By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again.

If it is turned on manually, in most cases it won't work properly. When user is required to confirm the password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication which is different from atlassian-user, the password validation will fail.

Technical notes

The reason behind this is that there is no public authenticate(String username, String password) method in Seraph's Authenticator interface that can be used to determine whether a user's password is valid, so Confluence just looks at its internal user management system.

We could potentially use Authenticator.login(), but that has a number of side-effects in the Confluence code, including logging out the user if the web sudo authentication fails. That would not be desirable.

Given the difficulty of changing Seraph's primary interface and updating all the implementations, this is unlikely to be an easy issue to resolve.