Class XsrfTokenInterceptor

java.lang.Object
  com.atlassian.crowd.xwork.interceptors.XsrfTokenInterceptor

- All Implemented Interfaces:
  com.opensymphony.xwork2.interceptor.Interceptor, Serializable
- Direct Known Subclasses:
  CrowdXsrfTokenInterceptor

public class XsrfTokenInterceptor
extends Object
implements com.opensymphony.xwork2.interceptor.Interceptor

Interceptor to add XSRF token protection to XWork actions. Configuring XSRF protection happens at the method level, and can be done either by adding a @RequireSecurityToken annotation to the method, or by adding a <param name="RequireSecurityToken">[true|false]</param> parameter to the action configuration in xwork.xml.

Configuration in xwork.xml will override any annotation-based configuration. Behaviour when a method is not configured at all depends on the SecurityLevel setting.

Requests containing the HTTP header X-Atlassian-Token: no-check will bypass the check and always succeed.
- Nested Class Summary
- Field Summary
- Constructor Summary
- Method Summary

  Modifier and Type | Method | Description
  protected void | addInvalidTokenError(com.opensymphony.xwork2.Action action, String errorMessageKey) | Add error to action in cases where token is required, but is missing or invalid.
  public void | destroy() |
  protected XsrfTokenInterceptor.SecurityLevel | getSecurityLevel() | Gets the current security level.
  public void | init() |
  String | intercept(com.opensymphony.xwork2.ActionInvocation invocation) |
  protected String | internationaliseErrorMessage(com.opensymphony.xwork2.Action action, String messageKey) | Convert an error message key into the correct message for the current user's locale.
- Field Details
  - REQUEST_PARAM_NAME
  - CONFIG_PARAM_NAME
  - VALIDATION_FAILED_ERROR_KEY
  - SECURITY_TOKEN_REQUIRED_ERROR_KEY
  - OVERRIDE_HEADER_NAME
  - OVERRIDE_HEADER_VALUE
- Constructor Details
  - XsrfTokenInterceptor
    public XsrfTokenInterceptor()
- Method Details
  - intercept
    public String intercept(com.opensymphony.xwork2.ActionInvocation invocation) throws Exception
    - Specified by:
      intercept in interface com.opensymphony.xwork2.interceptor.Interceptor
    - Throws:
      Exception
  - addInvalidTokenError
    protected void addInvalidTokenError(com.opensymphony.xwork2.Action action, String errorMessageKey)
    Add error to action in cases where token is required, but is missing or invalid. Implementations may wish to override this method, but most should be able to get away with just overriding internationaliseErrorMessage(com.opensymphony.xwork2.Action, java.lang.String).
    - Parameters:
      action - the action to add the error message to
      errorMessageKey - the error message key that will be used to internationalise the message
  - internationaliseErrorMessage
    protected String internationaliseErrorMessage(com.opensymphony.xwork2.Action action, String messageKey)
    Convert an error message key into the correct message for the current user's locale. The default implementation is only useful for testing. Implementations should override this method to provide the appropriate internationalised implementation.
    - Parameters:
      action - the current action being executed
      messageKey - the message key that needs internationalising
    - Returns:
      the appropriate internationalised message for the current user
  - destroy
    public void destroy()
    - Specified by:
      destroy in interface com.opensymphony.xwork2.interceptor.Interceptor
  - init
    public void init()
    - Specified by:
      init in interface com.opensymphony.xwork2.interceptor.Interceptor
  - getSecurityLevel
    protected XsrfTokenInterceptor.SecurityLevel getSecurityLevel()
    Gets the current security level. See XsrfTokenInterceptor.SecurityLevel for more information on the meanings of the different levels. The default implementation returns OPT_IN. Implementations should override this method if they want more control over the security level setting.
    - Returns:
      the security level to apply to this interceptor.
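As an added example (not code from the Crowd javadoc or from the Crowd project): a subclass that replaces the test-only internationaliseErrorMessage() described above with a lookup through XWork's TextProvider, beside an action that opts one state-changing method into the token check with the @RequireSecurityToken annotation from the class description. The annotation's package, the action names and the reading of OPT_IN as "unconfigured methods are not checked" are assumptions.

```java
import com.atlassian.crowd.xwork.interceptors.XsrfTokenInterceptor;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.TextProvider;
// Assumed package: the javadoc above names only the annotation, not where it lives.
import com.atlassian.crowd.xwork.RequireSecurityToken;

/**
 * Interceptor subclass whose internationaliseErrorMessage() resolves the key
 * against the action's own resource bundles. XWork actions built on
 * ActionSupport implement TextProvider, so the user's locale is honoured.
 */
public class LocalisedXsrfTokenInterceptor extends XsrfTokenInterceptor {

    @Override
    protected String internationaliseErrorMessage(Action action, String messageKey) {
        if (action instanceof TextProvider) {
            String text = ((TextProvider) action).getText(messageKey);
            if (text != null) {
                return text;
            }
        }
        // Fall back to the interceptor's default (test-only) rendering of the key.
        return super.internationaliseErrorMessage(action, messageKey);
    }
}

/**
 * Hypothetical action. doUpdate() opts into the check with the annotation, so
 * a missing or invalid token triggers addInvalidTokenError() and the action
 * body never runs. doDefault() is left unconfigured and therefore falls under
 * getSecurityLevel(); with the default OPT_IN that is assumed to mean no check.
 */
class ChangePasswordAction extends ActionSupport {

    @RequireSecurityToken
    public String doUpdate() {
        // ... apply the state change here; only reached with a valid token
        return SUCCESS;
    }

    public String doDefault() {
        // Read-only view: no state change, no token required
        return INPUT;
    }
}
```

Register the subclass as an interceptor in xwork.xml; a `<param name="RequireSecurityToken">true</param>` on an action there overrides the annotation, and any request carrying `X-Atlassian-Token: no-check` skips the check entirely, which is worth remembering when reviewing how that header reaches the application.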