public interface XsrfTokenService
XsrfTokenInterceptor can not be applied.
The above-mentioned XsrfTokenInterceptor, configured in the default stack, is the preferred method for securing XWork controllers (actions) against XSRF abuse.

This service should be used for the following scenarios instead:

- Content-Type: multipart/form-data, as the underlying MultiPartRequestWrapper decoding the parts may fail on construction, e.g. due to exceeding the maximum file size. Since the token will be encoded in a part, the token check would then fail, hiding the root cause.

| Modifier and Type | Method and Description |
|---|---|
| com.atlassian.fugue.Pair<String,String> | generate(javax.servlet.http.HttpServletRequest request): Generate and bind a token pair to the session. |
| com.atlassian.fugue.Maybe<Message> | validate(javax.servlet.http.HttpServletRequest request): Validate if the given request contains the token bound to the request's session. |
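
One way to use the two methods above for a multipart upload form, as an added example that is not part of the original page or of Atlassian's code. The class name UploadXsrfGuard, the reading of the pair as (parameter name, token value), and the omitted import for XsrfTokenService (its package is not shown on this page) are assumptions.

```java
import com.atlassian.fugue.Maybe;
import com.atlassian.fugue.Pair;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Import XsrfTokenService from the product API; its package is not shown on this page.

/** Hypothetical helper (added example): checks XSRF tokens itself for multipart forms. */
public class UploadXsrfGuard {
    private final XsrfTokenService xsrfTokenService;

    public UploadXsrfGuard(XsrfTokenService xsrfTokenService) {
        this.xsrfTokenService = xsrfTokenService;
    }

    /** Renders the hidden form field; generate() binds a token pair to the session. */
    public String hiddenTokenField(HttpServletRequest request) {
        Pair<String, String> token = xsrfTokenService.generate(request);
        // Assumption: left() is the parameter name, right() is the token value.
        return "<input type=\"hidden\" name=\"" + escape(token.left())
                + "\" value=\"" + escape(token.right()) + "\">";
    }

    /**
     * Call only after multipart decoding has succeeded, so that a decoding failure
     * (e.g. file too large) is reported as such and not as a missing token.
     * Returns true if the request may proceed; otherwise a 403 has been sent.
     */
    public boolean checkToken(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Maybe<?> failure = xsrfTokenService.validate(request);
        if (failure.isEmpty()) {
            return true; // Maybe.isEmpty() indicates a successful flow
        }
        // Keep the client-facing message generic; never echo token values.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF token check failed");
        return false;
    }

    /** Minimal HTML attribute escaping for the values written into the form. */
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }
}
```
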
com.atlassian.fugue.Pair<String,String> generate(javax.servlet.http.HttpServletRequest request)

request - the request used to identify the session, will be created if none is present

com.atlassian.fugue.Maybe<Message> validate(javax.servlet.http.HttpServletRequest request)

request - the request used to identify the session and containing the token parameter

Maybe.isEmpty() indicates a successful flow

Copyright © 2003–2017 Atlassian. All rights reserved.