How can I validate XSRF security token in Java code using xwork or servlet?

TakashiI September 1, 2015

As I want to protect my add-on from XSRF, I read this document and implemented atl_token.
https://developer.atlassian.com/confdev/confluence-plugin-guide/writing-confluence-plugins/form-token-handling 

And in order to validate atl_token, both methods work well: the @com.atlassian.xwork.RequireSecurityToken annotation and setting the RequireSecurityToken parameter in atlassian-plugins.xml.

But... when an invalid token is passed, xwork always returns "input".
I want to return another result. For example, when an XSRF token error occurs I want to return "xsrferror", and when a form input value error occurs I want to return "formerror".


So, I want to know how to validate atl_token in Java code.

1 answer


2 votes
Volodymyr Krupach
Rising Star
September 1, 2015

Hi Takashi,

For webwork actions just add @RequiresXsrfCheck above a method. See here for details: https://developer.atlassian.com/jiradev/jira-architecture/authentication/form-token-handling

For servlets use XsrfTokenValidator: https://docs.atlassian.com/jira/latest/com/atlassian/sal/jira/xsrf/JiraXsrfTokenValidator.html

TakashiI September 1, 2015

Thanks for your answer. I can find the ConfluenceXsrfTokenValidator class, and this instance is available as a component. I will try it.

Volodymyr Krupach
September 1, 2015

Takashi, just inject ConfluenceXsrfTokenValidator through the constructor.
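
The approach discussed in this thread, as an added example that is not code from the original posts or from Atlassian: an action that validates atl_token itself through an injected validator, so a token failure and a form failure map to the two result names from the question. It assumes the injected component implements SAL's XsrfTokenValidator interface and that the interceptor-level RequireSecurityToken check is not applied to this action (otherwise "input" is returned before execute() runs); the class name SaveSettingsAction and the title field are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

import com.atlassian.confluence.core.ConfluenceActionSupport;
import com.atlassian.sal.api.xsrf.XsrfTokenValidator;
import com.opensymphony.webwork.ServletActionContext;

/** Hypothetical action: manual atl_token check with distinct xwork results. */
public class SaveSettingsAction extends ConfluenceActionSupport {

    // Result names taken from the question; each needs a matching <result>
    // entry in this action's xwork declaration.
    static final String XSRF_ERROR = "xsrferror";
    static final String FORM_ERROR = "formerror";

    private final XsrfTokenValidator xsrfTokenValidator;
    private String title; // hypothetical form field

    // Constructor injection, as suggested in the thread.
    public SaveSettingsAction(XsrfTokenValidator xsrfTokenValidator) {
        this.xsrfTokenValidator = xsrfTokenValidator;
    }

    @Override
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();

        // Token check comes first: no form data is read or acted on until
        // the request is known to be a POST carrying a valid token.
        // Because the automatic check is assumed to be off for this action,
        // this is the only XSRF gate and must cover every state change.
        if (!"POST".equalsIgnoreCase(request.getMethod())
                || !xsrfTokenValidator.validateFormEncodedToken(request)) {
            return XSRF_ERROR;
        }

        // Ordinary input validation, reported under its own result name.
        if (title == null || title.trim().isEmpty()) {
            addActionError("Title is required.");
            return FORM_ERROR;
        }

        return SUCCESS;
    }

    public void setTitle(String title) {
        this.title = title;
    }
}
```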
