Package com.atlassian.jira.security.xsrf
Interface XsrfInvocationChecker
- All Known Implementing Classes:
DefaultXsrfInvocationChecker
@PublicApi
public interface XsrfInvocationChecker
Checks that a web-request (either WebWork action or HttpServlet) has been invoked with the correct
XSRF token.
- Since:
- v4.1.1
-
Field Summary
Fields -
Method Summary
Modifier and TypeMethodDescriptioncheckActionInvocation(webwork.action.Action action, Map<String, ?> parameters) Checks that the action about to be executed has been invoked with the correct XSRF parameters.checkWebRequestInvocation(javax.servlet.http.HttpServletRequest httpServletRequest) Checks that the web request contains the correct XSRF parameters.
-
Field Details
-
REQUIRE_SECURITY_TOKEN
This is the same name that Confluences uses in their webwork2 world so we are using the same name for synergy reasons- See Also:
-
X_ATLASSIAN_TOKEN
- See Also:
-
-
Method Details
-
checkActionInvocation
@Nonnull XsrfCheckResult checkActionInvocation(@Nonnull webwork.action.Action action, @Nonnull Map<String, ?> parameters) Checks that the action about to be executed has been invoked with the correct XSRF parameters. This method will skip the check if the action class or action command's method is annotated withDoesNotRequireXsrfCheckor if the HTTP method in use is safe (aka non-mutative, i.e. GET, HEAD, OPTIONS, TRACE). It will however still perform the check if the action class or action command's method is annotated withRequiresXsrfCheckwhether the HTTP method is safe or not.- Parameters:
action- theActionin play. Cannot be null.parameters- the parameters this has been called with. Cannot be null.- Returns:
XsrfCheckResultobject. Not null.
-
checkWebRequestInvocation
@Nonnull XsrfCheckResult checkWebRequestInvocation(@Nonnull javax.servlet.http.HttpServletRequest httpServletRequest) Checks that the web request contains the correct XSRF parameters.- Parameters:
httpServletRequest- theHttpServletRequestin play. Can't be null.- Returns:
XsrfCheckResultobject. Not null.
-