
1   /*
2    * Copyright 2004-2008 the Seasar Foundation and the Others.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
13   * either express or implied. See the License for the specific language
14   * governing permissions and limitations under the License.
15   */
16  package org.seasar.cubby.tags;
17  
18  import static org.seasar.cubby.tags.TagUtils.toAttr;
19  
20  import java.io.IOException;
21  
22  import javax.servlet.http.HttpServletRequest;
23  import javax.servlet.http.HttpSession;
24  import javax.servlet.jsp.JspException;
25  import javax.servlet.jsp.JspWriter;
26  import javax.servlet.jsp.PageContext;
27  
28  import org.seasar.cubby.controller.ThreadContext;
29  import org.seasar.cubby.util.TokenHelper;
30  import org.seasar.cubby.validator.validators.TokenValidator;
31  import org.seasar.framework.message.MessageFormatter;
32  import org.seasar.framework.util.StringUtil;
33  
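/**
 * Tag that writes an {@code <input type="hidden"/>} used to guard against
 * double submits.
 * <p>
 * Each evaluation generates a fresh, unique token, stores it in the
 * {@link HttpSession} and writes it as the value of the hidden field. The
 * validation phase of the target action compares the posted hidden value
 * with the session value; a mismatch is treated as a request from an
 * illegitimate path and handed to error processing.
 * </p>
 * <p>
 * Security notes:
 * <ul>
 * <li>The token comes from {@link TokenHelper#generateGUID()}. Its strength as
 * an unguessable value depends entirely on that helper (not visible here); it
 * should be backed by a cryptographically secure source such as
 * {@code SecureRandom}, otherwise the check degrades to double-submit
 * protection only.</li>
 * <li>The {@code name} attribute is written into an HTML attribute and is
 * attribute-escaped before output. Dynamic attributes are rendered by
 * {@code TagUtils.toAttr}; whether that helper escapes is not visible here.</li>
 * <li>{@link HttpServletRequest#getSession()} creates a session when none
 * exists, so rendering this tag always results in a session.</li>
 * </ul>
 * </p>
 * 
 * @see TokenValidator#validate(org.seasar.cubby.validator.ValidationContext,
 *      Object[])
 * @author agata
 * @since 1.0.0
 */
public class TokenTag extends DynamicAttributesTagSupport {

	/** The {@code name} attribute; {@code null} or empty selects the default token name. */
	private String name;

	/**
	 * Sets the {@code name} attribute, i.e. the request-parameter name under
	 * which the token is posted back.
	 * 
	 * @param name
	 *            the {@code name} attribute; {@code null} or empty falls back
	 *            to {@link TokenHelper#DEFAULT_TOKEN_NAME}
	 */
	public void setName(final String name) {
		this.name = name;
	}

	/**
	 * {@inheritDoc}
	 * <p>
	 * Resolves the current request, generates a token, registers it in the
	 * session and only then writes the hidden field, so that a failure to
	 * register the token leaves no half-written {@code <input>} in the page.
	 * </p>
	 * 
	 * @throws IllegalStateException
	 *             if no request is bound to the current thread (message
	 *             {@code ECUB0401})
	 */
	@Override
	public void doTag() throws JspException, IOException {
		// Fail before producing any output: a hidden field whose token was
		// never stored in the session is worthless and would confuse callers.
		final HttpServletRequest request = ThreadContext.getRequest();
		if (request == null) {
			throw new IllegalStateException(MessageFormatter.getMessage("ECUB0401", null));
		}

		final String token = TokenHelper.generateGUID();
		final HttpSession session = request.getSession();
		TokenHelper.setToken(session, token);

		final String fieldName = StringUtil.isEmpty(name) ? TokenHelper.DEFAULT_TOKEN_NAME : name;

		final PageContext context = (PageContext) getJspContext();
		final JspWriter out = context.getOut();
		out.append("<input type=\"hidden\" name=\"");
		// The field name is tag input (possibly an EL expression), so escape it
		// for the double-quoted attribute context rather than writing it raw.
		out.append(escapeAttribute(fieldName));
		out.append("\" value=\"");
		// The token is server-generated by TokenHelper and written as-is.
		out.append(token);
		out.append("\" ");
		out.write(toAttr(getDynamicAttribute()));
		out.append("/>");
	}

	/**
	 * Escapes the characters that could terminate or alter a double-quoted
	 * HTML attribute value. Browsers decode the entities back, so the
	 * parameter name seen on submit is unchanged.
	 * 
	 * @param value
	 *            raw attribute value, never {@code null}
	 * @return the attribute-safe form of {@code value}
	 */
	private static String escapeAttribute(final String value) {
		final StringBuilder sb = new StringBuilder(value.length() + 8);
		for (int i = 0; i < value.length(); i++) {
			final char c = value.charAt(i);
			switch (c) {
			case '&':
				sb.append("&amp;");
				break;
			case '<':
				sb.append("&lt;");
				break;
			case '>':
				sb.append("&gt;");
				break;
			case '"':
				sb.append("&quot;");
				break;
			case '\'':
				sb.append("&#39;");
				break;
			default:
				sb.append(c);
			}
		}
		return sb.toString();
	}
}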
88  }