How to avoid Duplicate Page Submission in struts 1.3

Duplicate form submissions can occur in many ways:
-> The user presses the browser's Refresh button after submitting
-> The user presses the Submit button more than once
-> The user uses the browser's Back button to return to the form and resubmits it
-> The user re-opens the form from the browser history and resubmits it
-> A malicious user sends the victim a link to a crafted copy of the same page (for example the UserAdd page) whose form is pre-filled to add the attacker's own user. When the victim opens the crafted page, one more user is added without the victim intending it. This is the cross-site request forgery case, and the token scheme below defeats it only because the attacker cannot know the value stored in the victim's session.

Steps to solve Duplicate Submission:

1) Generate a unique random value (the token) before loading the page.
2) Store the token in the session and pass the same value to the JSP page as a hidden form parameter.
3) When the user submits the page, in the process method check whether a token is present in the session and whether it equals the hidden parameter. If both are present and equal, this is the first submission: proceed, and then remove the token from the session. If there is no token in the session or the two values differ, forward to an error page that displays a "Duplicate submission" message. (After the first submission the token is removed from the session, but the already rendered JSP still carries the old value, so when the page is refreshed the hidden parameter no longer matches the session and the duplicate page is shown.)
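The three steps above, as an added standalone example that is not Struts code and not part of the original article: a plain Java class that generates, stores, checks and clears a synchronizer token. The class name FormTokenDemo, the HashMap objects standing in for HttpSession and the request parameters, and the use of SecureRandom for the token are assumptions of this example (Struts' own TokenProcessor derives the token differently). Only the attribute name is taken from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not Struts code: the three steps as a standalone
 * synchronizer-token check. A HashMap stands in for HttpSession and for the
 * request parameters; the token comes from SecureRandom (an assumption of
 * this example, Struts' TokenProcessor derives it differently).
 */
public class FormTokenDemo {

    /** Session attribute / hidden field name, the same one Struts 1 uses. */
    static final String TOKEN_KEY = "org.apache.struts.taglib.html.TOKEN";

    private static final SecureRandom RNG = new SecureRandom();

    /** Steps 1 and 2: make a fresh token, keep it in the session, hand it to the page. */
    static String saveToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String token = hex.toString();
        session.put(TOKEN_KEY, token);
        return token; // the JSP embeds this as the hidden TOKEN_KEY field
    }

    /**
     * Step 3: the submission is accepted only when the session still holds a
     * token and the request carries the same value; the token is then removed
     * so any replay (refresh, back button, double click) is rejected.
     * Check and removal run under one lock on the session, so two concurrent
     * posts from the same session cannot both pass.
     */
    static boolean isTokenValid(Map<String, Object> session, Map<String, String> request) {
        synchronized (session) {
            String saved = (String) session.get(TOKEN_KEY);
            String sent = request.get(TOKEN_KEY);
            if (saved == null || sent == null) {
                return false;
            }
            byte[] a = saved.getBytes(StandardCharsets.UTF_8);
            byte[] b = sent.getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(a, b)) { // constant-time comparison
                return false;
            }
            session.remove(TOKEN_KEY); // single use: step 3's reset
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<String, Object>();

        // Loading the page: the form receives the token.
        String token = saveToken(session);
        Map<String, String> post = new HashMap<String, String>();
        post.put("empName", "Alice");      // constructed form data
        post.put(TOKEN_KEY, token);

        System.out.println("first submit accepted:  " + isTokenValid(session, post));
        // Same form posted again (refresh / back button): the session token is gone.
        System.out.println("resubmit accepted:      " + isTokenValid(session, post));

        // Crafted page from another site (last case in the list above): the
        // attacker cannot read the token in the victim's session, so only a
        // guess can be sent.
        saveToken(session);
        Map<String, String> forged = new HashMap<String, String>();
        forged.put("empName", "mallory");
        forged.put(TOKEN_KEY, "00000000000000000000000000000000");
        System.out.println("forged submit accepted: " + isTokenValid(session, forged));
    }
}
```

Compile and run with javac FormTokenDemo.java and java FormTokenDemo. The first post is accepted and clears the token; the replayed post and the forged post are both rejected. The defence against the crafted page holds only while the token is unguessable and tied to the victim's own session, which is why the example draws it from SecureRandom rather than from anything an attacker could reconstruct.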

Now let us see the Struts code for the above steps. Struts provides predefined methods in org.apache.struts.action.Action that do this job: saveToken(request), isTokenValid(request, true) and resetToken(request). saveToken(request) generates the random token and stores it in the session; the <html:form> tag then renders it into the page automatically as a hidden field named org.apache.struts.taglib.html.TOKEN. It should be called in the loading method. isTokenValid(request, true) compares the hidden field with the session value and, when they match, removes the token from the session (the second argument is the reset flag). resetToken(request) removes the token explicitly and is only needed if you validate with the reset flag set to false.

In our example we use a DispatchAction. It has two methods: loadEmpDetails, which loads the employee page, and ProcessEmpDetails, which processes the submitted form.

In the processing method, the following lines are added before any work is done:

if (!isTokenValid(request, true)) // compare the hidden field with the session token; reset it on success
{
    strTarget = "duplicate";
    forward = mapping.findForward(strTarget);
    return (forward);
}
// The reset flag above has already removed the token from the session, so a
// separate resetToken(request) call at this point is redundant (harmless, but unnecessary).
..
..
..

loadEmpDetails

package test.javaonline.actions;

import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.actions.DispatchAction;

// EmpForm (the form bean) and EmpDAO (the data access class) are the
// application's own classes and are assumed to be available in this package.
public class EmpAction extends DispatchAction {

    // Loading method: invoked with method=loadEmpDetails
    public ActionForward loadEmpDetails(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {

        ActionErrors errors = new ActionErrors();
        EmpForm empForm = (EmpForm) form;
        String target = "employee";
        List desigList;

        try {
            // Steps 1 and 2: generate the token and store it in the session.
            // <html:form> in Employee.jsp renders it as the hidden
            // org.apache.struts.taglib.html.TOKEN field.
            saveToken(request);

            EmpDAO empDao = new EmpDAO();
            desigList = empDao.loadDesigList();
            // ...
            // ....
        } catch (Exception e) {
            // ActionError is deprecated since Struts 1.2; ActionMessage replaces it.
            errors.add("name", new ActionMessage("error.dup"));
            target = "error";
        }
        if (!errors.isEmpty()) {
            saveErrors(request, errors);
        }

        return mapping.findForward(target);
    }

ProcessEmpDetails

................................

    // Processing method: invoked with method=ProcessEmpDetails
    public ActionForward ProcessEmpDetails(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {

        ActionErrors errors = new ActionErrors();
        String target = "acknowledgementEmp";

        try {
            // Step 3: the session token and the hidden field must both exist and match.
            // The reset flag (true) removes the token from the session on success, so a
            // refresh, back-button resubmit or double click fails this check; no separate
            // resetToken(request) call is needed afterwards.
            if (!isTokenValid(request, true)) {
                return mapping.findForward("duplicate");
            }

            EmpForm empForm = (EmpForm) form;
            // ....
            // ....
            // .....
        } catch (Exception e) {
            errors.add("name", new ActionMessage("error.dup"));
            target = "error";
        }
        if (!errors.isEmpty()) {
            saveErrors(request, errors);
        }

        return mapping.findForward(target);
    }

}

In Struts-config.xml

 <action-mappings>
  <action name="empForm" path="/employee" type="test.javaonline.actions.EmpAction" parameter="method">
  <forward name="employee" path="/Employee.jsp"></forward>
  <forward name="acknowledgementEmp" path="/AcknowledgeEmp.jsp"></forward>
  <forward name="duplicate" path="/Duplicate.jsp"></forward>
  </action>
 </action-mappings> 

For loading the Employee JSP : http://localhost:8080/javaonline/employee.do?method=loadEmpDetails

A sample token generated and passed to the JSP page may look like: org.apache.struts.taglib.html.TOKEN=3440cfc4fd1779353a853dfba07ef3cc. The <html:form> tag writes it into the page as <input type="hidden" name="org.apache.struts.taglib.html.TOKEN" value="3440cfc4fd1779353a853dfba07ef3cc">. Struts' TokenProcessor derives this value as the hex MD5 digest of the session ID and the current time, so it is only as unguessable as the session ID itself; that is the same trust boundary as the session, but it is worth knowing when you rely on the token as the crafted-page (CSRF) defence.

Employee.jsp, Duplicate.jsp, AcknowledgeEmp.jsp and error.jsp are left for you to create. Employee.jsp must build its form with the <html:form> tag (posting to /employee.do with method=ProcessEmpDetails) so that the hidden token field is rendered, and error.jsp must be reachable through a global forward named "error", since the action mapping above declares no such forward.
