#form_xsrfToken() doesn't get rendered


I am working on a Confluence plugin which uses a REST resource to upload a file to Confluence via an HTML form in a .vm file, which is loaded from within a servlet using TemplateRenderer.

Because I am receiving “XSRF check failed” when I call my REST function (POST) after submitting the HTML form, I found via Google that I should use the #form_xsrfToken() macro within my HTML form.

Unfortunately this doesn't get rendered, it appears in the text …

Any help with this would be greatly appreciated!

Thanx in advance,

Post the code responsible for showing the form in the first place, along with the respective part of the Atlassian XML.
Is that an action that extends the ConfluenceActionSupport?
If the macro appears as is, it means that it is unknown/null; check the spelling.



```xml
<web-resource key="scontent2-resources" name="scontent2 Web Resources">
    <resource type="download" name="scontent2.css" location="/css/scontent2.css"/>
    <resource type="download" name="scontent2.js" location="/js/scontent2.js"/>
    <resource type="download" name="images/" location="/images"/>
</web-resource>

<servlet name="Config Servlet" i18n-name-key="config-servlet.name" key="config-servlet" class="com.mycompany.plugins.servlet.ConfigServlet">
    <description key="config-servlet.description">The Config Servlet Plugin</description>
</servlet>
```


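```java
@Named("ConfigServlet")
public class ConfigServlet extends HttpServlet {

    private static final Logger log = LoggerFactory.getLogger(ConfigServlet.class);

    private final TemplateRenderer templateRenderer;
    private final PageBuilderService pageBuilderService;

    // Both fields are final, so they must be assigned through the constructor.
    @Inject
    public ConfigServlet(TemplateRenderer templateRenderer, PageBuilderService pageBuilderService) {
        this.templateRenderer = templateRenderer;
        this.pageBuilderService = pageBuilderService;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Render the Velocity template directly to the response writer.
        templateRenderer.render("templates/main.vm", resp.getWriter());
    }
}
```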


```html
<form id="scBannerForm" method="POST" enctype="multipart/form-data" action="/confluence/rest/upload/1.0/file/banner" class="aui">
```


Thanx & regards,

I don't think you can use the form macro from a servlet unless you inject the XsrfTokenGenerator and generate the token, then you validate it. Switch the servlet to an action and your problem will magically disappear.


I think so too.

Thank You for Your very valid and appreciated input!


Typing from mobile is ugly. I am glad it makes sense :slight_smile:

Hi Panos!

Guess what happened:

I created an XWork Action which loads the .vm which incorporates the #form_xsrfToken macro and the result is the same:

The macro now isn't shown in the text anymore, but there still is “XSRF_CHECK failed” …

The log shows:

[common.security.jersey.XsrfResourceFilter] passesAllXsrfChecks XSRF checks failed for request: http://myurl:1990/rest/upload/1.0/file/banner , origin: null , referrer: null

Any idea about that?

Thanx & Regards,

Please read this one https://developer.atlassian.com/confdev/confluence-plugin-guide/writing-confluence-plugins/form-token-handling


The only way I got it working was to use a custom JS Form submit function which uses ajax to do the REST call and providing the appropriate header “X-Atlassian-Token: no-check”
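
The approach described in the last post, as an added example that is not code from the thread: the form's native submit is replaced by a scripted multipart POST that carries the `X-Atlassian-Token: no-check` header. The URL and form id are taken from the form posted above; the function names and the injectable `fetchImpl` parameter are assumptions made for illustration.

```javascript
// Added example, not from the thread. UPLOAD_URL is the form's action
// attribute from the original post; function names are hypothetical.
const UPLOAD_URL = "/confluence/rest/upload/1.0/file/banner";

// Build the fetch() arguments for the multipart upload.
// `body` is a FormData object when called from the browser.
function buildUploadRequest(body) {
  return {
    url: UPLOAD_URL,
    options: {
      method: "POST",
      // Header named in the thread. A plain cross-site <form> post cannot
      // set custom headers, and a cross-origin fetch/XHR that sets one
      // triggers a CORS preflight.
      headers: { "X-Atlassian-Token": "no-check" },
      // No Content-Type here: the browser adds it with the multipart boundary.
      body,
      // Send the session cookie only to our own origin.
      credentials: "same-origin",
    },
  };
}

// Send the upload and surface a rejected request as an error.
async function submitBanner(body, fetchImpl = fetch) {
  const { url, options } = buildUploadRequest(body);
  const resp = await fetchImpl(url, options);
  if (!resp.ok) {
    const text = await resp.text();
    throw new Error(`Upload failed (${resp.status}): ${text}`);
  }
  return resp.status;
}

// Browser wiring: take over the submit of the form from the post.
if (typeof document !== "undefined") {
  const form = document.getElementById("scBannerForm");
  if (form) {
    form.addEventListener("submit", (event) => {
      event.preventDefault(); // stop the native POST, which has no header
      submitBanner(new FormData(form)).catch((err) => console.error(err));
    });
  }
}
```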