Handling Duplicate Form Submissions in Struts - Using Token in Struts

Using Token in Struts

Introduction

Using the various token methods provided by the base Struts Action class allows us to easily avoid the problem of allowing double submissions of forms or simply refreshing the page after a post has been made. This source code for this application is the same source code of the Struts CRUD with just a few modifications.

Requirements

This application requires an application server that implements the Servlet 2.4 and JavaServer Pages 2.0 specifications. The examples should all work on Tomcat 5.x (Discussed in next section). Please do not e-mail about getting your application to run on a server other than Tomcat. The source code (and an Ant build file) is provided for all the lessons so you should be able to build a war from the source and run it on you application server of choice.

Using the Token methods

The methods we care about are:

• saveToken(HttpServletRequest req)
• isTokenValid(HttpServletRequest req)
• resetToken(HttpServletRequest req)

The basic concept I like to follow for implementing tokens:

1. Always provide a setupForInsertOrUpdate dispatch method or indvidual Action. You could also break it up into setupForInsert and setupForUpdate if you so desire. Regardless, make sure you always go through this Action method before you go to your form.
2. In your setup method make sure to call "saveToken(request)." This puts a unique key into Session scope and will cause this token to be placed on your resulting JSP.
3. In your Action's update/insert dispatch method or your Action's execute method, make sure to first check if "isTokenValid(request)." This compares the token in Session with the one submitted through the Request. If they match, the token is valid and it's ok to procede with the update/insert. If they do not match, the user is likely simply resubmitting a stale page so we return from our action immediately.
4. We need to remember before we leave our update/insert method that we call "resetToken(request)" so that we place a new token into Session scope, otherwise the old token will remain and it will match the one on the form and will allow duplicate submisssions.

Example

The following code sections from the source you can download, demonstrates the above.

public ActionForward setUpForInsertOrUpdate(ActionMapping mapping,
ActionForm form, HttpServletRequest request, HttpServletResponse response)
throws Exception {
    logger.debug("setUpForInsertOrUpdate");
    saveToken(request);
    EmployeeForm employeeForm = (EmployeeForm)form;
    if (isUpdate(request, employeeForm)) {
        Integer id = Integer.valueOf(employeeForm.getEmployeeId());
        Employee employee = empService.getEmployee(id);
        BeanUtils.copyProperties(employeeForm, employee);
    }
    prep(request);
    return mapping.findForward(Constants.SUCCESS);
}

    public ActionForward insertOrUpdate(ActionMapping mapping,
    ActionForm form, HttpServletRequest request, HttpServletResponse response)
    throws Exception {
    logger.debug("insertOrUpdate");
    EmployeeForm employeeForm = (EmployeeForm)form;
    if ( !isTokenValid(request) ) {
        return mapping.findForward(Constants.INVALID_TOKEN);
    }
    if (validationSuccessful(request, employeeForm)) {
        Employee employee = new Employee();
        BeanUtils.copyProperties(employee, employeeForm);
        if (isUpdate(request, employeeForm)) {
            logger.debug("update");
            empService.updateEmployee(employee);
        } else {
            logger.debug("insert" );
            empService.insertEmployee(employee);
        }
        populateEmployees(request);
        resetToken(request);
        return mapping.findForward(Constants.SUCCESS);
    } else {
        prep(request);
        return mapping.findForward(Constants.FAILURE);
    }
}

Usage

After installing the app, either by deploying the war or building from the source yourself, run the application and click on the "Add Employee" link. After you add the employee you'll be brought to the list of employees and you should see the employee you entered. Now use your browser's back button to go back to the form. You should still see your data entered on the form. Hit submit and you'll see how the token helps. You can also test out the use of the token by 'refreshing' the page after you do an insert and you are brought to the employees screen. You'll probably get prompted to 'repost' - click yes.

Other ideas

There are other things you can also do besides just using the token that often help for preventing resubmits of data. You can mark form pages as non-cachable with a "no-cache, no-store" cache-control header. You can also make sure to do redirects after you submit instead of forwarding to a results page. 

