Uploaded image for project: 'Confluence Server'
  1. Confluence Server
  2. CONFSERVER-20958

Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication

    XMLWordPrintable

    Details

      Description

      When user is required to confirm the password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication which is different from atlassian-user, the password validation will fail.

      Resolution

      This is fixed in Confluence 3.4 and later versions. We check if the Confluence instance is configured to use a non-default seraph authenticator and automatically disable the functionality that relies on password confirmation:

      • web sudo
      • captcha
      • password confirmation on email change

      To overwrite this behavior use password.confirmation.disabled flag. If you set this flag to false than even if you have a custom authenticator, password confirmation will still work as configured and will try to validate the password against the user managment configured through atlassian-user.xml.

      Note that web sudo and other password confirmation screens should probably be disabled if you use an SSO authenticator. Confluence is typically not able to verify a user's password, so we recommend using some other mechanisms for your administrative security.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              akazatchkov Anatoli Kazatchkov
              Votes:
              3 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: