com.atlassian.confluence.security.service

Interface XsrfTokenService

All Known Implementing Classes:

DefaultXsrfTokenService

public interface XsrfTokenService

To be used in scenarios where the XsrfTokenInterceptor can not be applied.

The above mentioned XsrfTokenInterceptor, configured in the default stack, is the preferred method for securing XWork controllers (actions) against XSRF abuse.

This service should be used for the following scenarios instead:

• Servlets, as they have no notion of XWork
• Controllers handling Content-Type: multipart/form-data, as the underlying MultiPartRequestWrapper decoding the parts may escape on construction due to e.g. exceeding the maximum file size. Since the token will be encoded in a part, the token check would fail thus hiding the root cause.

Since:

5.1.4

Method Summary

Modifier and Type	Method and Description
com.atlassian.fugue.Pair<String,String>	generate(javax.servlet.http.HttpServletRequest request) Generate and bind a token pair to the session.
com.atlassian.fugue.Maybe<Message>	validate(javax.servlet.http.HttpServletRequest request) Validate if the given request contains the token bound to the request's session.

Method Detail

generate

com.atlassian.fugue.Pair<String,String> generate(javax.servlet.http.HttpServletRequest request)

Generate and bind a token pair to the session.

Parameters:

request - the request used to identify the session, will be created if none is present

Returns:

a token pair to be used for the modifying request, containing the parameter key in the left part and the token value in the right part

validate

com.atlassian.fugue.Maybe<Message> validate(javax.servlet.http.HttpServletRequest request)

Validate if the given request contains the token bound to the request's session.

Parameters:

request - the request used to identify the session and containing the token parameter

Returns:

maybe error messages, thus Maybe.isEmpty() indicates a successful flow