Class DefaultXsrfInvocationChecker

java.lang.Object
com.atlassian.jira.security.ActionInvocationCheckerBase
com.atlassian.jira.security.xsrf.DefaultXsrfInvocationChecker
All Implemented Interfaces:
XsrfInvocationChecker

public class DefaultXsrfInvocationChecker extends ActionInvocationCheckerBase implements XsrfInvocationChecker
This class will check that a web-request (either WebWork action or HttpServlet) has been invoked with the correct XSRF token.
Since:
v4.1
  • Constructor Details

    • DefaultXsrfInvocationChecker

      public DefaultXsrfInvocationChecker(ComponentLocator componentLocator)
  • Method Details

    • checkActionInvocation

      @Nonnull public XsrfCheckResult checkActionInvocation(@Nonnull webwork.action.Action action, @Nonnull Map<String,?> parameters)
      Checks that the action about to be executed has been invoked with the correct XSRF parameters. This method skips the check if the action class or the action command's method is annotated with DoesNotRequireXsrfCheck, or if the HTTP method in use is safe (that is, non-mutative: GET, HEAD, OPTIONS, TRACE). It still performs the check, however, if the action class or the action command's method is annotated with RequiresXsrfCheck, whether the HTTP method is safe or not.
      Specified by:
      checkActionInvocation in interface XsrfInvocationChecker
      Parameters:
      action - the Action in play. Cannot be null.
      parameters - the parameters this has been called with. Cannot be null.
      Returns:
      XsrfCheckResult object. Not null.
    • checkWebRequestInvocation

      @Nonnull public XsrfCheckResult checkWebRequestInvocation(@Nonnull javax.servlet.http.HttpServletRequest httpServletRequest)
      Checks that the web request contains the correct XSRF parameters.
      Specified by:
      checkWebRequestInvocation in interface XsrfInvocationChecker
      Parameters:
      httpServletRequest - the HttpServletRequest in play. Can't be null.
      Returns:
      XsrfCheckResult object. Not null.
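
The decision rule described for checkActionInvocation, modelled as a standalone sketch. This is an added example, not Jira's implementation: the two annotations are local stand-ins for the Jira annotations of the same names, and XsrfDecisionSketch, checkRequired and the three action classes are hypothetical. It assumes RequiresXsrfCheck takes precedence when both annotations are present, and that any request not covered by a skip condition is checked.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Locale;
import java.util.Set;

public class XsrfDecisionSketch {
    // Local stand-ins for Jira's annotations, declared here so the sketch compiles on its own.
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RequiresXsrfCheck {}
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface DoesNotRequireXsrfCheck {}

    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    static boolean annotated(Class<?> c, Method m, Class<? extends Annotation> a) {
        return c.isAnnotationPresent(a) || m.isAnnotationPresent(a);
    }

    /** True when the XSRF token must be validated before the command method runs. */
    static boolean checkRequired(Class<?> actionClass, Method command, String httpMethod) {
        // Assumption: RequiresXsrfCheck wins if both annotations are present (the page does not say).
        if (annotated(actionClass, command, RequiresXsrfCheck.class)) return true;
        if (annotated(actionClass, command, DoesNotRequireXsrfCheck.class)) return false;
        // Assumption: with no annotation, only safe HTTP methods skip the check.
        return !SAFE_METHODS.contains(httpMethod.toUpperCase(Locale.ROOT));
    }

    // Hypothetical actions covering the unannotated, forced and exempt cases.
    static class ViewIssue { public String doDefault() { return "success"; } }
    static class DeleteIssue {
        @RequiresXsrfCheck public String doExecute() { return "success"; }
    }
    static class Ping {
        @DoesNotRequireXsrfCheck public String doExecute() { return "success"; }
    }

    public static void main(String[] args) throws Exception {
        Method view = ViewIssue.class.getMethod("doDefault");
        Method del = DeleteIssue.class.getMethod("doExecute");
        Method ping = Ping.class.getMethod("doExecute");
        System.out.println("view GET:    " + checkRequired(ViewIssue.class, view, "GET"));
        System.out.println("view POST:   " + checkRequired(ViewIssue.class, view, "POST"));
        System.out.println("delete GET:  " + checkRequired(DeleteIssue.class, del, "GET"));
        System.out.println("ping POST:   " + checkRequired(Ping.class, ping, "POST"));
    }
}
```

The DeleteIssue case is the one to audit for: a state-changing command reachable over GET is only protected when it carries RequiresXsrfCheck, because the safe-method rule would otherwise skip the token check.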