Interface XsrfTokenService

  • All Known Implementing Classes:
    DefaultXsrfTokenService

    public interface XsrfTokenService
    To be used in scenarios where the XsrfTokenInterceptor cannot be applied.

    The above-mentioned XsrfTokenInterceptor, configured in the default stack, is the preferred method for securing XWork controllers (actions) against XSRF abuse.

    This service should be used for the following scenarios instead:

    • Servlets, as they have no notion of XWork
    • Controllers handling Content-Type: multipart/form-data, because the underlying MultiPartRequestWrapper that decodes the parts may fail on construction, e.g. when the maximum file size is exceeded. Since the token is encoded in a part, the token check would then fail and hide the root cause.
    Since:
    5.1.4
    • Method Detail

      • generate

        @Deprecated
        default com.atlassian.fugue.Pair<String,String> generate(javax.servlet.http.HttpServletRequest request)
        Deprecated.
        Generate and bind a token pair to the session.
        Parameters:
        request - the request used to identify the session, will be created if none is present
        Returns:
        a token pair to be used for the modifying request, containing the parameter key in the left part and the token value in the right part
      • generateToken

        io.atlassian.fugue.Pair<String,String> generateToken(javax.servlet.http.HttpServletRequest request)
        Generate and bind a token pair to the session.
        Parameters:
        request - the request used to identify the session, will be created if none is present
        Returns:
        a token pair to be used for the modifying request, containing the parameter key in the left part and the token value in the right part
        Since:
        7.0.1
      • validate

        @Deprecated
        default com.atlassian.fugue.Maybe<Message> validate(javax.servlet.http.HttpServletRequest request)
        Deprecated.
        Validate if the given request contains the token bound to the request's session.
        Parameters:
        request - the request used to identify the session and containing the token parameter
        Returns:
        an error message if validation failed, so an empty result (Maybe.isEmpty()) indicates a successful flow
      • validateToken

        Optional<Message> validateToken(javax.servlet.http.HttpServletRequest request)
        Validate if the given request contains the token bound to the request's session.
        Parameters:
        request - the request used to identify the session and containing the token parameter
        Returns:
        an error message if validation failed, so an empty result (!Optional.isPresent()) indicates a successful flow
        Since:
        7.0.1
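    The servlet scenario from the list above, using the non-deprecated generateToken and validateToken methods, as an added example (not code from this page or from Atlassian). It assumes the service is obtained by constructor injection, that the servlet lives in a package that can import XsrfTokenService (the page does not show its package), and that io.atlassian.fugue.Pair exposes left() and right(); the servlet name and form fields are hypothetical.

```java
import java.io.IOException;
import java.util.Optional;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.atlassian.fugue.Pair;
// XsrfTokenService import omitted: its package is not shown on this page (assumption: same package).

// Hypothetical servlet that renders a form on GET and performs a state change on POST.
public class ProfileServlet extends HttpServlet {
    private final XsrfTokenService xsrfTokenService;

    // Assumption: the service is supplied by the host's dependency injection.
    public ProfileServlet(XsrfTokenService xsrfTokenService) {
        this.xsrfTokenService = xsrfTokenService;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Bind a token pair to the session (created if absent):
        // left() is the parameter name, right() is the token value.
        Pair<String, String> token = xsrfTokenService.generateToken(req);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print(
            "<form method=\"post\">"
            + "<input type=\"hidden\" name=\"" + attr(token.left())
            + "\" value=\"" + attr(token.right()) + "\">"
            + "<input name=\"displayName\"><button>Save</button>"
            + "</form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Validate first; an empty Optional means the submitted token matches the session.
        // Optional<?> avoids naming the Message type, whose package this page does not show.
        Optional<?> error = xsrfTokenService.validateToken(req);
        if (error.isPresent()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF token check failed");
            return; // do not touch application state on a failed check
        }
        // Only now perform the modifying operation.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Minimal HTML attribute escaping for values written into the form.
    private static String attr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

The check runs before any request-specific work, so a failed validation never leaves a partial modification behind.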