Struts2 Token Interceptor Example

Struts 2 token interceptor can be used to handle multiple form submission problem. While designing web application, sometimes we have to make sure that double form submission is treated as duplicate request and not be processed. For example, if user reloads the online payment form and there are not enough checks in place to identify it as duplicate request, customer will be charged twice.

Double form submission problem handling needs to be done both at client side and server side. In client side, we can disable the submit button, disable back button but there will always be options through which user can send the form data again. Struts2 provides token interceptors that are designed to deal with this particular problem.

Struts2 Token Interceptor

There are two interceptors defined in struts-default package as:

These interceptors are not part of any predefined interceptor stack because if we add it for any action, the form submitted should have a token parameter else it will throw exception. We will look it’s usage with a simple project. Final project structure will look like below image.


Struts2 Token Interceptor Example Configuration Files


Deployment descriptor is configured to use Struts 2 framework.


The web application is configured as maven project where we have added struts2-core dependency.


  1. We can use either token interceptor or tokenSession interceptor with any action.
  2. If token interceptor identifies the request as duplicate, then it returns the result invalid.token, that’s why we have a result configured for this.
  3. If form field validation fails then input result is returned where we are returning the same page from where we get the request.

We will look into the complete flow once we have seen the implementation and application behavior with duplicate request.

Struts2 Token Interceptor Example Action Class

A simple action class with basic form fields validation and some java bean properties. Notice that update time is set by action class, it has been added to show the application behavior when we use tokenSession interceptor.

Struts2 Token Interceptor Example JSP Pages


The entry point of the application from where user will submit form to update some information. We are using actionerror tag to show any validation errors added by the application. The most important point to note is s:token tag that will be used by token interceptors in making sure duplicate requests are not getting processed.


Simple JSP page showing action class java bean properties.


Simple JSP page showing different methods that can cause multiple form submissions, notice the actionerror tag usage.

Now when we will run our application, we will see following pages as response in the same order.


If you will look into the source of input page, you will see that Struts2 API has converted token tag to following HTML snippet.

Also you will notice following logs snippet.

Notice that duplicate request doesn’t even reach to action class and token interceptor returns the invalid.token page as response.

If you will use tokenSession interceptor, you will notice that it returns the same response as the first request. You can confirm this by going back and edit form fields and then submitting form again. The response update time and field values will be old values as sent in the first request.

How Struts2 Token Interceptor Works

Now let’s see how token interceptor works to handle multiple form submissions.

  1. When a request is made to the update action, Struts2 tags API generates a unique token and set it to the session. The same token is sent in the HTML response as hidden field.
  2. When the form is submitted with token, it is intercepted by token interceptor where it tries to fetch the token from the session and validate that it’s same as the token received in the request form. If token is found in session and validated then the request is forwarded to the next interceptor in the chain. Token interceptor also removes the token from the session.
  3. When the same form is submitted again, token interceptor will not find it in the session. So it will add an action error message and return invalid.token result as response. You can see this message in above image for invalid_token.jsp response. This way token interceptor make sure that a form with token is processed only once by the action.
  4. If we use tokenSession interceptor, rather than returning invalid token response, it tries to return the same response as the returned by the first action with same token. This implementation is done in the TokenSessionStoreInterceptor class that saves the response for each token in the session.
  5. We can override the action error message sent by token interceptor through i18n support with key as “struts.messages.invalid.token”.

Thats all for the usage of Struts2 token interceptor to handle multiple form submission problem in web application. Download the application from below link and play around with it for better understanding.

By admin

Leave a Reply

%d bloggers like this: