Struts2 Interceptor: Struts2 Token Interceptor Example
Published: 2019-05-11

The Struts 2 token interceptor can be used to handle the multiple form submission problem. When designing a web application, we sometimes have to make sure that a double form submission is treated as a duplicate request and is not processed. For example, if a user reloads the online payment form and there are not enough checks in place to identify it as a duplicate request, the customer will be charged twice.

Double form submission needs to be handled on both the client side and the server side. On the client side, we can disable the submit button or disable the back button, but there will always be ways for the user to send the form data again. Struts2 provides token interceptors that are designed to deal with this particular problem.

Struts2 Token Interceptor

There are two interceptors defined in the struts-default package: token and tokenSession.

These interceptors are not part of any predefined interceptor stack, because if we add one to an action, the submitted form must carry a token parameter or an exception is thrown. We will look at its usage with a simple project. The final project structure will look like the image below.

Struts2 Token Interceptor Example Configuration Files

web.xml

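<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
	<display-name>Struts2TokenInterceptor</display-name>

	<!-- Route every request through the Struts 2 filter -->
	<filter>
		<filter-name>struts2</filter-name>
		<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>struts2</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
</web-app>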

The deployment descriptor is configured to use the Struts 2 framework.

pom.xml

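<project xmlns="http://maven.apache.org/POM/4.0.0">
	<modelVersion>4.0.0</modelVersion>
	<groupId>Struts2TokenInterceptor</groupId>
	<artifactId>Struts2TokenInterceptor</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<packaging>war</packaging>

	<build>
		<plugins>
			<plugin>
				<artifactId>maven-compiler-plugin</artifactId>
				<version>3.1</version>
				<configuration>
					<source>1.6</source>
					<target>1.6</target>
				</configuration>
			</plugin>
			<plugin>
				<artifactId>maven-war-plugin</artifactId>
				<version>2.3</version>
				<configuration>
					<warSourceDirectory>WebContent</warSourceDirectory>
					<failOnMissingWebXml>false</failOnMissingWebXml>
				</configuration>
			</plugin>
		</plugins>
		<finalName>${project.artifactId}</finalName>
	</build>

	<!-- The only dependency: Struts 2 core -->
	<dependencies>
		<dependency>
			<groupId>org.apache.struts</groupId>
			<artifactId>struts2-core</artifactId>
			<version>2.3.15.1</version>
		</dependency>
	</dependencies>
</project>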

The web application is configured as a Maven project to which we have added the struts2-core dependency.

struts.xml

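<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
	"http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
	<!-- The package name and the UpdateUser action name are assumptions;
	     the page gives only the result paths and the action class -->
	<package name="user" namespace="/" extends="struts-default">
		<!-- Entry point: shows the form -->
		<action name="update">
			<result>/update.jsp</result>
		</action>
		<action name="UpdateUser" class="com.journaldev.struts2.actions.UpdateUserAction">
			<!-- token (or tokenSession) is not in any predefined stack, so reference it explicitly -->
			<interceptor-ref name="token" />
			<interceptor-ref name="defaultStack" />
			<result name="success">/update_success.jsp</result>
			<result name="input">/update.jsp</result>
			<result name="invalid.token">/invalid_token.jsp</result>
		</action>
	</package>
</struts>
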
  1. We can use either the token interceptor or the tokenSession interceptor with any action.
  2. If the token interceptor identifies the request as a duplicate, it returns the result invalid.token; that's why we have a result configured for it.
  3. If form field validation fails, the input result is returned, which sends back the same page the request came from.

We will look into the complete flow once we have seen the implementation and the application behavior with a duplicate request.

Struts2 Token Interceptor Example Action Class

UpdateUserAction.java

package com.journaldev.struts2.actions;

import java.util.Date;

import com.opensymphony.xwork2.ActionSupport;

public class UpdateUserAction extends ActionSupport {

	@Override
	public String execute() {
		System.out.println("Update Request Arrived to Action Class");
		// setting update time in action class
		setUpdateTime(new Date());
		return SUCCESS;
	}

	@Override
	public void validate() {
		if (isEmpty(getName())) {
			addActionError("Name can't be empty");
		}
		if (isEmpty(getAddress())) {
			addActionError("Address can't be empty");
		}
	}

	// java bean variables
	private String name;
	private String address;
	private Date updateTime;

	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	public String getAddress() {
		return address;
	}

	public void setAddress(String address) {
		this.address = address;
	}

	public Date getUpdateTime() {
		return updateTime;
	}

	public void setUpdateTime(Date updateTime) {
		this.updateTime = updateTime;
	}

	private boolean isEmpty(String str) {
		return str == null || str.equals("");
	}
}

A simple action class with basic form field validation and some Java bean properties. Notice that the update time is set by the action class; it has been added to show the application behavior when we use the tokenSession interceptor.

Struts2 Token Interceptor Example JSP Pages

update.jsp

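<%@ page language="java" contentType="text/html; charset=US-ASCII"
    pageEncoding="US-ASCII"%>
<%@ taglib uri="/struts-tags" prefix="s" %>
<html>
<head>
<title>Update User Request Page</title>
</head>
<body>
<%-- show validation errors added by the action --%>
<s:actionerror/>
<%-- the form action name, labels and button text are assumptions; the fields match the action's name and address properties --%>
<s:form action="UpdateUser">
	<s:textfield name="name" label="Name"/>
	<s:textfield name="address" label="Address"/>
	<s:submit value="Update"/>
	<%-- add token to JSP to be used by Token interceptor --%>
	<s:token/>
</s:form>
</body>
</html>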

This is the entry point of the application, from which the user submits the form to update some information. We are using the actionerror tag to show any validation errors added by the application. The most important point to note is the s:token tag, which the token interceptors use to make sure duplicate requests are not processed.

update_success.jsp

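<%@ page language="java" contentType="text/html; charset=US-ASCII"
    pageEncoding="US-ASCII"%>
<%@ taglib uri="/struts-tags" prefix="s" %>
<html>
<head>
<title>Update User Success Page</title>
</head>
<body>
<h3>User information updated successfully.</h3>
<%-- values come from the action class bean properties --%>
Name: <s:property value="name"/><br>
Address: <s:property value="address"/><br>
Update Time: <s:property value="updateTime"/><br>
<h4>Thank You!</h4>
</body>
</html>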

A simple JSP page showing the action class Java bean properties.

invalid_token.jsp

<%@ page language="java" contentType="text/html; charset=US-ASCII"
    pageEncoding="US-ASCII"%>
<%@ taglib uri="/struts-tags" prefix="s" %>
<html>
<head>
<title>Update Duplicate Request Page</title>
</head>
<body>
<h3>User information is not updated, duplicate request detected.</h3>
<h4>Possible Reasons are:</h4>
<ul>
	<li>Back button usage to submit form again</li>
	<li>Double click on Submit button</li>
	<li>Using "Reload" Option in browser</li>
</ul>
<%-- action error message added by the token interceptor --%>
<s:actionerror/>
</body>
</html>

Simple JSP page showing different methods that can cause multiple form submissions, notice the usage.

Now when we run our application, we will see the following pages as responses, in the same order.

If you look into the source of the input page, you will see that the Struts2 API has converted the token tag to the following HTML snippet.

You will also notice the following log snippet.

Update Request Arrived to Action Class
WARNING: Form token HGWQI7ZGP7KFGJLDPNTSFHLUX5RF26IK does not match the session token null.

Notice that the duplicate request doesn’t even reach the action class; the token interceptor returns the invalid.token page as the response.

If you use the tokenSession interceptor, you will notice that it returns the same response as the first request. You can confirm this by going back, editing the form fields and submitting the form again. The update time and field values in the response will be the old values sent in the first request.

How Struts2 Token Interceptor Works

Now let’s see how the token interceptor works to handle multiple form submissions.

  1. When a request is made to the update action, the Struts2 tags API generates a unique token and sets it in the session. The same token is sent in the HTML response as a hidden field.
  2. When the form is submitted with the token, it is intercepted by the token interceptor, which tries to fetch the token from the session and validates that it is the same as the token received in the request form. If the token is found in the session and validated, the request is forwarded to the next interceptor in the chain. The token interceptor also removes the token from the session.
  3. When the same form is submitted again, the token interceptor will not find the token in the session. So it will add an action error message and return the invalid.token result as the response. You can see this message in the above image for the invalid_token.jsp response. This way the token interceptor makes sure that a form with a token is processed only once by the action.
  4. If we use the tokenSession interceptor, rather than returning the invalid token response, it tries to return the same response as the one returned by the first action with the same token. This is implemented in the TokenSessionStoreInterceptor class, which saves the response for each token in the session.
  5. We can override the action error message sent by the token interceptor through i18n support, using the key “struts.messages.invalid.token”.
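
The flow in steps 1 to 4 can be reproduced outside Struts. The following is an added example, not code from the original article or from Struts itself: the class TokenFlowDemo, its maps standing in for the HTTP session, and the result strings are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/** Added illustration of the one-time token flow; this is not Struts source code. */
public class TokenFlowDemo {
    // Hypothetical stand-in for the HTTP session: token name -> token value.
    private final Map<String, String> session = new ConcurrentHashMap<>();
    // tokenSession variant: token value -> response saved from the first submission.
    private final Map<String, String> savedResponses = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Step 1: rendering the form creates a token, stores it in the session and embeds it. */
    String renderForm() {
        byte[] raw = new byte[20];
        random.nextBytes(raw);
        StringBuilder token = new StringBuilder();
        for (byte b : raw) token.append(String.format("%02X", b));
        session.put("token", token.toString());
        return token.toString(); // value of the hidden form field
    }

    /** Steps 2-3: compare and remove in one atomic call, so a double click cannot pass twice. */
    String submitWithToken(String formToken, String name) {
        if (formToken == null || !session.remove("token", formToken)) {
            return "invalid.token";             // the action is never invoked
        }
        return "success: updated " + name;      // the action runs exactly once
    }

    /** Step 4: tokenSession replays the first response instead of returning invalid.token. */
    String submitWithTokenSession(String formToken, String name) {
        if (formToken == null) return "invalid.token";
        if (session.remove("token", formToken)) {
            String response = "success: updated " + name;
            savedResponses.put(formToken, response);
            return response;
        }
        return savedResponses.getOrDefault(formToken, "invalid.token");
    }

    public static void main(String[] args) {
        TokenFlowDemo demo = new TokenFlowDemo();
        String first = demo.renderForm();
        System.out.println(demo.submitWithToken(first, "Alice"));
        System.out.println(demo.submitWithToken(first, "Alice"));          // replay of the same form
        String second = demo.renderForm();
        System.out.println(demo.submitWithTokenSession(second, "Alice"));
        System.out.println(demo.submitWithTokenSession(second, "Edited")); // back, edit, resubmit
    }
}
```

The second call in each pair is the duplicate: with the token behavior it yields invalid.token, and with the tokenSession behavior it yields the response saved from the first submission, so the edited field value is ignored.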

That's all for the usage of the Struts2 token interceptor to handle the multiple form submission problem in a web application. Download the application from the link below and play around with it for better understanding.


Reposted from: http://lvlzd.baihongyu.com/
