java.lang.Object
  fc.web.servlet.TransactionToken
public class TransactionToken

Modified version of the CommandToken class from the book Web Development with JSP by Fields, Kolb and Bayern. Uses JDBCSession to store data.
Essentially, a token prevents a page action from being repeated when the page is reloaded, reached via the back button, etc. (for example, reprocessing an order if the order page was reloaded). This is done by setting a transaction token as a hidden field in the page we want to protect and also storing the same token in the user session. (The token is set by the other pages/servlets that send the user to the protected page, for example an earlier HTML page.) When the protected order page is submitted, the order-processing code checks whether the session token and the submitted form token match. If so, the order is run and the session token is deleted.

The next time the protected page is reloaded and submitted, the session token is missing on the server, so the submitted form (which still carries the earlier token) and the session token do not match and the order is not rerun.

Thread safety: methods in this class are not thread safe and should be called under higher-level synchronization (typically on the session object for a given user).
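The create / isValid / revoke flow described above, as an added stand-alone model of the pattern (not the fc.web.servlet code): an in-memory dict stands in for JDBCSession, a plain dict stands in for the request parameters, and the order handler performs the check and the revoke under one per-store lock, which is the "higher level synchronization" the class comment asks for. Names such as SessionStore and process_order are this example's own.

```python
import hmac
import secrets
import threading

TOKEN_KEY = "TransactionToken_Key"  # same parameter/session key name the servlet class uses


class SessionStore:
    """Constructed in-memory stand-in for JDBCSession: sessionID -> attribute dict."""

    def __init__(self):
        self._data = {}
        self.lock = threading.Lock()  # callers synchronize here; the token functions do not

    def open(self):
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        return sid

    def get(self, session_id):
        if session_id not in self._data:
            raise ValueError("sessionID is expired/not valid")  # mirrors IllegalStateException
        return self._data[session_id]


def create(store, session_id):
    """Store a fresh random token in the session; the page that links to the
    protected form embeds the returned value as its hidden field."""
    token = secrets.token_urlsafe(32)
    store.get(session_id)[TOKEN_KEY] = token
    return token


def is_valid(store, session_id, request_params):
    """True only if the submitted token exists and equals the session token."""
    submitted = request_params.get(TOKEN_KEY)
    stored = store.get(session_id).get(TOKEN_KEY)
    if submitted is None or stored is None:
        return False
    return hmac.compare_digest(submitted.encode(), stored.encode())  # constant-time compare


def revoke(store, session_id):
    """Remove the token so any later submit of the same form no longer matches."""
    store.get(session_id).pop(TOKEN_KEY, None)


def process_order(store, session_id, request_params):
    """Order handler: check-and-revoke atomically so two concurrent submits cannot both pass."""
    with store.lock:
        if not is_valid(store, session_id, request_params):
            return "rejected: missing or already-used token"
        revoke(store, session_id)
    return "order processed"


def demo():
    store = SessionStore()
    sid = store.open()
    form = {TOKEN_KEY: create(store, sid), "item": "widget"}  # constructed POST body
    first = process_order(store, sid, form)
    second = process_order(store, sid, form)  # reload/back button resubmits the same form
    return first, second
```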
Field Summary

| Modifier and Type | Field | Description |
|---|---|---|
| static java.lang.String | TransactionToken_Key | The token is stored in the session with this key |
Constructor Summary

| Constructor | Description |
|---|---|
| TransactionToken() | |
Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| static void | create(java.sql.Connection con, java.lang.String sessionID) | Creates a new transactional token. |
| static boolean | isValid(java.sql.Connection con, java.lang.String sessionID, javax.servlet.http.HttpServletRequest req) | Searches for a token in the request (under the parameter name TransactionToken_Key) and tries to match it with a corresponding token in the session. |
| static void | main(java.lang.String[] args) | |
| static void | revoke(java.sql.Connection con, java.lang.String sessionID) | Revokes the transaction token (if any) from the session data |
Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

public static final java.lang.String TransactionToken_Key

The token is stored in the session with this key.
Constructor Detail

public TransactionToken()
Method Detail

public static void create(java.sql.Connection con, java.lang.String sessionID) throws java.sql.SQLException

Creates a new transactional token.

Parameters:
con - connection to the database used by JDBCSession
sessionID - the sessionID of the client

Throws:
java.lang.IllegalStateException - if the specified sessionID is expired/not valid
java.sql.SQLException
public static void revoke(java.sql.Connection con, java.lang.String sessionID) throws java.sql.SQLException

Revokes the transaction token (if any) from the session data.

Parameters:
session - the JDBC session to save the token to
sessionID - the sessionID of the client

Throws:
java.sql.SQLException
public static boolean isValid(java.sql.Connection con, java.lang.String sessionID, javax.servlet.http.HttpServletRequest req) throws java.sql.SQLException

Searches for a token in the request (under the parameter name TransactionToken_Key) and tries to match it with a corresponding token in the session. Returns true if the tokens match (and hence the token is valid), false otherwise.

Throws:
java.sql.SQLException
public static void main(java.lang.String[] args) throws java.lang.Exception

Throws:
java.lang.Exception