Interface XsrfTokenService
All Known Implementing Classes: DefaultXsrfTokenService

public interface XsrfTokenService
To be used in scenarios where the XsrfTokenInterceptor cannot be applied.

The XsrfTokenInterceptor, configured in the default stack, is the preferred method for securing XWork controllers (actions) against XSRF abuse. This service should be used for the following scenarios instead:
- Servlets, as they have no notion of XWork.
- Controllers handling Content-Type: multipart/form-data, as the underlying MultiPartRequestWrapper decoding the parts may abort on construction, e.g. because the maximum file size is exceeded. Since the token is encoded in a part, the token check would then fail, hiding the root cause.
Since: 5.1.4

Method Summary

| Modifier and Type | Method | Description |
| --- | --- | --- |
| com.atlassian.fugue.Pair<String,String> | generate(javax.servlet.http.HttpServletRequest request) | Deprecated. since 7.0.1. |
| default io.atlassian.fugue.Pair<String,String> | generateToken(javax.servlet.http.HttpServletRequest request) | Generate and bind a token pair to the session. |
| com.atlassian.fugue.Maybe<Message> | validate(javax.servlet.http.HttpServletRequest request) | Deprecated. since 7.0.1. |
| default Optional<Message> | validateToken(javax.servlet.http.HttpServletRequest request) | Validate if the given request contains the token bound to the request's session. |

Method Detail

generate
@Deprecated com.atlassian.fugue.Pair<String,String> generate(javax.servlet.http.HttpServletRequest request)
Deprecated. since 7.0.1. Use generateToken(HttpServletRequest)
Generate and bind a token pair to the session.
- Parameters:
  request - the request used to identify the session; a session will be created if none is present
- Returns:
  a token pair to be used for the modifying request, containing the parameter key in the left part and the token value in the right part

generateToken
default io.atlassian.fugue.Pair<String,String> generateToken(javax.servlet.http.HttpServletRequest request)
Generate and bind a token pair to the session.
- Parameters:
  request - the request used to identify the session; a session will be created if none is present
- Returns:
  a token pair to be used for the modifying request, containing the parameter key in the left part and the token value in the right part
- Since:
  7.0.1

validate
@Deprecated com.atlassian.fugue.Maybe<Message> validate(javax.servlet.http.HttpServletRequest request)
Deprecated. since 7.0.1. Use validateToken(HttpServletRequest)
Validate if the given request contains the token bound to the request's session.
- Parameters:
  request - the request used to identify the session and containing the token parameter
- Returns:
  possible error messages; Maybe.isEmpty() indicates a successful flow

validateToken
default Optional<Message> validateToken(javax.servlet.http.HttpServletRequest request)
Validate if the given request contains the token bound to the request's session.
- Parameters:
  request - the request used to identify the session and containing the token parameter
- Returns:
  possible error messages; !Optional.isPresent() indicates a successful flow
- Since:
  7.0.1
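
The servlet scenario from the class description, shown as an added example (not code from this API's authors): the token pair is issued with the form on GET and checked on POST before any state is changed. The servlet name, the displayName field and the constructor injection are assumptions; only generateToken, validateToken and Pair come from this page, and the multipart scenario is not covered here.

```java
import io.atlassian.fugue.Pair;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Optional;
// XsrfTokenService must also be imported; its package is not shown on this page.

/** Hypothetical servlet: hands out a token with the form and checks it before changing state. */
public class DisplayNameServlet extends HttpServlet {
    private final XsrfTokenService xsrfTokenService; // assumption: injected by the host application

    public DisplayNameServlet(XsrfTokenService xsrfTokenService) {
        this.xsrfTokenService = xsrfTokenService;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // left() = parameter key, right() = token value; binds the pair to the session
        Pair<String, String> token = xsrfTokenService.generateToken(req);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().printf(
            "<form method=\"post\">"
                + "<input type=\"hidden\" name=\"%s\" value=\"%s\">"
                + "<input name=\"displayName\"><button>Save</button></form>",
            escapeHtml(token.left()), escapeHtml(token.right()));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Check the token before touching any state; an empty Optional means success.
        Optional<?> error = xsrfTokenService.validateToken(req);
        if (error.isPresent()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF token check failed");
            return;
        }
        // The state change this form protects (constructed for the example).
        req.getSession().setAttribute("displayName", req.getParameter("displayName"));
        resp.sendRedirect(req.getRequestURI());
    }

    // Token key and value are written into attributes, so encode them for HTML.
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```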