The filter solution does use a unique token on the form and you can disable the filter by not including the token on a form. I did have to add logic to the posted solution to handle errors but even with that code included the code seems to be non-invasive -- all it does is check for form variable and continues normal processing or blocks duplicate requests while "caching" the response (sounds more complicated than it is)
i do see what you mean about the security concern and someone being able to manipulate a post to get past the filter, trying to think of solutions to this problem maybe something where the form included a secure key in a hidden variable and having some sort of check which could determine if a key had been used already if form is secure -- check for valid and unique key -- if key is valid then process the form and expire the key -- don't let another request pass through after key is expired or absent above solution does require the ability to mark certain forms as secure on the server side. with security in place i think the filter solution could be a complete server side solution. I know you mentioned possible side effects did you have anything specific in mind? Bottom line is that there should be a server side solution to this problem in tapestry that is secure and non-invasive. I encourage others to post their ideas in an effort to come to some sort of agreement on best way to accomplish this. -john On 11/15/06, Sam Gendler <[EMAIL PROTECTED]> wrote:
That seems like a complex solution to the problem which does things in a filter, where it might be difficult to predict side effects or override the behaviour in certain circumstances. I'd be more inclined to implement a unique token solution in a base page class so that I could overload it in certain pages, if necessary. Simplest solution, but not entirely error proof, would be to stick a unique token in the form (I'm not use you can use a session persistent property in the page, as I don't know when those get written into the session - possibly only after the page is finished processing). Then, when processing any form, check the session location for a token, if it matches, just send back a page saying "don't do that." If it isn't found, assume that this is the first time you've seen the form and go ahead and process it. You can add increasing complexity to such a solution depending on what kind of user experience you want and how error-proof you want it. The filter trick is cute, since you can actually serve the same response to multiple requests, but that is often not necessary and sometimes not even desired and it takes too much logic out of the core application for my own comfort level. But disabling a button can be pretty effective against all but an actually malicious user (does anyone build javascript-free web apps these days, especially in tapestry?), and a malicious user can override a unique token all too easily, anyway. If there is a true security or data integrity concern, you'll have to do something that is entirely on the server side in order to prevent manipulation by someone with the smarts to interpret an html file and manually send a post. --sam On 11/15/06, John Menke <[EMAIL PROTECTED]> wrote: > Is there a non-javascript solution to this problem? I have been > experimenting with code based on the forum post below. Has anyone developed > a solution for Tapestry? I propose some sort of consensus should > be reached as to what the best method is to handle double submits and a > patch should be made for Tapestry. Any comments? Ideas? > > <quote from Forum Post> > There is a server-side solution for this problem. Here is the concept: > Build a way to identify each form from which a request (or multiple > requests, if the form button is clicked several times) arrives. This can be > done by having a hidden input element included in the form, whose value is a > unique number (typically using the time in milliseconds). > > Write a filter implementing the javax.servlet.Filter interface, with the > following logic in the doFilter() method: > Synchronize a code block on a session-scoped object. Inside this block, > check if the form-id received through the current request is same as the one > received previously. > If different, this is the first request received from the form (i.e. the > request originated as a result of the first click). If same, this is a > subsequent request, generated as a result of multiple clicks. > > In the first case, invoke FilterChain.doFilter() by passing a > ResponseWrapper object instead of the original response object. This > ResponseWrapper object should be built with a ByteArrayOutputStream object, > so that the response content can be extracted as a String. When the > FilterChain.doFilter() method returns, save the response content and the > current form-id in session-scope, for subsequent requests and leave the > synchronized block. > > Then outside the synchronized block, forward all the requests (including the > first one) to a "LoopBackServlet" with the original "request" and "response" > objects. The whole purpose of this "LoopBackServlet" is to write the saved > response content into the response object. > > In this way, when multiple requests arrive from the same form as a result of > multiple clicks, we let the first request thread proceed, with a > response-wrapper and block all the other threads. When the first thread > returns with the response ready, the response content is stored in session > and the same is written to all the blocked threads when they become > unblocked. > > If anybody wants more details, please email me at [EMAIL PROTECTED], I can > send the working code. > > > </quote from Forum Post> > > http://forum.java.sun.com/thread.jspa?threadID=665472&start=15&tstart=0 > > > > On 11/15/06, Denis McCarthy <[EMAIL PROTECTED]> wrote: > > > > I was looking for a sledgehammer to crack a nut. That's how I ended up > > doing it (after spending the day looking for an enterprisey solution!) > > Thanks > > Denis > > > > Jesse Kuhnert wrote: > > > Why don't you just disable the submit buttons in question when they > > submit? > > > (set the disabled attribute to true) > > > > > > On 11/15/06, Denis McCarthy <[EMAIL PROTECTED]> wrote: > > >> > > >> Hi, > > >> I'm encountering a problem in my app where users are double submitting > > a > > >> form, creating a hibernate exception in the back end where two > > >> sessions are attempting to update the same collection. I've read some > > >> posts about preventing form resubmission by using a unique token in the > > >> form to detect a double submit. > > >> > > >> If a double submit is detected, the second and subsequent submits wait > > >> until the original one returns and then report the outcome of that > > >> transaction (if I understand correctly, it's the last submit that > > issues > > >> the response to the user, and the first one does the updating). > > >> > > >> I'm wondering > > >> a) is this indeed the right approach to stop users who are > > >> over-enthusiastic in their button clicking from encountering errors, > > and > > >> b) does anyone have an actual example of code that implements this > > >> pattern? > > >> Thanks very much > > >> Denis Mc. > > >> > > >> --------------------------------------------------------------------- > > >> To unsubscribe, e-mail: [EMAIL PROTECTED] > > >> For additional commands, e-mail: [EMAIL PROTECTED] > > >> > > >> > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
