xsrf token specific user


Good day Community!
How are you, health?
I am contacting you because of the problem of obtaining the xsrf token of a specific user. The Jira API has the ability to get an xsrf token for the current logged in user who calls a post function when making a transition.

String token = new JiraWebActionSupport().getXsrfToken();

 In this way, you can get a token and, for example, form a link to the transition, like this:

If the link is formatted as a button and sent through the post-function as a letter in Outlook, then you can organize a good useful workflow functionality. 

My problem is that if I form a button/link and send it to myself in Outlook, everything works as expected. But if we send a similar letter to a specific user (for example, we get the user from a user-picker type field and get his email through a getEmailAddress() method call), with the same button/link containing the token of the user who sent the email, the other user will receive an "XSRF Security Token Missing" error box. This is because the atl_token in the link is personal. It is taken from the request of the user calling the post function.

How can I get the xsrf token of the user to whom the transition link will be generated and sent? Goal: Generate a valid transition link with the atl_token parameter that will work correctly for a specific user.
I would be grateful for any help in solving this problem.


1 answer

1 accepted

Solution found:
The button that is generated in the email contains the following link, in an understandable format

<a href=\"" + baseUrl + "/plugins/servlet/new_transition_servlet?issueId=" + issueId + "&actionId=" + actionId + "\">"

In the servlet itself, we already receive the passed parameters, get a valid current xsrf token of the user who makes the transition from email, form a valid link to the transition itself and call the redirect

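import java.io.IOException;
import javax.servlet.http.*;
import com.atlassian.jira.web.action.JiraWebActionSupport;

public class NewTransitionServlet extends HttpServlet {
    // other code
    // Format string of the transition link; it is not shown in this post (placeholder)
    private static final String TRANSITION_URL_FORMAT = "<transition link format>";

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        // Parameters passed in by the link from the email
        String issueId = request.getParameter("issueId");
        String actionId = request.getParameter("actionId");
        // XSRF token of the user who opened the link (taken from the current request)
        String token = new JiraWebActionSupport().getXsrfToken();
        String redirectUrl = String.format(
                TRANSITION_URL_FORMAT, baseUrl, issueId, actionId, token);
        try {
            response.sendRedirect(redirectUrl);
        } catch (IOException e) {
            // Exception Handling
        }
    }
}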

 We get the baseUrl parameter like this

String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
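
The servlet in the accepted answer hands a fresh atl_token to any logged-in browser that requests it with an issueId and actionId, so the emailed link needs its own proof that the post function generated it for that recipient. One way to add that check before the redirect, as an added example that is not part of the original post: an HMAC over recipient, issue, action and expiry. The class name, the exp and sig parameters, the key and the sample values are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example: signed, expiring, per-recipient transition link (all names are hypothetical).
public class SignedTransitionLink {

    // HMAC-SHA256 over every field the link must be bound to.
    static String sign(byte[] key, String user, String issueId, String actionId, long exp) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        String msg = String.join("\n", user, issueId, actionId, Long.toString(exp));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
    }

    // Called by the post function when it builds the e-mail for `recipient`.
    static String query(byte[] key, String recipient, String issueId, String actionId, long exp) throws Exception {
        return "issueId=" + issueId + "&actionId=" + actionId + "&exp=" + exp
                + "&sig=" + sign(key, recipient, issueId, actionId, exp);
    }

    // Called by the servlet before it builds the redirect; `loggedInUser` is the session user.
    static boolean verify(byte[] key, String loggedInUser, String issueId, String actionId,
                          long exp, String sig, long now) throws Exception {
        if (loggedInUser == null || issueId == null || actionId == null || sig == null) return false;
        if (now > exp) return false; // link has expired
        byte[] expected = sign(key, loggedInUser, issueId, actionId, exp).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.US_ASCII)); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L, exp = now + 3600;            // constructed timestamps (epoch seconds)
        String sig = sign(key, "alice", "10001", "21", exp);    // constructed user, issue id, action id
        System.out.println(query(key, "alice", "10001", "21", exp));
        System.out.println("recipient:      " + verify(key, "alice", "10001", "21", exp, sig, now));
        System.out.println("other user:     " + verify(key, "bob", "10001", "21", exp, sig, now));
        System.out.println("changed action: " + verify(key, "alice", "10001", "31", exp, sig, now));
        System.out.println("expired link:   " + verify(key, "alice", "10001", "21", exp, sig, exp + 1));
    }
}
```

In the servlet, verify would run with the session user's name before getXsrfToken() is called, and a failed check would return an error response instead of the redirect.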
