com.atlassian.crowd.xwork.interceptors

Class XsrfTokenInterceptor

java.lang.Object

com.atlassian.crowd.xwork.interceptors.XsrfTokenInterceptor

All Implemented Interfaces:

com.opensymphony.xwork2.interceptor.Interceptor, Serializable

Direct Known Subclasses:

CrowdXsrfTokenInterceptor

public class XsrfTokenInterceptor
extends Object
implements com.opensymphony.xwork2.interceptor.Interceptor

Interceptor to add XSRF token protection to XWork actions. Configuring XSRF protection happens at the method level, and can be done either by adding a @RequireSecurityToken annotation to the method, or by adding a <param name="RequireSecurityToken">[true|false]</param> parameter to the action configuration in xwork.xml.

Configuration in xwork.xml will override any annotation-based configuration. Behaviour when a method is not configured at all depends on the SecurityLevel seeting

Requests containing the HTTP header X-Atlassian-Token: no-check will bypass the check and always succeed.

See Also:

XsrfTokenInterceptor.SecurityLevel, TODO: Make this work with the RestrictHttpMethodInterceptor so get-only methods are not protected?, Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	XsrfTokenInterceptor.SecurityLevel

Field Summary

Fields

Modifier and Type	Field and Description
static String	CONFIG_PARAM_NAME
static String	OVERRIDE_HEADER_NAME
static String	OVERRIDE_HEADER_VALUE
static String	REQUEST_PARAM_NAME
static String	SECURITY_TOKEN_REQUIRED_ERROR_KEY
static String	VALIDATION_FAILED_ERROR_KEY

Constructor Summary

Constructors

Constructor and Description
XsrfTokenInterceptor()
XsrfTokenInterceptor(XsrfTokenGenerator tokenGenerator)

Method Summary

Modifier and Type	Method and Description
protected void	addInvalidTokenError(com.opensymphony.xwork2.Action action, String errorMessageKey) Add error to action in cases where token is required, but is missing or invalid.
void	destroy()
protected XsrfTokenInterceptor.SecurityLevel	getSecurityLevel() Gets the current security level.
void	init()
String	intercept(com.opensymphony.xwork2.ActionInvocation invocation)
protected String	internationaliseErrorMessage(com.opensymphony.xwork2.Action action, String messageKey) Convert an error message key into the correct message for the current user's locale.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REQUEST_PARAM_NAME

public static final String REQUEST_PARAM_NAME

See Also:

Constant Field Values

CONFIG_PARAM_NAME

public static final String CONFIG_PARAM_NAME

See Also:

Constant Field Values

VALIDATION_FAILED_ERROR_KEY

public static final String VALIDATION_FAILED_ERROR_KEY

See Also:

Constant Field Values

SECURITY_TOKEN_REQUIRED_ERROR_KEY

public static final String SECURITY_TOKEN_REQUIRED_ERROR_KEY

See Also:

Constant Field Values

OVERRIDE_HEADER_NAME

public static final String OVERRIDE_HEADER_NAME

See Also:

Constant Field Values

OVERRIDE_HEADER_VALUE

public static final String OVERRIDE_HEADER_VALUE

See Also:

Constant Field Values

Constructor Detail

XsrfTokenInterceptor

public XsrfTokenInterceptor()

XsrfTokenInterceptor

public XsrfTokenInterceptor(XsrfTokenGenerator tokenGenerator)

Method Detail

intercept

public String intercept(com.opensymphony.xwork2.ActionInvocation invocation)
                 throws Exception

Specified by:

intercept in interface com.opensymphony.xwork2.interceptor.Interceptor

Throws:

Exception

addInvalidTokenError

protected void addInvalidTokenError(com.opensymphony.xwork2.Action action,
                                    String errorMessageKey)

Add error to action in cases where token is required, but is missing or invalid. Implementations may wish to override this method, but most should be able to get away with just overriding internationaliseErrorMessage(com.opensymphony.xwork2.Action, java.lang.String)

Parameters:

action - the action to add the error message to

errorMessageKey - the error message key that will be used to internationalise the message

internationaliseErrorMessage

protected String internationaliseErrorMessage(com.opensymphony.xwork2.Action action,
                                              String messageKey)

Convert an error message key into the correct message for the current user's locale. The default implementation is only useful for testing. Implementations should override this method to provide the appropriate internationalised implementation.

Parameters:

action - the current action being executed

messageKey - the message key that needs internationalising

Returns:

the appropriate internationalised message for the current user

destroy

public void destroy()

Specified by:

destroy in interface com.opensymphony.xwork2.interceptor.Interceptor

init

public void init()

Specified by:

init in interface com.opensymphony.xwork2.interceptor.Interceptor

getSecurityLevel

protected XsrfTokenInterceptor.SecurityLevel getSecurityLevel()

Gets the current security level. See XsrfTokenInterceptor.SecurityLevel for more information on the meanings of the different level. Default implementation returns OPT_IN. Implementations should override this method if they want more control over the security level setting.

Returns:

the security level to apply to this interceptor.