Handling Multiple Submits

Handling Multiple Submits

Listing 2 was certainly an improvement, but we've still got a ways to go. A number of issues still could go wrong. What if the user pushes the back button and starts over? What if his browser has JavaScript disabled or the browser cannot handle the processing? We can still solve the problem, but instead of preventing multiple submits, we need to handle them on the back end, via the form-processing servlet.

In order to understand how to solve the multiple submit problem, we must first understand how servlets work with respect to sessions. As everyone knows, HTTP is inherently a stateless protocol. In order to handle state, we need some way for the browser to associate the current request with a larger block of requests. The servlet session provides us a solution to this problem. The HttpServlet methods doGet() and doPost() use two specific parameters: HttpServletRequest and HttpServletResponse. The servlet request parameter allows us to access what is commonly referred to as the servlet session. Servlet sessions have mechanisms for accessing and storing state information.
What exactly is a servlet session? A servlet session is a number of things, including:

• A set of state managed by the web server and represented by a specific identifier shared by all requests for a given client.
• A place to store state data, defined, at least for HttpServlets, via the HttpSession interface.

Before we look at how to solve our problem with a server-side solution, we need to understand the servlet session lifecycle. As with EJBs and other server side entities, servlet sessions go through a defined set of states during their lifetime. The figure below shows the lifecycle of a servlet session. Servlets move through three distinct states: does not exist, new, and not new or in-use.
Figure 3: Servlet session lifecycle

1. Initially, a servlet session does not exist. A session starts here or returns to this state for a number of reasons. Most likely, the user has never accessed the state before or the session was invalidated because the user left the site (timed out) or explicitly left (logged out).
2. Sessions move from does not exist to new when the session is first created. The distinction between new and not new is important because of the fact the HTTP is stateless. According to the servlet specification, sessions cannot move to not new (from being a prospective session to an actual session) until the client returns the session to the server. Thus a session is new because the client does not yet know about it or the client decides not to join the session.
3. When the session is returned to the server via a cookie or URL re-writing (more on that in a moment), then the session becomes in use or not new.
4. Continued use of the session, via its various get and set methods, result in the session remaining in use.
5. Transitions 5 and 6 happen when a session times out due to inactivity or a session is explictly invalidated. Application servers handle timeouts in a variety of ways. BEA WebLogic Server allows the application deployer the ability to set the session timeout via a special deployment descriptor (weblogic.xml) packaged with the web application.

NOTE: Careful use of getSession(true) At first glance it appears that we should always use getSession(true). However, you should be careful in that a denial-of-service attack can be allowed by always creating new sessions on demand. An unscrupulous user could discover your site was creating sessions and flood it with new session requests. By using getSession(false) and then redirecting to a login page when a session is not detected, you can protect against such an attack. In addition, there are many other interesting methods on HttpSession objects, such as isNew(), getAttribute(), setAttribute(), etc. The interested reader is pointed to the servlet specification for an exhaustive review.

Now that we understand the lifecycle of a session, how do we go about obtaining a session and using it to our advantage? The HttpServletRequest interface provides two methods for working with sessions:

• public HttpSession getSession() always returns either a new session or an existing session.
  getSession() returns an existing session if a valid session ID was somehow provided (perhaps via a cookie). It returns a new session in several cases: the client's initial session (no session ID provided), a timed-out session (session ID provided), an invalid session (session ID provided), or an explictly invalidated session (session ID provided).
• public HttpSession getSession(boolean) may return a new session, an existing session, or null.
  getSession(true) returns an existing session if possible. Otherwise it creates a new session. getSession(false) returns an existing session if possible and otherwise returns null.
  

