Comments on: Struts and Synchronizer Token

By: Anders

Anders — Thu, 24 Nov 2005 11:06:16 +0000

It’s not much more code you need than what’s in the blogentry. You just have to grok how to incorporate it into your own code. Read the docs people.

By: Amey

Amey — Wed, 09 Nov 2005 13:20:39 +0000

Does ne 1 have a working code for synchronizer token? I am new to Struts.
Your help is appreciated.
I was pulling my hair off for this prob..
Thanks
Amey.

By: Anonymous

Anonymous — Wed, 31 Aug 2005 13:59:31 +0000

The technical part of this can be easily implemented. For each form, there are two random keys. 1 key is used as key, while another as value. They are stored as hidden field, and also in the session object. When user submit, the system sync the session, use the 1st key to look up for the 2nd. If found, then remove both from the session. If not, then this is a resubmit. The next time the form is requested, a new pair of keys is generated. The only problem with this is that memory may get leaked. A simple solution is to limit the number of keys per form. Another is to have it removed after certain wait time.

By: Anonymous

Anonymous — Fri, 15 Apr 2005 18:37:52 +0000

As dan said, there is only one way to solve this.

Restrict the user to work on one page at a time.
When token is issued to the user, store it in Session, irrespective of whether last token was sent back by the user.

In this way, if user open new window a new token is issued to him, and the last one becomes invalid. and so the first window form.

hope this helps

By: dan

dan — Tue, 08 Mar 2005 15:54:39 +0000

I have implemented a locking on the session as a whole so that only one request can be done per user. This loses some performance on read-only calls that could have been served, but I am willing to trade that in in exchange for maintenance and simplicity. The code I use is:

public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { if (sessionLock.lock(request)) { try { ActionForward af = super.execute(mapping, form, request, response);


				return af;

			}

			catch (Exception e)

			{

				throw e;

			}

			finally

			{

				sessionLock.unlock(request);

			}

		}

// should be a nice page asking user to be patient return null; }

By: Anders

Anders — Tue, 31 Aug 2004 06:51:36 +0000

I’m completely aware of it, and I’ve been playing around with the thought of contributing. But right now I can’t really find the time to. I wish I could though.

By: Craig McClanahan

Craig McClanahan — Tue, 31 Aug 2004 04:13:18 +0000

It is much more likely that such a feature would be implemented if someone (especially someone who believed it to be “not a big problem” to implement were to file an enhancement request in the bug tracking system, and then add a patch (as an attachment) that implements the requested feature.