xsrf token specific user


Good day Community!
How are you, health?
I am contacting you because of a problem with obtaining the XSRF token of a specific user. The Jira API makes it possible to get an XSRF token for the currently logged-in user who calls a post function when making a transition.

String token = new JiraWebActionSupport().getXsrfToken();

In this way, you can get a token and, for example, form a link to the transition, like this:

https://myjira.com/secure/WorkflowUIDispatcher.jspa?id=1754649&action=81&atl_token=ABCD-E1FG-2HIJ-KLMN_6fa77287541d758ec0b972fc9fccdbe1e41275ed_lin

If the link is formatted as a button and sent through the post function as an email in Outlook, then you can organize good, useful workflow functionality.

My problem is that if I form a button/link and send it to myself in Outlook, then everything works as expected. But if we send a similar email to a specific user (for example, we get the user from a user-picker type field and get their email through a call to getEmailAddress()), with the same button/link containing the token of the user who sent the email, the other user will receive an "XSRF Security Token Missing" error box. This is because the atl_token in the link is personal. It is taken from the request of the user calling the post function.

How can I get the xsrf token of the user to whom the transition link will be generated and sent? Goal: Generate a valid transition link with the atl_token parameter that will work correctly for a specific user.
I would be grateful for any help in solving this problem.


1 answer

1 accepted

Solution found:
The button that is generated in the email contains the following link, in an understandable format:

"<a href=\"" + baseUrl + "/plugins/servlet/new_transition_servlet?issueId=" + issueId + "&actionId=" + actionId + "\">"

In the servlet itself, we already receive the passed parameters, get a valid current XSRF token of the user who makes the transition from the email, form a valid link to the transition itself and call the redirect:

    public class NewTransitionServlet extends HttpServlet {
        // other code

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response) {
            // Parameters passed in the link from the email
            String issueId = request.getParameter("issueId");
            String actionId = request.getParameter("actionId");
            // XSRF token of the user whose browser opened the link
            String token = new JiraWebActionSupport().getXsrfToken();
            String redirectUrl = String.format(
                "%s/secure/WorkflowUIDispatcher.jspa?id=%s&action=%s&atl_token=%s",
                baseUrl, issueId, actionId, token
            );
            try {
                response.sendRedirect(redirectUrl);
            } catch (IOException e) {
                // Exception Handling
            }
        }
    }

We get the baseUrl parameter like this:

    String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
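
The servlet in the answer fetches the caller's token on a plain GET and redirects straight to the transition, so the transition runs without the user confirming anything and the token ends up in a URL. As an added example (not code from the original post), here is a variant that validates the two ids and returns a confirmation form carrying the token in a hidden field, so the transition is requested only when the user submits it. Assumptions: the class name ConfirmTransitionServlet is hypothetical, and WorkflowUIDispatcher.jspa is assumed to accept the same id, action and atl_token parameters from a POST form.

```java
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.config.properties.APKeys;
import com.atlassian.jira.web.action.JiraWebActionSupport;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

// Hypothetical class name; an added example, not the servlet from the answer.
public class ConfirmTransitionServlet extends HttpServlet {
    // Issue ids and workflow action ids are numeric; anything else is rejected
    // so request input cannot add parameters or markup to the generated page.
    private static final Pattern NUMERIC_ID = Pattern.compile("\\d{1,18}");

    static boolean isNumericId(String value) {
        return value != null && NUMERIC_ID.matcher(value).matches();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String issueId = request.getParameter("issueId");
        String actionId = request.getParameter("actionId");
        if (!isNumericId(issueId) || !isNumericId(actionId)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid issueId or actionId");
            return;
        }
        String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
        // Token of the user who opened the link, obtained as in the answer.
        String token = new JiraWebActionSupport().getXsrfToken();

        // The token goes into the page body, not a URL, and the transition is
        // requested only when the user submits the form.
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("X-Frame-Options", "DENY");
        PrintWriter out = response.getWriter();
        out.printf("<form method=\"post\" action=\"%s/secure/WorkflowUIDispatcher.jspa\">%n", baseUrl);
        out.printf("<input type=\"hidden\" name=\"id\" value=\"%s\">%n", issueId);
        out.printf("<input type=\"hidden\" name=\"action\" value=\"%s\">%n", actionId);
        out.printf("<input type=\"hidden\" name=\"atl_token\" value=\"%s\">%n", token);
        out.printf("<button type=\"submit\">Confirm transition %s on issue %s</button>%n", actionId, issueId);
        out.println("</form>");
    }
}
```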
