Class DefaultXsrfTokenValidationManager
java.lang.Object
    com.atlassian.confluence.impl.xsrf.impl.DefaultXsrfTokenValidationManager

All Implemented Interfaces: XsrfTokenValidationManager
public class DefaultXsrfTokenValidationManager extends Object implements XsrfTokenValidationManager
Validates the XSRF tokens for protected struts actions. Used in NeoSecurityFilter.

Configuring XSRF protection happens at the method level, and can be done either by adding an XsrfProtectionExcluded or RequireSecurityToken annotation to the method, or by adding a <param name="RequireSecurityToken">[true|false]</param> parameter to the action configuration in struts.xml. XsrfProtectionExcluded annotations override any other settings. Configuration in struts.xml will override RequireSecurityToken annotations. Behaviour when a method is not configured at all depends on the return values of SecurityLevelConfig.

Requests containing the HTTP header X-Atlassian-Token: no-check will bypass the check and always succeed.
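
The precedence described above, written out as a small stand-alone model. This is an added example, not Confluence code: the class, method and parameter names are hypothetical, the unconfiguredDefault flag stands in for whatever SecurityLevelConfig returns, and the token comparison is an assumption about how a submitted token is matched.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Illustrative model only: all names here are hypothetical, not the Confluence implementation.
public class XsrfDecisionModel {

    /** Resolve whether a token is required, in the precedence order the class description gives. */
    static boolean tokenRequired(boolean excludedAnnotation,   // XsrfProtectionExcluded present on the method
                                 Boolean strutsParam,          // RequireSecurityToken param in struts.xml, null if absent
                                 Boolean requireAnnotation,    // RequireSecurityToken annotation value, null if absent
                                 boolean unconfiguredDefault)  // stand-in for the SecurityLevelConfig result
    {
        if (excludedAnnotation) return false;                  // overrides any other setting
        if (strutsParam != null) return strutsParam;           // struts.xml overrides the annotation
        if (requireAnnotation != null) return requireAnnotation;
        return unconfiguredDefault;                            // method not configured at all
    }

    /** Full decision: header bypass, then the resolved requirement, then the token comparison. */
    static boolean requestPasses(String xAtlassianTokenHeader, boolean required,
                                 String submittedToken, String sessionToken) {
        if ("no-check".equals(xAtlassianTokenHeader)) return true;  // documented bypass
        if (!required) return true;
        if (submittedToken == null || sessionToken == null) return false;
        // Constant-time comparison (assumption: the real class delegates to XsrfTokenGenerator).
        return MessageDigest.isEqual(submittedToken.getBytes(StandardCharsets.UTF_8),
                                     sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed cases, not taken from Confluence.
        boolean excludedWins = tokenRequired(true, true, true, true);     // exclusion annotation plus everything else
        boolean strutsWins   = tokenRequired(false, false, true, true);   // struts.xml disagrees with the annotation
        boolean annotation   = tokenRequired(false, null, true, false);   // only the annotation is set
        boolean fallback     = tokenRequired(false, null, null, true);    // nothing configured on the method
        System.out.printf("required: %b %b %b %b%n", excludedWins, strutsWins, annotation, fallback);
        System.out.println(requestPasses(null, annotation, null, "tok-123"));        // token missing
        System.out.println(requestPasses(null, annotation, "tok-123", "tok-123"));   // token matches
        System.out.println(requestPasses("no-check", annotation, null, "tok-123"));  // bypass header sent
    }
}
```

When auditing an action, resolving these four inputs in this order shows whether a state-changing method actually ends up requiring a token.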

Field Summary
Modifier and Type    Field
static String        ATL_TOKEN
static String        HTTP_ADD_ON_ID_ATTRIBUTE_NAME
static String        JWT_TOKEN_PARAM
static String        NO_CHECK_HEADER_VALUE
static String        REQUIRE_SECURITY_TOKEN
static String        SRC_MAIL_RECIPIENT
static String        X_ATLASSIAN_TOKEN

Constructor Summary
Constructor
DefaultXsrfTokenValidationManager(com.atlassian.xwork.XsrfTokenGenerator tokenGenerator)

Method Summary
Modifier and Type    Method and Description
boolean              isRequestExempt(String actionName, javax.servlet.http.HttpServletRequest request)
                     Check if XSRF token protection checks should be exempt for the given action and request.
boolean              isRequestValid(Class<?> actionClass, Method actionMethod, Map<String,String> actionParams, javax.servlet.http.HttpServletRequest request)
                     Check if this request passes XSRF token checks.

Field Detail

SRC_MAIL_RECIPIENT
public static final String SRC_MAIL_RECIPIENT
See Also: Constant Field Values

JWT_TOKEN_PARAM
public static final String JWT_TOKEN_PARAM
See Also: Constant Field Values

HTTP_ADD_ON_ID_ATTRIBUTE_NAME
public static final String HTTP_ADD_ON_ID_ATTRIBUTE_NAME
See Also: Constant Field Values

X_ATLASSIAN_TOKEN
public static final String X_ATLASSIAN_TOKEN
See Also: Constant Field Values

NO_CHECK_HEADER_VALUE
public static final String NO_CHECK_HEADER_VALUE
See Also: Constant Field Values

REQUIRE_SECURITY_TOKEN
public static final String REQUIRE_SECURITY_TOKEN
See Also: Constant Field Values

ATL_TOKEN
public static final String ATL_TOKEN
See Also: Constant Field Values

Method Detail

isRequestExempt
public boolean isRequestExempt(String actionName, javax.servlet.http.HttpServletRequest request)
Description copied from interface: XsrfTokenValidationManager
Check if XSRF token protection checks should be exempt for the given action and request.
Specified by: isRequestExempt in interface XsrfTokenValidationManager
Parameters:
actionName - the action name
request - the current HttpServletRequest
Returns: true if the request should be exempt from xsrf check, false otherwise.

isRequestValid
public boolean isRequestValid(Class<?> actionClass, Method actionMethod, Map<String,String> actionParams, javax.servlet.http.HttpServletRequest request)
Description copied from interface: XsrfTokenValidationManager
Check if this request passes XSRF token checks.
Specified by: isRequestValid in interface XsrfTokenValidationManager
Parameters:
actionClass - the current action class
actionMethod - the action method that is executed
actionParams - the action parameters
request - the current HttpServletRequest
Returns: true if the request passes XSRF token validations, false otherwise.