form name="logonForm" method="POST"
> action="logon.do;jsessionid=To1010mC07384516023658427At">
>
> Is 'jsessionid' just the session ID or does it contain
> some type of token from struts ?
>

It is just the session identifier, using the standard servlet container
facilities for URL rewriting.  The Struts tags do a response.encodeURL() call
for you whenever they take a URL as an argument.

Tokens are something that you would need to deal with yourself -- most likely
by creating a form bean property to hold it, and using the <struts:hidden/> tag
to make sure it is included with the rest of the submitted data.

>
> -Rob

Craig

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat



Mime
View raw message