fc.web.servlet

Class TransactionToken

java.lang.Object

fc.web.servlet.TransactionToken

public class TransactionToken
extends Object

Modified version of CommandToken class from the book:

Web dev. with JSP by fields, kolb and bayern

Uses JDBCSession to store data.

Essentially, a token prevents repeating a page action upon back-button, reload, etc of a page. (for example, reprocessing an order if an order page was reloaded). This is done by setting a transaction token as a hidden field in the page we want to protect and also setting the same token in the user session. (This setting is done by other pages/servlets that send the use to the protected page, for example, from an earlier html page). When the protected order page is submitted, the order processing code checks to see if the session-token and the submitted form-token match. If so, the order is run and the session-token deleted.

The next time the protected page is reloaded and submitted, the session-token is missing on the server, hence the submitted form (which still has the earlier token) and session token will not match and hence the order is not rerun.

Thread safety: Methods in this class are not thread safe and should be called via higher level synchronization (typically on the session object for a given user);

Field Summary

Fields

Modifier and Type	Field and Description
static String	TransactionToken_Key The token is stored in the session with this key

Constructor Summary

Constructors

Constructor and Description
TransactionToken()

Method Summary

Modifier and Type	Method and Description
static void	create(Connection con, String sessionID) Creates a new transactional token.
static boolean	isValid(Connection con, String sessionID, javax.servlet.http.HttpServletRequest req) Searches for a token in the request (under the parameter name TransactionToken_Key and tries to match it with a corresponding token in the session.
static void	main(String[] args)
static void	revoke(Connection con, String sessionID) Revokes the transactionID (if any) from the session data

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TransactionToken_Key

public static final String TransactionToken_Key

The token is stored in the session with this key

See Also:

Constant Field Values

Constructor Detail

TransactionToken

public TransactionToken()

Method Detail

create

public static void create(Connection con,
                          String sessionID)
                   throws SQLException

Creates a new transactional token. Tokens are unique per session. Calling this method more than once will replace a prior token in (if any) in the session.

Parameters:

con - connection to database used by JDBCSession

sessionID - the sessionID of the client

Throws:

IllegalStateException - if the specified sessionID is expired/not valid

SQLException

revoke

public static void revoke(Connection con,
                          String sessionID)
                   throws SQLException

Revokes the transactionID (if any) from the session data

Parameters:

session - the JDBC session to save the token to

sessionID - the sessionID of the client

Throws:

SQLException

isValid

public static boolean isValid(Connection con,
                              String sessionID,
                              javax.servlet.http.HttpServletRequest req)
                       throws SQLException

Searches for a token in the request (under the parameter name TransactionToken_Key and tries to match it with a corresponding token in the session. Returns true if the tokens match (and hence the token is valid), false otherwise.

Throws:

SQLException

main

public static void main(String[] args)
                 throws Exception

Throws:

Exception