Good day!
I am faced with the fact that I cannot find a tool in the API for obtaining the XSRF token of another user.
As you know, the transition link looks something like this:
The URL contains the atl_token parameter, which holds the XSRF token. Conventionally, the value of this parameter consists of three parts, separated by underscores.
ABCD-E1FG-2HIJ-KLMN _ 6af6c93cd1fac06aad5da3b212829dd668872aa5 _ lin
The first part, "ABCD-E1FG-2HIJ-KLMN", is unchanged for all users, as is the postfix "lin". Between them is a token unique to each user, for example "6af6c93cd1fac06aad5da3b212829dd668872aa5".
If the goal is to get your own xsrf token, then just call the method:
String token = new JiraWebActionSupport().getXsrfToken();
Why might this be needed? For example, you can generate a URL for the transition and send it by e-mail so that it can be executed immediately from the body of the letter. Actually, I'm trying to implement a post-function with such functionality. The post function works correctly, but only if I use the above method to get a token and send an email to myself. If you send a URL designed as a button to another user, then the other user, when trying to navigate through the URL/button, receives the warning "XSRF Security Token Missing". This is because Jira sees a completely different, alien token when the request is made.
An idea came up: since I have not yet found a ready-made, working tool in the API (and perhaps one doesn't exist at all), I could get the part of the token that is unique to each user from the database. My problem is that at the moment I don't know which table stores the actual unique token that is substituted when generating the XSRF token and the value of the atl_token parameter in the URL. The idea is that any user, having received a targeted personal email at his work address, can make one of the proposed transitions from the body of the letter by clicking the buttons/URLs attached to the letter, making this transition exactly as if he had clicked the jump button in Jira itself.
This idea only works if the user who calls the post function sends an email to himself with his unique token in the "atl_token" URL parameter.
How can I get the necessary part of the token, or the whole token, of another user, or in which table is the desired value stored?
I would be grateful for any help/hint.
This question is a sub-question:
https://community.atlassian.com/t5/Jira-Core-Server-questions/xsrf-token-specific-user/qaq-p/1983159