xsrf token specific user

Andrei Pastushenko March 25, 2022

Good day, Community!
How are you, and how is your health?
I am contacting you about the problem of obtaining the XSRF token of a specific user. The Jira API can return the XSRF token of the currently logged-in user who calls a post-function when making a transition:

String token = new JiraWebActionSupport().getXsrfToken();

In this way, you can get a token and, for example, build a link to the transition, like this:

https://myjira.com/secure/WorkflowUIDispatcher.jspa?id=1754649&action=81&atl_token=ABCD-E1FG-2HIJ-KLMN_6fa77287541d758ec0b972fc9fccdbe1e41275ed_lin

If the link is formatted as a button and sent from the post-function as an email in Outlook, you can build some genuinely useful workflow functionality.

My problem is that if I build a button/link and send it to myself in Outlook, everything works as expected. But if we send a similar email to a specific user (for example, one taken from a user-picker field, whose address we get by calling getEmailAddress()), with the same button/link containing the token of the user who sent the email, the other user receives an "XSRF Security Token Missing" error box. This is because the atl_token in the link is personal: it is taken from the request of the user calling the post-function.

How can I get the xsrf token of the user to whom the transition link will be generated and sent? Goal: Generate a valid transition link with the atl_token parameter that will work correctly for a specific user.
I would be grateful for any help in solving this problem.


1 answer

1 accepted

1 vote
Answer accepted
Andrei Pastushenko April 7, 2022

Solution found:
The button generated in the email contains the following link, in readable form:

<a href=\"" + baseUrl + "/plugins/servlet/new_transition_servlet?issueId=" + issueId + "&actionId=" + actionId + "\">"

In the servlet itself, we receive the passed parameters, get the valid current XSRF token of the user who makes the transition from the email, build a valid link to the transition itself and redirect to it:

import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.config.properties.APKeys;
import com.atlassian.jira.web.action.JiraWebActionSupport;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class NewTransitionServlet extends HttpServlet {
    // other code

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        // Parameters carried by the link in the email
        String issueId = request.getParameter("issueId");
        String actionId = request.getParameter("actionId");
        // XSRF token of the user whose browser is calling this servlet (the email recipient)
        String token = new JiraWebActionSupport().getXsrfToken();
        String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
        String redirectUrl = String.format(
                "%s/secure/WorkflowUIDispatcher.jspa?id=%s&action=%s&atl_token=%s",
                baseUrl, issueId, actionId, token
        );
        try {
            response.sendRedirect(redirectUrl);
        } catch (IOException e) {
            // Exception Handling
        }
    }
}

We get the baseUrl parameter like this:

String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
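The servlet above performs the transition as soon as the signed-in recipient's browser loads the servlet URL, which is exactly the kind of automatic, token-bearing request the atl_token check exists to stop. Below is an added hardened variant (not the author's code; it assumes the same Jira plugin classes used on the page and that WorkflowUIDispatcher.jspa accepts the same GET parameters as the link in the question): it validates the ids and renders a confirmation form, so the token is only sent when the user actually clicks.

```java
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.config.properties.APKeys;
import com.atlassian.jira.web.action.JiraWebActionSupport;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

public class ConfirmTransitionServlet extends HttpServlet {
    private static final Pattern NUMERIC = Pattern.compile("\\d{1,19}");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String issueId = request.getParameter("issueId");
        String actionId = request.getParameter("actionId");
        // Reject anything that is not a plain numeric id before it is written into HTML or a URL
        if (issueId == null || actionId == null
                || !NUMERIC.matcher(issueId).matches() || !NUMERIC.matcher(actionId).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "issueId and actionId must be numeric");
            return;
        }
        String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
        String token = new JiraWebActionSupport().getXsrfToken();  // token of the signed-in caller

        // Render a confirmation form instead of redirecting: the browser builds the same
        // WorkflowUIDispatcher.jspa?id=..&action=..&atl_token=.. URL as the page's link, but
        // only when the user submits the form, so merely loading this URL does nothing.
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");  // do not let the token-bearing page be cached
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html><html><body>");
        out.println("<form method=\"get\" action=\"" + baseUrl + "/secure/WorkflowUIDispatcher.jspa\">");
        out.println("  <input type=\"hidden\" name=\"id\" value=\"" + issueId + "\">");
        out.println("  <input type=\"hidden\" name=\"action\" value=\"" + actionId + "\">");
        out.println("  <input type=\"hidden\" name=\"atl_token\" value=\"" + token + "\">");
        out.println("  <p>Transition issue " + issueId + " with workflow action " + actionId + "?</p>");
        out.println("  <button type=\"submit\">Confirm transition</button>");
        out.println("</form></body></html>");
    }
}
```

The email link stays exactly as in the answer (issueId and actionId only, no token); the recipient sees one confirmation page and Jira still validates atl_token on the request the form submits.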
