
1   /*
2    * Copyright 2004-2010 the Seasar Foundation and the Others.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
13   * either express or implied. See the License for the specific language
14   * governing permissions and limitations under the License.
15   */
16  
17  package org.seasar.cubby.tags;
18  
19  import static org.seasar.cubby.tags.TagUtils.toAttr;
20  
21  import java.io.IOException;
22  
23  import javax.servlet.http.HttpServletRequest;
24  import javax.servlet.http.HttpSession;
25  import javax.servlet.jsp.JspException;
26  import javax.servlet.jsp.JspWriter;
27  import javax.servlet.jsp.PageContext;
28  
29  import org.seasar.cubby.internal.util.StringUtils;
30  import org.seasar.cubby.internal.util.TokenHelper;
31  import org.seasar.cubby.validator.validators.TokenValidator;
32  
33  /**
34   * 2重サブミット防止用の <code>&lt;input type="hidden"/&gt;</code> タグを出力するタグ。
35   * <p>
36   * このタグが呼び出されると一意なトークン文字列を生成して hidden とセッションに格納します。 サブミットされた先の処理の検証フェーズで、ポストされた
37   * hidden 値とセッション中の値を比較して、 一致しない場合、不正な経路からのアクセスとみなしてエラー処理を行います。
38   * </p>
39   * 
40   * @see TokenValidator#validate(org.seasar.cubby.validator.ValidationContext,
41   *      Object[])
42   * @author agata
43   */
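public class TokenTag extends DynamicAttributesSimpleTagSupport {

	// Value of the tag's "name" attribute; when null/empty the rendered
	// hidden field falls back to TokenHelper.DEFAULT_TOKEN_NAME.
	private String name;

	/**
	 * Sets the {@code name} attribute.
	 *
	 * @param name
	 *            the name of the rendered hidden field; if {@code null} or
	 *            empty, {@link TokenHelper#DEFAULT_TOKEN_NAME} is used
	 */
	public void setName(final String name) {
		this.name = name;
	}

	/**
	 * {@inheritDoc}
	 * <p>
	 * Generates a fresh token with {@link TokenHelper#generateGUID()}, stores
	 * it in the current session via {@link TokenHelper#setToken} and writes
	 * an {@code <input type="hidden"/>} carrying the same token, so that the
	 * validation phase can compare the posted value with the session value.
	 * </p>
	 */
	@Override
	public void doTag() throws JspException, IOException {
		// Fetch and cast the JSP context once (it was previously obtained
		// twice under two different local names).
		final PageContext pageContext = (PageContext) getJspContext();
		final JspWriter out = pageContext.getOut();

		final String token = TokenHelper.generateGUID();
		final HttpServletRequest request = (HttpServletRequest) pageContext
				.getRequest();
		// getSession() creates a session if none exists yet; the token must
		// be stored server-side so the validator can find it on submit.
		final HttpSession session = request.getSession();
		TokenHelper.setToken(session, token);

		// NOTE(review): the field name is written into the attribute as-is.
		// It is a tag attribute supplied by the page author, which is fine
		// as long as it is never derived from request data -- confirm.
		out.append("<input type=\"hidden\" name=\"");
		if (StringUtils.isEmpty(name)) {
			out.append(TokenHelper.DEFAULT_TOKEN_NAME);
		} else {
			out.append(name);
		}
		out.append("\" value=\"");
		out.append(token);
		out.append("\" ");
		// Remaining dynamic attributes are rendered by TagUtils.toAttr.
		out.write(toAttr(getDynamicAttributes()));
		out.append("/>");
	}

}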