Class TransactionToken
Web dev. with JSP by Fields, Kolb and Bayern. Uses JDBCSession to store data.
Essentially, a token prevents repeating a page action upon back-button, reload, etc. of a page (for example, reprocessing an order if an order page was reloaded). This is done by setting a transaction token as a hidden field in the page we want to protect and also setting the same token in the user session. (This setting is done by other pages/servlets that send the user to the protected page, for example, from an earlier HTML page.) When the protected order page is submitted, the order processing code checks to see if the session-token and the submitted form-token match. If so, the order is run and the session-token deleted.
The next time the protected page is reloaded and submitted, the session-token is missing on the server, hence the submitted form (which still has the earlier token) and the session token will not match and the order is not rerun.
Thread safety: Methods in this class are not thread safe and should be called via higher level synchronization (typically on the session object for a given user).
Field Summary
static final String TransactionToken_Key
    The token is stored in the session with this key.

Constructor Summary
TransactionToken()

Method Summary
static void create(Connection con, String sessionID)
    Creates a new transactional token.
static boolean isValid(Connection con, String sessionID, jakarta.servlet.http.HttpServletRequest req)
    Searches for a token in the request (under the parameter name TransactionToken_Key) and tries to match it with a corresponding token in the session.
static void main
static void revoke(Connection con, String sessionID)
    Revokes the transactionID (if any) from the session data.
Field Details
TransactionToken_Key
    The token is stored in the session with this key.

Constructor Details
TransactionToken
    public TransactionToken()
Method Details
create
    public static void create(Connection con, String sessionID) throws SQLException
    Creates a new transactional token. Tokens are unique per session. Calling this method more than once will replace a prior token (if any) in the session.
    Parameters:
        con - connection to database used by JDBCSession
        sessionID - the sessionID of the client
    Throws:
        IllegalStateException - if the specified sessionID is expired/not valid
        SQLException

revoke
    public static void revoke(Connection con, String sessionID) throws SQLException
    Revokes the transactionID (if any) from the session data.
    Parameters:
        sessionID - the sessionID of the client
        session - the JDBC session to save the token to
    Throws:
        SQLException

isValid
    public static boolean isValid(Connection con, String sessionID, jakarta.servlet.http.HttpServletRequest req) throws SQLException
    Searches for a token in the request (under the parameter name TransactionToken_Key) and tries to match it with a corresponding token in the session. Returns true if the tokens match (and hence the token is valid), false otherwise.
    Throws:
        SQLException

main
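The create / isValid / revoke cycle described above, written as an added stand-alone Python example (not the class's own Java code): an in-memory dict stands in for the JDBC session store, a request-parameter dict for HttpServletRequest, and the names SESSIONS, LOCK, process_order and demo are this example's own. It also shows two points the page leaves to the caller: the check-and-revoke runs under one lock, as the thread-safety note requires, and the token comparison is constant-time.

```python
import hmac
import secrets
import threading

# Session key and hidden-field name, mirroring TransactionToken_Key on the page.
TOKEN_KEY = "TransactionToken_Key"

SESSIONS: dict[str, dict] = {}  # constructed in-memory stand-in for JDBCSession
# The page says the methods are not thread safe and must be called under
# higher-level synchronisation (per session); this lock plays that role here.
LOCK = threading.RLock()

def create(session_id: str) -> str:
    """Create (or replace) the session's token; returned for the hidden field."""
    with LOCK:
        if session_id not in SESSIONS:
            raise ValueError("session expired or not valid")  # cf. IllegalStateException
        token = secrets.token_urlsafe(32)  # unpredictable, so a client cannot forge one
        SESSIONS[session_id][TOKEN_KEY] = token
        return token

def is_valid(session_id: str, params: dict) -> bool:
    """True iff the submitted form token matches the token held in the session."""
    with LOCK:
        session_token = SESSIONS.get(session_id, {}).get(TOKEN_KEY)
        form_token = params.get(TOKEN_KEY)
        if session_token is None or form_token is None:
            return False
        return hmac.compare_digest(session_token, form_token)  # constant-time compare

def revoke(session_id: str) -> None:
    """Remove the token (if any) from the session so it cannot be reused."""
    with LOCK:
        SESSIONS.get(session_id, {}).pop(TOKEN_KEY, None)

def process_order(session_id: str, params: dict) -> bool:
    """Protected page: run the order only if the token is valid, then revoke it."""
    with LOCK:  # check-and-revoke must be atomic, or two submits could both pass
        if not is_valid(session_id, params):
            return False
        revoke(session_id)
        return True

def demo() -> tuple:
    """Back-button scenario: the first submit runs, the re-submit is rejected."""
    SESSIONS["sess-1"] = {}  # constructed client session
    form = {TOKEN_KEY: create("sess-1")}  # token echoed back from the hidden field
    return process_order("sess-1", form), process_order("sess-1", form)
```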