@PublicApi public interface

XsrfInvocationChecker

com.atlassian.jira.security.xsrf.XsrfInvocationChecker
@PublicApi

This interface is designed for plugins to consume (call its methods).

Clients of @PublicApi can expect that programs compiled against a given version will remain binary compatible with later versions of the @PublicApi as per each product's API policy, as long as the client does not implement/extend @PublicApi interfaces or classes (refer to each product's API policy for the exact guarantee; usually binary compatibility is guaranteed at least across minor versions).

Note: since @PublicApi interfaces and classes are not designed to be implemented or extended by clients, we may perform certain types of binary-incompatible changes to these classes and interfaces, but these will not affect well-behaved clients that do not extend/implement these types (in general, only classes and interfaces annotated with @PublicSpi are safe to extend/implement).

Class Overview

Checks that a web-request (either WebWork action or HttpServlet) has been invoked with the correct XSRF token.

Summary

Constants
String REQUIRE_SECURITY_TOKEN This is the same name that Confluence uses in its webwork2 world, so we are using the same name for synergy reasons.
String X_ATLASSIAN_TOKEN
Public Methods
XsrfCheckResult checkActionInvocation(Action action, Map<String, ?> parameters)
Checks that the action about to be executed has been invoked with the correct XSRF parameters.
XsrfCheckResult checkWebRequestInvocation(HttpServletRequest httpServletRequest)
Checks that the web request contains the correct XSRF parameters.

Constants

public static final String REQUIRE_SECURITY_TOKEN

This is the same name that Confluence uses in its webwork2 world, so we are using the same name for synergy reasons.

Constant Value: "RequireSecurityToken"

public static final String X_ATLASSIAN_TOKEN

Constant Value: "X-Atlassian-Token"

Public Methods

public XsrfCheckResult checkActionInvocation (Action action, Map<String, ?> parameters)

Checks that the action about to be executed has been invoked with the correct XSRF parameters. This method will only perform the check if the current "command" is annotated with RequiresXsrfCheck.

Parameters
action the webwork.action.ActionSupport in play. Cannot be null.
parameters the parameters this has been called with. Cannot be null.
Returns
  • false if the action failed the XSRF check.

public XsrfCheckResult checkWebRequestInvocation (HttpServletRequest httpServletRequest)

Checks that the web request contains the correct XSRF parameters.

Parameters
httpServletRequest the javax.servlet.http.HttpServletRequest in play. Can't be null.
Returns
  • false if the request failed the XSRF check.
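
Example (added here, not part of the original Javadoc or Atlassian's own code): a plugin servlet that calls checkWebRequestInvocation before a state-changing operation and rejects the request when the check fails. The servlet name, the in-memory widget store, constructor injection of the checker, and the XsrfCheckResult accessors isRequired() and isValid() are assumptions not shown on this page.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.atlassian.jira.security.xsrf.XsrfCheckResult;
import com.atlassian.jira.security.xsrf.XsrfInvocationChecker;

// Hypothetical plugin servlet; the class name and widget store are illustrative.
public class DeleteWidgetServlet extends HttpServlet {

    private final XsrfInvocationChecker xsrfChecker;
    // Constructed sample state standing in for real plugin data.
    private final Set<String> widgets = ConcurrentHashMap.newKeySet();

    // Assumption: the plugin framework injects the checker through the constructor.
    public DeleteWidgetServlet(XsrfInvocationChecker xsrfChecker) {
        this.xsrfChecker = xsrfChecker;
        widgets.add("demo-widget");
    }

    // State changes are handled on POST only; GET is not overridden, so the
    // default HttpServlet implementation rejects it.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        XsrfCheckResult result = xsrfChecker.checkWebRequestInvocation(req);

        // Assumption: isRequired() and isValid() are XsrfCheckResult's accessors.
        // Reject before touching any state, and do not echo the token back.
        if (result.isRequired() && !result.isValid()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF check failed");
            return;
        }

        String id = req.getParameter("id");
        if (id == null || !widgets.remove(id)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Running the check as the first statement of the handler keeps every later branch, including the not-found path, behind the XSRF decision.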