Class TransactionToken

java.lang.Object
fc.web.servlet.TransactionToken

public class TransactionToken extends Object
Modified version of the CommandToken class from the book:
Web dev. with JSP by Fields, Kolb and Bayern.
Uses JDBCSession to store data.

Essentially, a token prevents a page action from being repeated when the page is reached again via the back button, a reload, etc. (for example, reprocessing an order if an order page was reloaded). This is done by setting a transaction token as a hidden field in the page we want to protect and also setting the same token in the user session. (The token is set by the other pages/servlets that send the user to the protected page, for example, an earlier HTML page.) When the protected order page is submitted, the order processing code checks whether the session token and the submitted form token match. If so, the order is run and the session token is deleted.

The next time the protected page is reloaded and submitted, the session token is missing on the server, so the submitted form (which still has the earlier token) and the session token will not match, and the order is not rerun.

Thread safety: Methods in this class are not thread safe and should be called via higher-level synchronization (typically on the session object for a given user).
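The check-and-delete flow described above, as an added example that is not the fc.web.servlet code: an in-memory map stands in for JDBCSession, and the class name OneTimeTokenDemo, the method consumeIfValid and the SecureRandom token format are assumptions. It performs the match and the deletion as one atomic step, which is the interleaving the thread-safety note guards against when two submits of the same form arrive together.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Added example: in-memory stand-in for the session store (the real class uses JDBCSession).
public class OneTimeTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // sessionID -> current token; hypothetical replacement for the session data
    private final ConcurrentHashMap<String, String> sessionTokens = new ConcurrentHashMap<>();

    // Issues a token for the session, replacing any prior one; the caller renders it as the hidden field.
    public String create(String sessionID) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessionTokens.put(sessionID, token);
        return token;
    }

    // Checks the submitted token and deletes the session token on a match.
    // remove(key, value) does both atomically, so two concurrent submits of
    // the same form cannot both be accepted. A mismatch leaves the token in place.
    public boolean consumeIfValid(String sessionID, String formToken) {
        if (formToken == null) return false; // form arrived without the hidden field
        return sessionTokens.remove(sessionID, formToken);
    }

    public static void main(String[] args) throws Exception {
        OneTimeTokenDemo store = new OneTimeTokenDemo();
        String sid = "constructed-session-1";      // constructed sample session id
        String hidden = store.create(sid);         // value placed in the order page
        System.out.println("first submit accepted:    " + store.consumeIfValid(sid, hidden));
        System.out.println("reload/resubmit accepted: " + store.consumeIfValid(sid, hidden));

        // Two racing submits carrying the same form token: only one may run the order.
        String hidden2 = store.create(sid);
        boolean[] ok = new boolean[2];
        Thread a = new Thread(() -> ok[0] = store.consumeIfValid(sid, hidden2));
        Thread b = new Thread(() -> ok[1] = store.consumeIfValid(sid, hidden2));
        a.start(); b.start(); a.join(); b.join();
        System.out.println("exactly one racing submit accepted: " + (ok[0] ^ ok[1]));
    }
}
```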

  • Field Details

  • Constructor Details

  • Method Details

    • create

      public static void create(Connection con, String sessionID) throws SQLException
      Creates a new transactional token. Tokens are unique per session. Calling this method more than once will replace a prior token (if any) in the session.
      Parameters:
      con - connection to database used by JDBCSession
      sessionID - the sessionID of the client
      Throws:
      IllegalStateException - if the specified sessionID is expired/not valid
      SQLException
    • revoke

      public static void revoke(Connection con, String sessionID) throws SQLException
      Revokes the transactionID (if any) from the session data
      Parameters:
      sessionID - the sessionID of the client
      session - the JDBC session to save the token to
      Throws:
      SQLException
    • isValid

      public static boolean isValid(Connection con, String sessionID, jakarta.servlet.http.HttpServletRequest req) throws SQLException
      Searches for a token in the request (under the parameter name TransactionToken_Key) and tries to match it with a corresponding token in the session. Returns true if the tokens match (and hence the token is valid), false otherwise.
      Throws:
      SQLException
    • main

      public static void main(String[] args) throws Exception
      Throws:
      Exception