I have an action in a plugin that saves some plugin configuration in Bandana. The backing class has another method which corresponds to an action to view the current configuration. For some reason I can't seem to get requiring the XSRF token to work for my "save" action.
I have tried adding @RequireSecurityToken(true) to the save method and also <param name="RequireSecurityToken">true</param> to the action definition in atlassian-plugin.xml, but each time I can still save changes without adding #form_xsrfToken() to the form which calls the save action. I can also simply add a param to the URL and the save action is also called, e.g.:
/plugins/namespace/save.action?param1=parameter executes successfully even though it clearly doesn't have the token present.
Is there some global confluence option that I may have set which is ignoring xsrf token requirements? I am using Confluence 3.5.x.
What does your action definition look like? Does your action use the <interceptor-ref name="validatingStack"/> in its <package> or <action> definition? The following structure should work:
<atlassian-plugin name='List Search Macros' key='confluence.extra.livesearch'>
    ...
    <xwork name="livesearchaction" key="livesearchaction">
        <package name="livesearch" extends="default" namespace="/plugins/livesearch">
            <default-interceptor-ref name="defaultStack" />
            <action name="livesearch" class="com.atlassian.confluence.extra.livesearch.LiveSearchAction">
                <interceptor-ref name="validatingStack"/>
                <param name="RequireSecurityToken">true</param>
                <result name="input" type="velocity">/templates/extra/livesearch/livesearchaction.vm</result>
                <result name="success" type="velocity">/templates/extra/livesearch/livesearchaction.vm</result>
            </action>
        </package>
    </xwork>
</atlassian-plugin>
Hope this helps
Yes this was the issue. Thanks!
From the documentation (https://developer.atlassian.com/display/CONFDEV/Form+Token+Handling) it looks like "validatingStack" would not be needed if using annotations. Is this correct? If so, does the "RequireSecurityToken" annotation just not work for 3.5?
Also is there a more graceful way to fail if the token isn't present (like sending the user to my error vm)?
I think the validatingStack is always needed because it combines multiple interceptors like captcha, validator and xsrfToken. It is defined in the file xwork.xml of your Confluence:
<interceptor-stack name="validatingStack">
    <interceptor-ref name="defaultStack"/>
    <interceptor-ref name="captcha"/>
    <interceptor-ref name="xsrfToken"/>
    <interceptor-ref name="validator"/>
    <interceptor-ref name="workflow"/>
    <interceptor-ref name="profiling">
        <param name="location">After validatingStack</param>
    </interceptor-ref>
</interceptor-stack>
You should be able to send the user to your own error template on token failure by defining an input result in your action:
<result name="input" type="velocity">/your/error.vm</result>
Hope this helps
Yes that also worked. Thanks again for all the help!
How did you figure out the "input" result trick? Just looking at the code?
I'm glad that it worked!
Don't remember actually, but it's also described in the documentation:
3. ensure that your action uses <interceptor-ref name="validatingStack"/> in its <package> definition and has an "input" result - which will be used on token failure.
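To tie the two answers together, here is an added example of what the backing class from the question could look like once the fix is applied: a read-only "view" method and a state-changing "save" method on one class, with only the save path carrying @RequireSecurityToken(true). This is illustrative code written for this thread, not the original poster's class and not Atlassian's own code; the package name, the Bandana key, the "error" result name and the SettingsAction/ConfluenceActionSupport/BandanaManager wiring are assumptions about a typical Confluence 3.x plugin, and the isPermitted() override assumes the permissionManager and getRemoteUser() helpers inherited from ConfluenceActionSupport. The annotation by itself does nothing at runtime; enforcement comes from the xsrfToken interceptor inside validatingStack, so the <action> for "save" must reference that stack and declare an "input" result (the error template) as the second answer describes, and the Velocity form that posts to it must include #form_xsrfToken() so the request carries the token.

```java
package com.example.confluence.settings; // hypothetical plugin package

import com.atlassian.bandana.BandanaManager;
import com.atlassian.confluence.core.ConfluenceActionSupport;
import com.atlassian.confluence.setup.bandana.ConfluenceBandanaContext;
import com.atlassian.xwork.RequireSecurityToken;

/**
 * Backing class for two XWork actions declared in atlassian-plugin.xml:
 *
 *   <action name="view" class="...SettingsAction" method="doDefault">
 *       <result name="success" type="velocity">/templates/settings.vm</result>
 *   </action>
 *   <action name="save" class="...SettingsAction">
 *       <interceptor-ref name="validatingStack"/>   <!-- brings in xsrfToken -->
 *       <param name="RequireSecurityToken">true</param>
 *       <result name="input" type="velocity">/templates/token-error.vm</result>
 *       <result name="success" type="velocity">/templates/settings.vm</result>
 *   </action>
 *
 * Without validatingStack on the "save" action the annotation below is
 * never evaluated, which is the behaviour the question describes.
 */
public class SettingsAction extends ConfluenceActionSupport {

    // Constructed key; a real plugin would namespace it under its plugin key.
    private static final String BANDANA_KEY = "com.example.confluence.settings.value";

    private BandanaManager bandanaManager; // injected by the plugin framework
    private String value;                  // bound from the form field "value"

    public void setBandanaManager(BandanaManager bandanaManager) {
        this.bandanaManager = bandanaManager;
    }

    public void setValue(String value) {
        this.value = value;
    }

    public String getValue() {
        return value;
    }

    // Both actions change or expose global configuration, so restrict them to
    // administrators. Assumption: permissionManager and getRemoteUser() are
    // the helpers inherited from ConfluenceActionSupport in Confluence 3.x.
    @Override
    public boolean isPermitted() {
        return permissionManager.isConfluenceAdministrator(getRemoteUser());
    }

    // Read-only view (safe GET): no token required, so the page stays linkable.
    @Override
    public String doDefault() throws Exception {
        Object stored = bandanaManager.getValue(new ConfluenceBandanaContext(), BANDANA_KEY);
        value = stored == null ? "" : stored.toString();
        return SUCCESS;
    }

    // State change: the xsrfToken interceptor validates the atl_token from
    // #form_xsrfToken() before this method runs. A missing or stale token
    // returns the "input" result (the error template) and never reaches here.
    @RequireSecurityToken(true)
    @Override
    public String execute() throws Exception {
        bandanaManager.setValue(new ConfluenceBandanaContext(), BANDANA_KEY, value);
        return SUCCESS;
    }
}
```

A quick check after wiring this up: request save.action directly in the browser with only a query parameter, as in the question. With validatingStack in place the response should be the token-error template rather than a saved value; if the save still goes through, the "save" <action> is not picking up the stack (for example because it inherits only the package's defaultStack).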