JIRA 4.3 : Form Token Handling
This page last changed on Feb 15, 2011 by ggaskell.
Overview and Purpose

JIRA 4.1 and later employs a token authentication mechanism which is utilised whenever JIRA actions are performed, either through a link request or a form submission. This provides JIRA with a means to validate the origin and intent of the request, thus adding an additional level of security against cross-site request forgery. While the core JIRA product and its bundled plugins use this token handling mechanism by default, non-bundled plugins or those developed by third parties may not. This document provides instructions to JIRA plugin developers on how to incorporate this token handling mechanism into JIRA plugins.

Form Tokens

JIRA 4.1 requires that WebWork actions possess tokens, which are then verified when the form is submitted back to the JIRA server. This is an "opt in" mechanism, whereby actions must declare that they require a token to be present in the request.

Turning off Form Token Checking

Form token checking can be switched off at a system-wide level by updating the jira-application.properties file with the following:

    jira.xsrf.enabled=false

Instructions for Plugin Developers

The following subsections provide details on how to implement form token handling into your JIRA plugin. Please be aware that once form token handling has been implemented into a JIRA plugin:
JIRA WebWork Actions

To enable token checking for a particular Action class
Providing the token in HTML Forms

The token is included by default when using a jiraform. The token can be included into your own JSPs that don't use jiraforms by adding the following code:

    <webwork:component name="'atl_token'" value="/xsrfToken" template="hidden.jsp"/>

The following code can be added to Velocity Templates:

    <input type="hidden" name="atl_token" value="$atl_token" />

Providing the token in HTML links

You can do the following in JSPs:

    MyAction.jspa?myParameter=true&atl_token=<webwork:property value="/xsrfToken"/>

or in Velocity Templates:

    MyAction.jspa?myParameter=true&atl_token=${atl_token}

Accessing the token programmatically

To get hold of the current user's token, you will need to make the following call (request is the current HttpServletRequest):

    import com.atlassian.jira.ComponentManager;
    import com.atlassian.jira.security.xsrf.XsrfTokenGenerator;

    // Look up the generator from the JIRA component container, then ask it for the token bound to this request
    XsrfTokenGenerator xsrfTokenGenerator = ComponentManager.getComponentInstanceOfType(XsrfTokenGenerator.class);
    String token = xsrfTokenGenerator.generateToken(request);

Scripting

Scripts that access JIRA remotely may have trouble acquiring or returning a security token, or maintaining an HTTP session with the server. There is a way for scripts to opt out of token checking by providing the following HTTP header in the request:

    X-Atlassian-Token: no-check

RELATED TOPICS

For more information, refer to the Open Web Application Security Project page.
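To make the mechanism described in the sections above concrete, here is an added, self-contained illustration that is not JIRA's own code and uses none of its classes: a session-bound atl_token that is rendered into a hidden field or appended to a link, then verified when the request comes back. Session and Request are constructed stand-ins for the servlet session and request, and FormTokenDemo, hiddenField, link and tokenIsValid are names chosen for this example.

```java
// Added illustration, not JIRA's own code: a minimal session-bound form
// token modelled on the atl_token mechanism described above. Session and
// Request are stand-ins for the servlet session and request.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class FormTokenDemo {

    /** Parameter name JIRA uses for the token in forms and links. */
    static final String TOKEN_PARAM = "atl_token";
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for an HTTP session: one unpredictable token per session, created on first use. */
    static final class Session {
        private String token;

        synchronized String token() {
            if (token == null) {
                byte[] raw = new byte[24];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            }
            return token;
        }
    }

    /** Stand-in for a request: the session it arrived with plus its parameters. */
    static final class Request {
        final Session session;
        final Map<String, String> params = new HashMap<>();

        Request(Session session) {
            this.session = session;
        }
    }

    /** Hidden field for a hand-written form, equivalent to the Velocity snippet above. */
    static String hiddenField(Session session) {
        return "<input type=\"hidden\" name=\"" + TOKEN_PARAM
                + "\" value=\"" + session.token() + "\" />";
    }

    /** Link carrying the token, equivalent to the JSP/Velocity link snippets above. */
    static String link(String url, Session session) {
        String sep = url.contains("?") ? "&" : "?";
        return url + sep + TOKEN_PARAM + "=" + session.token();
    }

    /**
     * The server-side check an action runs before doing anything state-changing.
     * A cross-site page can make the victim's browser send the session cookie,
     * but it cannot read the token, so a forged request lacks a matching value.
     */
    static boolean tokenIsValid(Request req) {
        String supplied = req.params.get(TOKEN_PARAM);
        if (supplied == null) {
            return false; // missing token: reject rather than fall back to the cookie alone
        }
        byte[] a = supplied.getBytes(StandardCharsets.UTF_8);
        byte[] b = req.session.token().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b); // constant-time comparison
    }

    public static void main(String[] args) {
        Session victim = new Session();
        System.out.println(hiddenField(victim));
        System.out.println(link("MyAction.jspa?myParameter=true", victim));

        // Constructed requests: a genuine submission from the rendered form ...
        Request genuine = new Request(victim);
        genuine.params.put("myParameter", "true");
        genuine.params.put(TOKEN_PARAM, victim.token());
        System.out.println("genuine submission accepted: " + tokenIsValid(genuine));

        // ... one without a token, and one carrying a token from a different session.
        Request noToken = new Request(victim);
        noToken.params.put("myParameter", "true");
        System.out.println("submission without token accepted: " + tokenIsValid(noToken));

        Request wrongSession = new Request(victim);
        wrongSession.params.put(TOKEN_PARAM, new Session().token());
        System.out.println("token from another session accepted: " + tokenIsValid(wrongSession));
    }
}
```

Run with javac FormTokenDemo.java && java FormTokenDemo. The two properties that matter are that the token is tied to the session that issued it, and that a request with no token at all is refused instead of being treated as trusted; the X-Atlassian-Token: no-check opt-out from the Scripting section is not modelled here.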
Document generated by Confluence on Mar 27, 2011 18:54