Class DefaultXsrfTokenValidationManager

java.lang.Object
com.atlassian.confluence.impl.xsrf.DefaultXsrfTokenValidationManager
All Implemented Interfaces:
XsrfTokenValidationManager

public class DefaultXsrfTokenValidationManager extends Object implements XsrfTokenValidationManager
Defines global XSRF token validation rules. Currently only applies to Struts Actions but should be unified with other XSRF validation logic and extended to support all requests.

Struts Actions can be configured for XSRF protection as follows (in order of precedence):

  • Annotating the Action method with XsrfProtectionRequired
  • Annotating the Action method with XsrfProtectionExcluded
  • Configuring the Action param RequireSecurityToken in struts.xml or atlassian-plugin.xml
  • Annotating the Action method with RequireSecurityToken
Behaviour when an Action is not explicitly configured is defined by the StrutsXSRFConfig.
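
The precedence list above, modelled as an added example (not Confluence's own code). It assumes the first configured source in the listed order decides; the annotations are local stand-ins that share only their simple names with the real ones, and `tokenRequired`, `actionParam`, `defaultRequired` and `SampleAction` are hypothetical names.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;

public class XsrfPrecedenceDemo {
    // Stand-in annotations so this file compiles alone; only the simple names come from the page.
    @Retention(RetentionPolicy.RUNTIME) @interface XsrfProtectionRequired {}
    @Retention(RetentionPolicy.RUNTIME) @interface XsrfProtectionExcluded {}
    @Retention(RetentionPolicy.RUNTIME) @interface RequireSecurityToken { boolean value(); }

    /**
     * Hypothetical resolver: the first configured source in the documented order decides.
     * actionParam models the RequireSecurityToken action param (null = not set);
     * defaultRequired models whatever StrutsXSRFConfig says for unconfigured actions.
     */
    static boolean tokenRequired(Method m, Boolean actionParam, boolean defaultRequired) {
        if (m.isAnnotationPresent(XsrfProtectionRequired.class)) return true;
        if (m.isAnnotationPresent(XsrfProtectionExcluded.class)) return false;
        if (actionParam != null) return actionParam;
        RequireSecurityToken rst = m.getAnnotation(RequireSecurityToken.class);
        return rst != null ? rst.value() : defaultRequired;
    }

    // Constructed sample action with deliberately conflicting settings.
    static class SampleAction {
        @XsrfProtectionRequired @XsrfProtectionExcluded public String both() { return "success"; }
        @XsrfProtectionExcluded @RequireSecurityToken(true) public String excluded() { return "success"; }
        @RequireSecurityToken(true) public String annotated() { return "success"; }
        public String unconfigured() { return "success"; }
    }

    static void show(String method, Boolean param, boolean dflt) throws NoSuchMethodException {
        Method m = SampleAction.class.getDeclaredMethod(method);
        System.out.printf("%-13s param=%-5s default=%-5s -> token required: %b%n",
                method, param, dflt, tokenRequired(m, param, dflt));
    }

    public static void main(String[] args) throws NoSuchMethodException {
        show("both", null, false);          // XsrfProtectionRequired outranks XsrfProtectionExcluded
        show("excluded", true, true);       // XsrfProtectionExcluded outranks param and RequireSecurityToken
        show("annotated", false, true);     // action param outranks the RequireSecurityToken annotation
        show("annotated", null, false);     // annotation applies when no param is set
        show("unconfigured", null, true);   // nothing configured: the default decides
    }
}
```

When reviewing a plugin, the cases worth checking are the ones where a higher-ranked source silently disables protection that a lower-ranked annotation appears to request.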
See Also:
  • ServletModuleContainerServlet.requestRequiresProtection(HttpServletRequest)

  • Constructor Details

    • DefaultXsrfTokenValidationManager

      public DefaultXsrfTokenValidationManager(XsrfTokenService tokenService)
  • Method Details

    • isRequestExempt

      public boolean isRequestExempt(MappedAction mappedAction, javax.servlet.http.HttpServletRequest request)
      Description copied from interface: XsrfTokenValidationManager
      Check whether the given action and request are exempt from XSRF token protection checks.
      Specified by:
      isRequestExempt in interface XsrfTokenValidationManager
      Parameters:
      mappedAction - the mapped Struts action if one exists, else null
      request - the current HttpServletRequest
      Returns:
      true if the request should be exempt from the XSRF check, false otherwise.
    • isRequestValid

      public boolean isRequestValid(MappedAction mappedAction, javax.servlet.http.HttpServletRequest request)
      Description copied from interface: XsrfTokenValidationManager
      Check if this request passes XSRF token checks.
      Specified by:
      isRequestValid in interface XsrfTokenValidationManager
      Parameters:
      mappedAction - the mapped Struts action if one exists, else null
      request - the current HttpServletRequest
      Returns:
      true if the request passes XSRF token validations, false otherwise.