xsrf token specific user


Good day Community!
How are you, health?
I am contacting you because of the problem of obtaining the xsrf token of a specific user. The Jira API has the ability to get an xsrf token for the current logged in user who calls a post function when making a transition.

String token = new JiraWebActionSupport().getXsrfToken();

In this way, you can get a token and, for example, form a link to the transition, like this:

If the link is formatted as a button and sent through the post-function as a letter in Outlook, then you can organize a good useful workflow functionality. 

My problem is that if I form a button/link and send it to myself in Outlook, then everything works as expected, but if we send a similar letter to a specific user, for example, we get it from a user-picker type field and get his email through a method call getEmailAddress(), with the same button/link and containing the token of the user who sent the email, the other user will receive an "XSRF Security Token Missing" error box. This is because the atl_token in the link is personal. It is taken from the request of the user calling the post function.

How can I get the xsrf token of the user to whom the transition link will be generated and sent? Goal: Generate a valid transition link with the atl_token parameter that will work correctly for a specific user.
I would be grateful for any help in solving this problem.


1 answer

1 accepted

Solution found:
The button that is generated in the email contains the following link, in an understandable format

<a href=\"" + baseUrl + "/plugins/servlet/new_transition_servlet?issueId=" + issueId + "&actionId=" + actionId + "\">"

In the servlet itself, we already receive the passed parameters, get a valid current xsrf token of the user who makes the transition from email, form a valid link to the transition itself and call the redirect:

public class NewTransitionServlet extends HttpServlet {
    // other code

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String issueId = request.getParameter("issueId");
        String actionId = request.getParameter("actionId");
        // XSRF token of the user whose browser opened the link from the email
        String token = new JiraWebActionSupport().getXsrfToken();
        String redirectUrl = String.format(
                // the format pattern of the transition link is not preserved in the post
                baseUrl, issueId, actionId, token
        );
        try {
            // send the browser on to the transition link
            response.sendRedirect(redirectUrl);
        } catch (IOException e) {
            // Exception Handling
        }
    }
}

We get the baseUrl parameter like this:

String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
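
Added example, not part of the original answer and not Atlassian's code: the servlet in the answer hands a token to whichever logged-in browser requests the URL and redirects at once, so loading that URL is enough to run the transition. The variant below validates both ids and renders a confirmation link instead of redirecting. The class name, the numeric-id rule and the TRANSITION_URL_FORMAT placeholder (the post does not show the real pattern) are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.config.properties.APKeys;
import com.atlassian.jira.web.action.JiraWebActionSupport;

public class ConfirmTransitionServlet extends HttpServlet {
    // Assumption: issue ids and workflow action ids are plain decimal numbers.
    private static final Pattern NUMERIC_ID = Pattern.compile("\\d{1,18}");
    // Placeholder: the post does not show the transition URL pattern. Put the
    // real one here with four %s slots: base URL, issue id, action id, token.
    private static final String TRANSITION_URL_FORMAT =
            "%s/TRANSITION-PATH-PLACEHOLDER?issueId=%s&actionId=%s&atl_token=%s";

    static boolean isNumericId(String value) {
        return value != null && NUMERIC_ID.matcher(value).matches();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String issueId = request.getParameter("issueId");
        String actionId = request.getParameter("actionId");
        // Reject anything that is not a bare number before it reaches a URL or HTML.
        if (!isNumericId(issueId) || !isNumericId(actionId)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid issueId or actionId");
            return;
        }
        String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
        // Token of the user whose browser made this request, obtained as in the answer.
        String token = new JiraWebActionSupport().getXsrfToken();
        String transitionUrl = String.format(TRANSITION_URL_FORMAT,
                baseUrl, issueId, actionId, URLEncoder.encode(token, "UTF-8"));
        // The page carries the token and the click is the user's confirmation,
        // so it must be neither cached nor shown inside a frame.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("X-Frame-Options", "DENY");
        response.setContentType("text/html;charset=UTF-8");
        // No redirect: the transition runs only when the user follows this link.
        response.getWriter().printf(
                "<p>Run workflow action %s on issue %s?</p><p><a href=\"%s\">Confirm</a></p>",
                actionId, issueId, transitionUrl.replace("&", "&amp;"));
    }
}
```

The emailed button keeps pointing at the servlet with only issueId and actionId, so no token ever travels in the mail itself.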
