xsrf token specific user

Andrei Pastushenko March 25, 2022

Good day Community!
How are you, health?
I am contacting you because of the problem of obtaining the xsrf token of a specific user. The Jira API has the ability to get an xsrf token for the current logged in user who calls a post function when making a transition.

String token = new JiraWebActionSupport().getXsrfToken();

 In this way, you can get a token and, for example, form a link to the transition, like this:


If the link is formatted as a button and sent through the post-function as a letter in Outlook, then you can organize a good useful workflow functionality. 

My problem is that if I form a button/link and send it to myself in Outlook, then everything works as expected, but if we send a similar letter to a specific user, for example, we get it from a user-picker type field and get his email through a method call getEmailAddress(), with the same button/link and containing the token of the user who sent the email, the other user will receive an "XSRF Security Token Missing" error box. This is because the atl_token in the link is personal. It is taken from the request of the user calling the post function.

How can I get the xsrf token of the user to whom the transition link will be generated and sent? Goal: Generate a valid transition link with the atl_token parameter that will work correctly for a specific user.
I would be grateful for any help in solving this problem.


1 answer

1 accepted

1 vote
Answer accepted
Andrei Pastushenko April 7, 2022

Solution found:
The button that is generated in the email contains the following link, in an understandable format

<a href=\"" + baseUrl + "/plugins/servlet/new_transition_servlet?issueId=" + issueId + "&actionId=" + actionId + "\">"

In the servlet itself, we already receive the passed parameters, get a valid current xsrf token of the user who makes the transition from email, form a valid link to the transition itself and call the redirect

public class NewTransitionServlet extends HttpServlet {
// other code

protected void doGet(HttpServletRequest request, HttpServletResponse response) {
String issueId = request.getParameter("issueId");
String actionId = request.getParameter("actionId");
String token = new JiraWebActionSupport().getXsrfToken();
String redirectUrl = String.format(
baseUrl, issueId, actionId, token
try {
} catch (IOException e) {
// Exception Handling

 We get the baseUrl parameter like this

String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL)

Suggest an answer

Log in or Sign up to answer