com.atlassian.xwork.interceptors
Class XsrfTokenInterceptor

java.lang.Object
  extended by com.atlassian.xwork.interceptors.XsrfTokenInterceptor
All Implemented Interfaces:
com.opensymphony.xwork.interceptor.Interceptor

public class XsrfTokenInterceptor
extends java.lang.Object
implements com.opensymphony.xwork.interceptor.Interceptor

Interceptor to add XSRF token protection to XWork actions. Configuring XSRF protection happens at the method level, and can be done either by adding a @RequireSecurityToken annotation to the method, or by adding a <param name="RequireSecurityToken">[true|false]</param> parameter to the action configuration in xwork.xml.

Configuration in xwork.xml will override any annotation-based configuration. Behaviour when a method is not configured at all depends on the SecurityLevel setting.

Requests containing the HTTP header X-Atlassian-Token: no-check will bypass the check and always succeed.
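A concrete subclass and an opted-in action, added here as an illustration rather than taken from the Atlassian Javadoc or source; the packages of XWorkVersionSupport and @RequireSecurityToken, and the action and method names, are assumptions because the page does not give them.

```java
// Added example, not part of the Atlassian Javadoc: a subclass that localises
// the error messages, plus an action whose state-changing method opts in.
// Assumed: the packages of XWorkVersionSupport and @RequireSecurityToken
// (imports omitted) and the ProjectAction names are illustrative.
import com.atlassian.xwork.interceptors.XsrfTokenInterceptor;
import com.opensymphony.xwork.Action;
import com.opensymphony.xwork.ActionSupport;
import com.opensymphony.xwork.TextProvider;

public class AppXsrfTokenInterceptor extends XsrfTokenInterceptor {

    public AppXsrfTokenInterceptor(XWorkVersionSupport versionSupport) {
        super(versionSupport);
    }

    // OPT_IN: only methods marked @RequireSecurityToken, or given
    // <param name="RequireSecurityToken">true</param> in xwork.xml (which
    // wins over the annotation), are checked; anything else passes untouched.
    @Override
    protected SecurityLevel getSecurityLevel() {
        return SecurityLevel.OPT_IN;
    }

    // The inherited default is only meant for tests. XWork actions normally
    // implement TextProvider, so resolve the key in the current user's locale
    // through the action itself and fall back to the raw key otherwise.
    @Override
    protected String internationaliseErrorMessage(Action action, String messageKey) {
        if (action instanceof TextProvider) {
            String text = ((TextProvider) action).getText(messageKey);
            if (text != null) {
                return text;
            }
        }
        return messageKey;
    }
}

// delete() is opted in; the read-only view() is deliberately left unprotected.
class ProjectAction extends ActionSupport {
    @RequireSecurityToken
    public String delete() {
        // Only reached with a valid token or the X-Atlassian-Token: no-check header.
        return SUCCESS;
    }

    public String view() {
        return SUCCESS;
    }
}
```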

See Also:
XsrfTokenInterceptor.SecurityLevel
TODO: Make this work with the RestrictHttpMethodInterceptor so GET-only methods are not protected?

Nested Class Summary
static class XsrfTokenInterceptor.SecurityLevel

Field Summary
static java.lang.String CONFIG_PARAM_NAME
static java.lang.String OVERRIDE_HEADER_NAME
static java.lang.String OVERRIDE_HEADER_VALUE
static java.lang.String REQUEST_PARAM_NAME
static java.lang.String SECURITY_TOKEN_REQUIRED_ERROR_KEY
static java.lang.String VALIDATION_FAILED_ERROR_KEY

Constructor Summary
XsrfTokenInterceptor(XsrfTokenGenerator tokenGenerator, XWorkVersionSupport versionSupport)
XsrfTokenInterceptor(XWorkVersionSupport versionSupport)

Method Summary
protected void addInvalidTokenError(com.opensymphony.xwork.Action action, java.lang.String errorMessageKey)
          Add error to action in cases where token is required, but is missing or invalid.
void destroy()
protected XsrfTokenInterceptor.SecurityLevel getSecurityLevel()
          Gets the current security level.
void init()
java.lang.String intercept(com.opensymphony.xwork.ActionInvocation invocation)
protected java.lang.String internationaliseErrorMessage(com.opensymphony.xwork.Action action, java.lang.String messageKey)
          Convert an error message key into the correct message for the current user's locale.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait


Field Detail

REQUEST_PARAM_NAME

public static final java.lang.String REQUEST_PARAM_NAME
See Also:
Constant Field Values

CONFIG_PARAM_NAME

public static final java.lang.String CONFIG_PARAM_NAME
See Also:
Constant Field Values

VALIDATION_FAILED_ERROR_KEY

public static final java.lang.String VALIDATION_FAILED_ERROR_KEY
See Also:
Constant Field Values

SECURITY_TOKEN_REQUIRED_ERROR_KEY

public static final java.lang.String SECURITY_TOKEN_REQUIRED_ERROR_KEY
See Also:
Constant Field Values

OVERRIDE_HEADER_NAME

public static final java.lang.String OVERRIDE_HEADER_NAME
See Also:
Constant Field Values

OVERRIDE_HEADER_VALUE

public static final java.lang.String OVERRIDE_HEADER_VALUE
See Also:
Constant Field Values

Constructor Detail

XsrfTokenInterceptor

public XsrfTokenInterceptor(XWorkVersionSupport versionSupport)

XsrfTokenInterceptor

public XsrfTokenInterceptor(XsrfTokenGenerator tokenGenerator,
                            XWorkVersionSupport versionSupport)

Method Detail

intercept

public java.lang.String intercept(com.opensymphony.xwork.ActionInvocation invocation)
                           throws java.lang.Exception
Specified by:
intercept in interface com.opensymphony.xwork.interceptor.Interceptor
Throws:
java.lang.Exception

addInvalidTokenError

protected void addInvalidTokenError(com.opensymphony.xwork.Action action,
                                    java.lang.String errorMessageKey)
Add error to action in cases where token is required, but is missing or invalid. Implementations may wish to override this method, but most should be able to get away with just overriding internationaliseErrorMessage(com.opensymphony.xwork.Action, java.lang.String).

Parameters:
action - the action to add the error message to
errorMessageKey - the error message key that will be used to internationalise the message

internationaliseErrorMessage

protected java.lang.String internationaliseErrorMessage(com.opensymphony.xwork.Action action,
                                                        java.lang.String messageKey)
Convert an error message key into the correct message for the current user's locale. The default implementation is only useful for testing. Implementations should override this method to provide the appropriate internationalised implementation.

Parameters:
action - the current action being executed
messageKey - the message key that needs internationalising
Returns:
the appropriate internationalised message for the current user

destroy

public void destroy()
Specified by:
destroy in interface com.opensymphony.xwork.interceptor.Interceptor

init

public void init()
Specified by:
init in interface com.opensymphony.xwork.interceptor.Interceptor

getSecurityLevel

protected XsrfTokenInterceptor.SecurityLevel getSecurityLevel()
Gets the current security level. See XsrfTokenInterceptor.SecurityLevel for more information on the meanings of the different levels. The default implementation returns OPT_IN. Implementations should override this method if they want more control over the security level setting.

Returns:
the security level to apply to this interceptor.


Copyright © 2009 Atlassian Pty Ltd. All Rights Reserved.