Originally posted by Nicholas Cheung:
Is the session token mechanism implemented and applied automatically? Do I need to set anything in the configuration file (like validation), or does it really do everything automatically?
No, it doesn't get applied automatically. You need to call Action#saveToken(HttpServletRequest) in your Action class to mark the start of a "transaction" you want to be submitted only once. Then, when you're ready to submit the transaction, call Action#isTokenValid(HttpServletRequest, boolean) to determine whether the transaction token is still valid (if it isn't, you know that the transaction has been processed once already).
Disclaimer: I have only written some practice code using this technique so I'm not sure how well it suits real-world situations.
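The two calls described in the reply above, shown in a Struts 1.x action. This is an added example, not code from the original posts; the class name, the method names, the forward names ("form", "duplicate", "success") and performTransfer() are hypothetical, and the JSP is assumed to use the <html:form> tag, which writes the saved token into the page as a hidden field.

```java
// Added example: class, method and forward names are hypothetical.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

public class TransferAction extends DispatchAction {

    // Step 1: show the form. saveToken() generates a fresh token and
    // stores it in the user's session; <html:form> on the JSP then sends
    // it back with the submit as a hidden request parameter.
    public ActionForward edit(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        saveToken(request);
        return mapping.findForward("form");
    }

    // Step 2: process the submit exactly once.
    public ActionForward save(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // isTokenValid() returns false when there is no session, no token
        // in the session, no token in the request, or the two differ.
        // reset=true clears the session token as part of the check, so a
        // second submit carrying the same token fails.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("duplicate");
        }
        performTransfer(form);
        return mapping.findForward("success");
    }

    // Hypothetical placeholder for the work that must run only once.
    protected void performTransfer(ActionForm form) throws Exception {
        // application-specific processing
    }
}
```

Because the token lives in the session and is cleared on the first valid submit, a double click, a browser refresh or a replayed request reaches the "duplicate" forward instead of repeating the work.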