RequireSecurityToken is not working

Lionel Hutz
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 12, 2011

I have an action in a plugin that saves some plugin configuration in Bandana. The backing class has another method which corresponds to an action to view the current configuration. For some reason I can't seem to get requiring the XSRF token to work for my "save" action.

I have tried adding "@RequireSecurityToken(true)" to the save method and also "<param name="RequireSecurityToken">true</param>" to the action definition in atlassian-plugin.xml, but each time I can still save changes without adding "#form_xsrfToken()" to the form which calls the save action. I can also simply add a param to the URL and the save action is also called, e.g.:

/plugins/namespace/save.action?param1=parameter executes successfully even though it clearly doesn't have the token present.

Is there some global confluence option that I may have set which is ignoring xsrf token requirements? I am using Confluence 3.5.x.

2 votes
Answer accepted
Remo Siegwart
Rising Star
December 12, 2011

What does your action definition look like? Does your action use the <interceptor-ref name="validatingStack"/> in its <package> or <action> definition? The following structure should work:

<atlassian-plugin name='List Search Macros' key='confluence.extra.livesearch'>
    ...

    <xwork name="livesearchaction" key="livesearchaction">
        <package name="livesearch" extends="default" namespace="/plugins/livesearch">
            <default-interceptor-ref name="defaultStack" />

            <action name="livesearch" class="com.atlassian.confluence.extra.livesearch.LiveSearchAction">
                <interceptor-ref name="validatingStack"/>
                <param name="RequireSecurityToken">true</param>
                <result name="input" type="velocity">/templates/extra/livesearch/livesearchaction.vm</result>
                <result name="success" type="velocity">/templates/extra/livesearch/livesearchaction.vm</result>
            </action>
        </package>
    </xwork>
</atlassian-plugin>

Hope this helps

Lionel Hutz
Rising Star
December 12, 2011

Yes this was the issue. Thanks!

From the documentation (https://developer.atlassian.com/display/CONFDEV/Form+Token+Handling) it looks like "validatingStack" would not be needed if using annotations. Is this correct? If so, does the "RequireSecurityToken" annotation just not work for 3.5?

Also is there a more graceful way to fail if the token isn't present (like sending the user to my error vm)?

Remo Siegwart
Rising Star
December 13, 2011

I think the validatingStack is always needed because it combines multiple interceptors like captcha, validator and xsrfToken. It is defined in the file xwork.xml of your Confluence:

<interceptor-stack name="validatingStack">
    <interceptor-ref name="defaultStack"/>
    <interceptor-ref name="captcha"/>
    <interceptor-ref name="xsrfToken"/>
    <interceptor-ref name="validator"/>
    <interceptor-ref name="workflow"/>
    <interceptor-ref name="profiling">
        <param name="location">After validatingStack</param>
    </interceptor-ref>
</interceptor-stack>

You should be able to send the user to your own error template on token failure by defining an input result in your action:

<result name="input" type="velocity">/your/error.vm</result>

Hope this helps
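
As an added example (not code from this thread or from Atlassian), a small Python lint over an atlassian-plugin.xml that catches both points made in the answers above: the question's setup, where RequireSecurityToken is set but validatingStack is not referenced, so the token is silently never checked, and an action that references the stack but has no "input" result to land on after a token failure. Element names follow the snippets in the thread; the SAMPLE descriptor is constructed.

```python
import xml.etree.ElementTree as ET

STACK = "validatingStack"  # the stack that (per the thread) contains the xsrfToken interceptor

def _has_stack(action, package):
    """validatingStack referenced on the action itself, or set as the package default."""
    refs = action.findall("interceptor-ref") + package.findall("default-interceptor-ref")
    return any(r.get("name") == STACK for r in refs)

def _requires_token(action):
    """True when <param name="RequireSecurityToken">true</param> is set on the action."""
    return any(p.get("name") == "RequireSecurityToken"
               and (p.text or "").strip().lower() == "true"
               for p in action.findall("param"))

def audit_xsrf(plugin_xml):
    """Return (action URL path, finding) tuples for XSRF misconfigurations in a descriptor."""
    findings = []
    for package in ET.fromstring(plugin_xml).iter("package"):
        for action in package.findall("action"):
            path = f"{package.get('namespace', '')}/{action.get('name')}.action"
            stack = _has_stack(action, package)
            if _requires_token(action) and not stack:
                # exactly the symptom in the question: the param is present, yet
                # requests without a token still reach the save action
                findings.append((path, "RequireSecurityToken=true without validatingStack: token not enforced"))
            if stack and not any(r.get("name") == "input" for r in action.findall("result")):
                findings.append((path, "validatingStack set but no 'input' result for token failure"))
    return findings

# Constructed descriptor (not from the thread) reproducing the question's setup.
SAMPLE = """<atlassian-plugin name="demo" key="example.demo">
  <xwork name="cfg" key="cfg">
    <package name="cfg" extends="default" namespace="/plugins/namespace">
      <default-interceptor-ref name="defaultStack"/>
      <action name="save" class="example.SaveAction">
        <param name="RequireSecurityToken">true</param>
        <result name="success" type="velocity">/templates/view.vm</result>
      </action>
    </package>
  </xwork>
</atlassian-plugin>"""
```

Running `audit_xsrf(SAMPLE)` reports the save action as unprotected; adding `<interceptor-ref name="validatingStack"/>` to it then shifts the finding to the missing "input" result until that is added too.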

Lionel Hutz
Rising Star
December 13, 2011

Yes that also worked. Thanks again for all the help!

How did you figure out the "input" result trick? Just looking at the code?

Remo Siegwart
Rising Star
December 13, 2011

I'm glad that it worked!

Don't remember actually, but it's also described in the documentation:

3. ensure that your action uses <interceptor-ref name="validatingStack"/> in its <package> definition and has an "input" result - which will be used on token failure.