We have still only solved half of the problem at hand. We'd like to be able to skip over the "session new" state and move to the "session in use" state automatically. We can achieve this by redirecting the browser to the handling servlet automatically. Listing 3 combines servlet session logic with the ability to redirect clients with valid sessions to the handling servlet.
Listing 3: RedirectServlet.java

01: package multiplesubmits;
02:
03: import java.io.*;
04: import java.util.Date;
05: import javax.servlet.*;
06: import javax.servlet.http.*;
07:
08: public class RedirectServlet extends HttpServlet{
09:  public void doGet (HttpServletRequest req, HttpServletResponse res)
10:   throws ServletException, IOException {
11:   HttpSession session = req.getSession(false);
12:   System.out.println("");
13:   System.out.println("-------------------------------------");
14:   System.out.println("SessionServlet::doGet");
15:   System.out.println("Session requested ID in Request:" +
16:   req.getRequestedSessionId());
17:   if ( null == req.getRequestedSessionId() ) {
18:    System.out.println("No session ID, first call,
        creating new session and forwarding");
19:    session = req.getSession(true);
20:    System.out.println("Generated session ID  in Request: " +
21:     session.getId());
22:    String encodedURL = res.encodeURL("/RedirectServlet");
23:    System.out.println("res.encodeURL(\"/RedirectServlet\");="
        +encodedURL);
24:    res.sendRedirect(encodedURL);
25: //

26:    // RequestDispatcher rd = getServletContext().getRequestDispatcher(encodedURL);
27:    // rd.forward(req,res);

28: //
29:    return;
30:   }
31:   else {
32:    System.out.println("Session id = " +
     req.getRequestedSessionId() );
33:     System.out.println("No redirect required");
34:   }
35:
36:   HandleRequest(req,res);
37:   System.out.println("SessionServlet::doGet returning");
38:   System.out.println("------------------------------------");
39:   return;
40:  }
41:
42:  void HandleRequest(HttpServletRequest req, HttpServletResponse res)
43:  throws IOException {
44:   System.out.println("SessionServlet::HandleRequest  called");
45:   res.setContentType("text/html");
46:   PrintWriter out = res.getWriter();
47:   Date date = new Date();
48:   out.println("<html>");
49:   out.println("<head><title>Ticket Confirmation</title></head>");
50:   out.println("<body>");
51:   out.println("<h1>The Current Date And Time  Is:</h1><br>");
52:   out.println("<h3>" + date.toString()  + "</h3>");
53:   out.println("</body>");
54:   out.println("</html>");
55:   System.out.println("SessionServlet::HandleRequest returning");
56:   return;
57:  }
58: }

Just how does this solve our problem? Examining the code closely shows that on line 11 we try to obtain a session handle. On line 17 we identify that an active session exists by checking the session ID for null, or by checking for a valid session ID. Either method suffices. Lines 18-29 are executed if no session exists. We handle the multiple submit problem by first creating a session as shown on line 19, using URL encoding to add the new session ID as shown on line 22, and then redirecting our servlet to the newly encoded URL, as shown on line 24.

NOTE: forward Vs. sendRedirect Lines 26 & 27, while commented out, are shown as an example of something not to do. On first glance, forward seems to be a better solution to our problem because it does not cause a round trip to the browser and back. However, forward comes at a price; the new session ID is not attached to the URL. Using forward would cause the servlet to be called over and over in a loop, ultimately killing the application server.

Readers unfamiliar with URL rewriting are directed to lines 15 and 23. An HttpServlet object has the ability to rewrite a URL. This process inserts a session ID into a URL. The underlying application server can then use the encoded URL to provide an existing session automatically to a servlet or JSP. Depending on the application server, you may need to enable URL rewriting for the above example to work!

Conclusion

In this article, we discussed several solutions to the multiple submit problem. Each solution has its positive and negative aspects. When solving problems, the various pros and cons of a solution must be clearly understood to assess the value of each tradeoff. Our final example had the benefit of solving the problem at hand at the cost of an extra client round trip. The JavaScript solution was the most elegant, but required client support to work. As with any problem, there are often a world of solutions, each one with its own trade-offs. By understanding the trade-offs of a given solution, we can make the most informed choice for a given problem.