Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-20958

Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication


      When user is required to confirm the password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication which is different from atlassian-user, the password validation will fail.


      This is fixed in Confluence 3.4 and later versions. We check if the Confluence instance is configured to use a non-default seraph authenticator and automatically disable the functionality that relies on password confirmation:

      • web sudo
      • captcha
      • password confirmation on email change

      To overwrite this behavior use password.confirmation.disabled flag. If you set this flag to false than even if you have a custom authenticator, password confirmation will still work as configured and will try to validate the password against the user managment configured through atlassian-user.xml.

      Note that web sudo and other password confirmation screens should probably be disabled if you use an SSO authenticator. Confluence is typically not able to verify a user's password, so we recommend using some other mechanisms for your administrative security.

            Unassigned Unassigned
            akazatchkov Anatoli
            3 Vote for this issue
            8 Start watching this issue