Details
- Bug
- Resolution: Fixed
- Medium
- 3.5
- None
Description
The ConfluenceAuthenticator implementation in 3.5 behaves very differently to every previous version of Confluence in that login() now does the authentication and authenticate() is a dummy method that just returns true or false based on the result of login().
This has broken custom authenticators that subclass ConfluenceAuthenticator. Even if they were updated to work somehow, there's no easy way to fall back to authenticating with Confluence, if the external authentication fails. Extended implementations might also neglect to fire the events that enforce a CAPTCHA after a number of failed logins.
We should restore the previous way of extending ConfluenceAuthenticator in 3.5.
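An added illustration, not code from Confluence, Seraph or this issue: a simplified Java model of the extension contract the description asks to restore, assuming login() owns the failed-login bookkeeping and calls an overridable authenticate() hook. All class names, the threshold and the credentials are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;

// Simplified model only: none of these classes are the Seraph or Confluence API.
public class AuthenticatorContract {
    static final int CAPTCHA_THRESHOLD = 3; // constructed value

    /** Base class: login() is final and owns the bookkeeping, authenticate() is the hook. */
    static class BaseAuthenticator {
        private final Map<String, String> internalUsers = Map.of("alice", "internal-pw"); // constructed
        private final Map<String, Integer> failures = new HashMap<>();

        public final boolean login(String user, String password) {
            boolean ok = authenticate(user, password);
            // Stand-in for the login events: every failure is recorded here,
            // whatever credential check the subclass plugged in.
            if (ok) failures.remove(user); else failures.merge(user, 1, Integer::sum);
            return ok;
        }

        /** Built-in check against the internal directory. */
        protected boolean authenticate(String user, String password) {
            return password != null && password.equals(internalUsers.get(user));
        }

        boolean captchaRequired(String user) {
            return failures.getOrDefault(user, 0) >= CAPTCHA_THRESHOLD;
        }
    }

    /** Custom authenticator: external check first, then fall back to the built-in one. */
    static class ExternalFirstAuthenticator extends BaseAuthenticator {
        private final BiPredicate<String, String> external; // hypothetical SSO/LDAP check
        ExternalFirstAuthenticator(BiPredicate<String, String> external) { this.external = external; }

        @Override protected boolean authenticate(String user, String password) {
            return external.test(user, password) || super.authenticate(user, password);
        }
    }

    public static void main(String[] args) {
        BaseAuthenticator auth = new ExternalFirstAuthenticator((u, p) -> "sso-pw".equals(p));
        System.out.println("external login: " + auth.login("alice", "sso-pw"));
        System.out.println("fallback login: " + auth.login("alice", "internal-pw"));
        for (int i = 0; i < CAPTCHA_THRESHOLD; i++) auth.login("alice", "wrong");
        System.out.println("captcha required: " + auth.captchaRequired("alice"));
    }
}
```

If the subclass had to replace login() itself, both the super.authenticate() fallback and the failure counting would have to be reimplemented by every custom authenticator.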
Workaround
A patch attached to this issue fixes the problem in Confluence 3.5, 3.5.1 and 3.5.2. To install the patch:
- Shut down Confluence.
- Download atlassian-seraph-2.5.1.jar and put it in confluence/WEB-INF/lib/.
- Remove the old version of this library, atlassian-seraph-2.4.0.jar, from confluence/WEB-INF/lib/.
- Download ConfluenceAuthenticator.class and put it in confluence/WEB-INF/classes/com/atlassian/confluence/user/, creating any directories as required.
- Put your custom authenticator in place as normal.
- Start Confluence again.
Customers who are not comfortable patching their instance can wait until the Confluence 3.5.3 release, which is currently scheduled for Monday 2 May.
Issue Links
- is related to
  - CONFSERVER-22266 Seraph in Confluence 3.5 environment no longer able to instantiate custom authenticator (Closed)
  - CONFSERVER-22744 SiteMinder custom authenticator does not work with "Internal with LDAP authentication" directory (Closed)
  - JRASERVER-24155 JIRA connected to Crowd with a delegated authentication directory will not correctly authenticate users (Closed)
  - SER-166 Change login behaviour to authenticate without finding user first (RESOLVED)
  - CONFSERVER-24358 Provide an abstract Seraph authenticator for SSO authenticators to subclass that reduces the plumbing code required to interact with Embedded Crowd (Gathering Interest)