Uploaded image for project: 'Confluence Cloud'
  1. Confluence Cloud
  2. CONFCLOUD-22875

Support web sudo and other password confirmation features with custom authenticators



    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.


      NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion.

      By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again.

      If it is turned on manually, in most cases it won't work properly. When user is required to confirm the password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication which is different from atlassian-user, the password validation will fail.

      Technical notes

      The reason behind this is that there is no public authenticate(String username, String password) method in Seraph's Authenticator interface that can be used to determine whether a user's password is valid, so Confluence just looks at its internal user management system.

      We could potentially use Authenticator.login(), but that has a number of side-effects in the Confluence code, including logging out the user if the web sudo authentication fails. That would not be desirable.

      Given the difficulty of changing Seraph's primary interface and updating all the implementations, this is unlikely to be an easy issue to resolve.


        Issue Links



              Unassigned Unassigned
              bmallow Brad Mallow [Atlassian]
              1 Vote for this issue
              4 Start watching this issue