fc.web.servlet
Class TransactionToken

java.lang.Object
  extended by fc.web.servlet.TransactionToken

public class TransactionToken
extends Object

Modified version of the CommandToken class from the book Web Development with JSP by Fields, Kolb and Bayern. Uses JDBCSession to store data.

Essentially, a token prevents a page action from being repeated when the page is reloaded, reached via the back button, etc. (for example, reprocessing an order if an order page was reloaded). This is done by setting a transaction token as a hidden field in the page we want to protect and also setting the same token in the user's session. (This is done by the other pages/servlets that send the user to the protected page, for example from an earlier HTML page.) When the protected order page is submitted, the order-processing code checks whether the session token and the submitted form token match. If so, the order is run and the session token is deleted.

The next time the protected page is reloaded and submitted, the session token is missing on the server, so the submitted form token (which is still the earlier token) and the session token do not match, and the order is not rerun.

Thread safety: methods in this class are not thread safe and should be called under higher-level synchronization (typically on the session object for a given user).
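The flow described above, modelled as an added, self-contained example (this is not the fc.web.servlet.TransactionToken class or the project's code): an in-memory Map stands in for JDBCSession, the token format (SecureRandom bytes, Base64) and the value of the session key are assumptions since the page does not state them, and the check-and-revoke step is done under one lock, which is the higher-level synchronization the thread-safety note asks for.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example modelling the transaction-token flow. NOT the real
// fc.web.servlet.TransactionToken: the session store is an in-memory Map
// standing in for JDBCSession; token format and key value are assumptions.
public class TokenFlowDemo {

    static final String TOKEN_KEY = "TransactionToken_Key";   // assumed key value
    private static final SecureRandom RNG = new SecureRandom();

    // session id -> session attributes (stand-in for JDBCSession)
    private final Map<String, Map<String, String>> sessions = new HashMap<>();

    void openSession(String sessionID) { sessions.put(sessionID, new HashMap<>()); }

    private Map<String, String> session(String sessionID) {
        Map<String, String> s = sessions.get(sessionID);
        if (s == null) throw new IllegalStateException("expired/invalid session: " + sessionID);
        return s;
    }

    // create(): store a fresh, unpredictable token, replacing any prior one
    String create(String sessionID) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session(sessionID).put(TOKEN_KEY, token);
        return token;
    }

    // isValid(): compare the submitted form token with the session token
    boolean isValid(String sessionID, Map<String, String> requestParams) {
        String formToken = requestParams.get(TOKEN_KEY);
        String sessionToken = session(sessionID).get(TOKEN_KEY);
        if (formToken == null || sessionToken == null) return false;
        // constant-time comparison so timing does not reveal how many bytes matched
        return MessageDigest.isEqual(formToken.getBytes(StandardCharsets.UTF_8),
                                     sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    // revoke(): drop the session token so a resubmitted form can no longer match
    void revoke(String sessionID) { session(sessionID).remove(TOKEN_KEY); }

    // Order-processing step: check and revoke under one lock so two concurrent
    // submits carrying the same token cannot both pass the check
    boolean processOrder(Object sessionLock, String sessionID, Map<String, String> form) {
        synchronized (sessionLock) {
            if (!isValid(sessionID, form)) return false;   // back-button / reload replay
            revoke(sessionID);                              // token is now single-use
            return true;                                    // order ran exactly once
        }
    }

    public static void main(String[] args) {
        TokenFlowDemo demo = new TokenFlowDemo();
        String sid = "sess-42";                              // constructed session id
        demo.openSession(sid);

        // page before the order form: create the token and emit it as a hidden field
        String hidden = demo.create(sid);
        Map<String, String> form = new HashMap<>();
        form.put(TOKEN_KEY, hidden);                         // what the browser posts back

        Object lock = new Object();                          // stand-in for the session object
        System.out.println("first submit:  " + demo.processOrder(lock, sid, form));
        System.out.println("reload+submit: " + demo.processOrder(lock, sid, form));
    }
}
```

Running main prints true for the first submit and false for the second: the resubmitted form still carries the old token, but the server-side copy was revoked, so the order is not rerun. Two points matter for a defender: the token must come from a cryptographic RNG so it cannot be guessed, and the validity check and the revoke must happen atomically, otherwise two requests racing with the same token can both pass isValid before either revokes.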


Field Summary
static String TransactionToken_Key
          The token is stored in the session with this key
 
Constructor Summary
TransactionToken()
           
 
Method Summary
static void create(Connection con, String sessionID)
          Creates a new transactional token.
static boolean isValid(Connection con, String sessionID, javax.servlet.http.HttpServletRequest req)
          Searches for a token in the request (under the parameter name TransactionToken_Key) and tries to match it with the corresponding token in the session.
static void main(String[] args)
           
static void revoke(Connection con, String sessionID)
          Revokes the transaction token (if any) from the session data.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

TransactionToken_Key

public static final String TransactionToken_Key
The token is stored in the session with this key

See Also:
Constant Field Values

Constructor Detail

TransactionToken

public TransactionToken()

Method Detail

create

public static void create(Connection con,
                          String sessionID)
                   throws SQLException
Creates a new transaction token. Tokens are unique per session. Calling this method more than once replaces any prior token in the session.

Parameters:
con - connection to database used by JDBCSession
sessionID - the sessionID of the client
Throws:
IllegalStateException - if the specified sessionID is expired/not valid
SQLException

revoke

public static void revoke(Connection con,
                          String sessionID)
                   throws SQLException
Revokes the transaction token (if any) from the session data.

Parameters:
con - connection to database used by JDBCSession
sessionID - the sessionID of the client
Throws:
SQLException

isValid

public static boolean isValid(Connection con,
                              String sessionID,
                              javax.servlet.http.HttpServletRequest req)
                       throws SQLException
Searches for a token in the request (under the parameter name TransactionToken_Key) and tries to match it with the corresponding token in the session. Returns true if the tokens match (and hence the token is valid), false otherwise.

Throws:
SQLException
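An added example of wiring the three documented static methods into a servlet (example code, not part of fc.web.servlet). Assumptions not on the page: the Connection comes from a JNDI DataSource at an assumed name, the client's sessionID is taken from the servlet session id, and lookupToken() is a hypothetical helper for reading the stored token back for the hidden field, since the page documents no accessor for its value. The servlet session object is used as the per-user monitor the thread-safety note calls for.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import fc.web.servlet.TransactionToken;

// Added example, not project code. Uses the documented TransactionToken API;
// openConnection(), sessionIDOf() and lookupToken() are assumptions.
public class OrderServlet extends HttpServlet {

    // GET: render the protected order form with the token as a hidden field
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String sid = sessionIDOf(req);
        try (Connection con = openConnection()) {
            String token;
            synchronized (req.getSession()) {                // higher-level synchronization
                TransactionToken.create(con, sid);           // new token, replaces any old one
                token = lookupToken(con, sid);
            }
            resp.setContentType("text/html");
            PrintWriter out = resp.getWriter();
            out.println("<form method='post' action='" + req.getRequestURI() + "'>");
            out.println("  <input type='hidden' name='" + TransactionToken.TransactionToken_Key
                    + "' value='" + token + "'>");
            out.println("  <input type='submit' value='Place order'>");
            out.println("</form>");
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // POST: run the order only if the form token matches the session token, then revoke
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String sid = sessionIDOf(req);
        boolean ran;
        try (Connection con = openConnection()) {
            synchronized (req.getSession()) {                // check + revoke as one unit
                if (TransactionToken.isValid(con, sid, req)) {
                    placeOrder(req);                          // application logic
                    TransactionToken.revoke(con, sid);        // token is now single-use
                    ran = true;
                } else {
                    ran = false;                              // reload / back-button replay
                }
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(ran ? "Order placed." : "Duplicate submission ignored.");
    }

    // ---- assumed helpers, not part of fc.web.servlet ----

    // Assumption: a container-managed DataSource bound at this JNDI name
    private Connection openConnection() throws SQLException {
        try {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/fc");
            return ds.getConnection();
        } catch (NamingException e) {
            throw new SQLException("DataSource lookup failed", e);
        }
    }

    // Assumption: JDBCSession is keyed by the servlet session id
    private String sessionIDOf(HttpServletRequest req) {
        return req.getSession().getId();
    }

    // Hypothetical: read the value stored under TransactionToken_Key from JDBCSession
    private String lookupToken(Connection con, String sid) throws SQLException {
        throw new UnsupportedOperationException("read TransactionToken_Key via JDBCSession");
    }

    private void placeOrder(HttpServletRequest req) {
        log("order placed for session " + req.getSession().getId());
    }
}
```

The doPost path is the security-relevant one: isValid and revoke run inside the same synchronized block, so a second request that arrives while the first is still processing sees the token already gone and is rejected rather than running the order twice.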

main

public static void main(String[] args)
                 throws Exception
Throws:
Exception