Class XsrfTokenInterceptor

java.lang.Object
com.atlassian.crowd.xwork.interceptors.XsrfTokenInterceptor
All Implemented Interfaces:
com.opensymphony.xwork2.interceptor.Interceptor, Serializable
Direct Known Subclasses:
CrowdXsrfTokenInterceptor

public class XsrfTokenInterceptor extends Object implements com.opensymphony.xwork2.interceptor.Interceptor
Interceptor to add XSRF token protection to XWork actions. Configuring XSRF protection happens at the method level, and can be done either by adding a @RequireSecurityToken annotation to the method, or by adding a <param name="RequireSecurityToken">[true|false]</param> parameter to the action configuration in xwork.xml.

Configuration in xwork.xml will override any annotation-based configuration. Behaviour when a method is not configured at all depends on the SecurityLevel setting.

Requests containing the HTTP header X-Atlassian-Token: no-check will bypass the check and always succeed.
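The following is an added example, not Crowd's own code, showing how the two hooks described above fit together: a subclass that supplies real internationalisation for the rejection message and keeps the documented default security level, plus an action method opted into the check with @RequireSecurityToken. The package of @RequireSecurityToken, the interceptor-ref name xsrfToken in the xwork.xml fragment, and the I18nResolver helper are assumptions made for the example.

```java
// Added example (not Crowd's own code). Assumptions: @RequireSecurityToken is
// in com.atlassian.crowd.xwork.interceptors, the xwork.xml interceptor is
// registered under the name "xsrfToken", and I18nResolver is a hypothetical
// lookup helper standing in for whatever the product really uses.
package com.example.xsrf;

import com.atlassian.crowd.xwork.interceptors.RequireSecurityToken; // assumed location
import com.atlassian.crowd.xwork.interceptors.XsrfTokenInterceptor;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionSupport;

/** Subclass that plugs locale-aware messages into the interceptor's error reporting. */
public class ExampleXsrfTokenInterceptor extends XsrfTokenInterceptor {

    /** Hypothetical i18n lookup contract; the real one is product-specific. */
    public interface I18nResolver {
        String getText(String key);
    }

    private final I18nResolver i18n;

    public ExampleXsrfTokenInterceptor(I18nResolver i18n) {
        this.i18n = i18n;
    }

    @Override
    protected String internationaliseErrorMessage(Action action, String messageKey) {
        // Resolve the key for the current user's locale. Fall back to the raw key
        // so a missing translation never turns a rejected request into an empty error.
        String text = i18n.getText(messageKey);
        return text != null ? text : messageKey;
    }

    @Override
    protected SecurityLevel getSecurityLevel() {
        // The documented default. Override here to read the level from product
        // settings instead of hard-coding it.
        return SecurityLevel.OPT_IN;
    }
}

/** A state-changing action whose handler is opted into token checking. */
class DeleteUserAction extends ActionSupport {

    // Annotation-based configuration: the interceptor requires a valid token
    // before this method runs. The equivalent xwork.xml configuration, which
    // takes precedence over the annotation, is:
    //
    //   <action name="deleteUser" class="com.example.xsrf.DeleteUserAction" method="doDelete">
    //       <interceptor-ref name="xsrfToken"/>   <!-- name assumed -->
    //       <param name="RequireSecurityToken">true</param>
    //   </action>
    @RequireSecurityToken
    public String doDelete() {
        // Only reached when the interceptor has accepted the request.
        return SUCCESS;
    }
}
```

When the token is missing or invalid, the interceptor calls addInvalidTokenError, which in turn calls the overridden internationaliseErrorMessage to produce the text attached to the action; a subclass therefore usually needs to override only that one method.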

  • Constructor Details

    • XsrfTokenInterceptor

      public XsrfTokenInterceptor()
    • XsrfTokenInterceptor

      public XsrfTokenInterceptor(XsrfTokenGenerator tokenGenerator)
  • Method Details

    • intercept

      public String intercept(com.opensymphony.xwork2.ActionInvocation invocation) throws Exception
      Specified by:
      intercept in interface com.opensymphony.xwork2.interceptor.Interceptor
      Throws:
      Exception
    • addInvalidTokenError

      protected void addInvalidTokenError(com.opensymphony.xwork2.Action action, String errorMessageKey)
      Add an error to the action in cases where a token is required but is missing or invalid. Implementations may wish to override this method, but most should be able to get away with just overriding internationaliseErrorMessage(com.opensymphony.xwork2.Action, java.lang.String).
      Parameters:
      action - the action to add the error message to
      errorMessageKey - the error message key that will be used to internationalise the message
    • internationaliseErrorMessage

      protected String internationaliseErrorMessage(com.opensymphony.xwork2.Action action, String messageKey)
      Convert an error message key into the correct message for the current user's locale. The default implementation is only useful for testing. Implementations should override this method to provide the appropriate internationalised implementation.
      Parameters:
      action - the current action being executed
      messageKey - the message key that needs internationalising
      Returns:
      the appropriate internationalised message for the current user
    • destroy

      public void destroy()
      Specified by:
      destroy in interface com.opensymphony.xwork2.interceptor.Interceptor
    • init

      public void init()
      Specified by:
      init in interface com.opensymphony.xwork2.interceptor.Interceptor
    • getSecurityLevel

      protected XsrfTokenInterceptor.SecurityLevel getSecurityLevel()
      Gets the current security level. See XsrfTokenInterceptor.SecurityLevel for more information on the meanings of the different levels. The default implementation returns OPT_IN. Implementations should override this method if they want more control over the security level setting.
      Returns:
      the security level to apply to this interceptor.