Project: Confluence Data Center
Issue: CONFSERVER-19312

Authentication Requirement when Running application/json Headers Against Confluence


      Summary

      Sending a request to Confluence with an Accept header that contains "application/json" returns an authentication error, even for a page that normally renders without logging in.

      Environment

      • Confluence running over SSL

      Steps to Reproduce

      1. Set up Confluence to run over SSL
      2. Run a curl command whose Accept header includes application/json

      Expected Results

      The application returns the expected JSON.

      Actual Results

      A 401 error is returned together with an authentication challenge (WWW-Authenticate: OAuth) and a JSON error body:

      $ curl -v -k --insecure  https://localhost:8443 --header "Accept: text/html,application/xhtml+xml,application/json;q=0.9"
      * Rebuilt URL to: https://localhost:8443/
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 8443 (#0)
      * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      * Server certificate: bandreeti
      > GET / HTTP/1.1
      > Host: localhost:8443
      > User-Agent: curl/7.43.0
      > Accept: text/html,application/xhtml+xml,application/json;q=0.9
      >
      < HTTP/1.1 401 Unauthorized
      < Server: Apache-Coyote/1.1
      < X-Confluence-Request-Time: 1489679589469
      < Set-Cookie: JSESSIONID=7C92CB07865D341DA3DD8E29B9A8E987; Path=/; Secure; HttpOnly
      < X-XSS-Protection: 1; mode=block
      < X-Content-Type-Options: nosniff
      < X-Frame-Options: SAMEORIGIN
      < Content-Security-Policy: frame-ancestors 'self'
      < WWW-Authenticate: OAuth realm="https%3A%2F%2Flocalhost%3A8443"
      < Content-Type: application/json;charset=UTF-8
      < Transfer-Encoding: chunked
      < Date: Thu, 16 Mar 2017 15:53:09 GMT
      <
      * Connection #0 to host localhost left intact
      {"errorMessage":"You are not logged in. <a href=\"/login.action\">Log in<\/a> here and try again."}
      

      Notes

      This is a problem for web developers, who may have browser plugins installed that modify the browser's Accept header to include JSON for various reasons. For now, they have to disable such plugins manually in order to use Confluence effectively.
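      To make the behaviour above concrete, here is an added example (not code from the issue or from Atlassian) that parses the exact Accept header used in the report and compares two decision rules: a plain presence check for application/json, which is what the symptom described above looks like (assumption: Confluence's real logic is internal and not shown on this page), and standard RFC 7231 quality-value negotiation, under which text/html at q=1 outranks application/json at q=0.9 and the request would be treated as a browser request.

```python
"""Added example: Accept-header parsing and two ways of deciding 'does this client want JSON'."""

# Accept header taken verbatim from the curl command in the issue report.
ISSUE_ACCEPT = "text/html,application/xhtml+xml,application/json;q=0.9"
# Constructed for comparison: a typical browser header (no JSON listed) and a plain API client.
BROWSER_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
API_ACCEPT = "application/json"


def parse_accept(header):
    """Return [(media_range, q), ...] in header order; q defaults to 1.0 when absent."""
    ranges = []
    for part in header.split(","):
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        if not media:
            continue
        q = 1.0
        for param in pieces[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        ranges.append((media, q))
    return ranges


def mentions_json(header):
    """Presence rule: application/json appears with any non-zero q, regardless of rank."""
    return any(m == "application/json" and q > 0 for m, q in parse_accept(header))


def quality_of(offer, ranges):
    """q-value RFC 7231 assigns to `offer`: the most specific matching media range wins."""
    otype, _ = offer.split("/", 1)
    best_spec, best_q = -1, 0.0
    for media, q in ranges:
        mtype, _, msub = media.partition("/")
        if media == offer:
            spec = 2                       # exact match, e.g. text/html
        elif mtype == otype and msub == "*":
            spec = 1                       # type wildcard, e.g. text/*
        elif media == "*/*":
            spec = 0                       # catch-all
        else:
            continue
        if spec > best_spec:
            best_spec, best_q = spec, q
    return best_q


def preferred_type(header, offered=("text/html", "application/json")):
    """Negotiation rule: highest q among what the server offers; ties go to the first offer."""
    ranges = parse_accept(header)
    q, media = max(((quality_of(o, ranges), o) for o in offered), key=lambda s: s[0])
    return media if q > 0 else None
```

      For the report's header the two rules disagree: mentions_json() is true, so a presence check routes the unauthenticated request to the JSON 401 path, while preferred_type() returns "text/html", the result a browser would expect.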

      Workaround

      If you pass the -u parameter with a username and password, the request is accepted:

      $ curl -v -k --insecure -u <username>:<password>  https://localhost:8443 --header "Accept: text/html,application/xhtml+xml,application/json;q=0.9"
      * Rebuilt URL to: https://localhost:8443/
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 8443 (#0)
      * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      * Server certificate: bandreeti
      * Server auth using Basic with user '<username>'
      > GET / HTTP/1.1
      > Host: localhost:8443
      > Authorization: Basic YWRtaW46YWRtaW4=
      > User-Agent: curl/7.43.0
      > Accept: text/html,application/xhtml+xml,application/json;q=0.9
      >
      < HTTP/1.1 200 OK
      < Server: Apache-Coyote/1.1
      < X-Confluence-Request-Time: 1489677615306
      < Set-Cookie: JSESSIONID=4CF30D4D1E4F5B335F1D0FE3AE939662; Path=/; Secure; HttpOnly
      < X-Seraph-LoginReason: OK
      < X-AUSERNAME: <username>
      < X-XSS-Protection: 1; mode=block
      < X-Content-Type-Options: nosniff
      < X-Frame-Options: SAMEORIGIN
      < Content-Security-Policy: frame-ancestors 'self'
      < X-Accel-Buffering: no
      < Content-Type: text/html;charset=UTF-8
      < Transfer-Encoding: chunked
      < Date: Thu, 16 Mar 2017 15:20:15 GMT
      <
      
      <!DOCTYPE html>
      <html>
      <head>
                                  <title>Dashboard - Confluence</title>
      ...
      

      These user credentials are not required for the same request against JIRA.

      The -k / --insecure parameters (the same option in short and long form) are only there to work around the self-signed certificate on the test instance.

      Assignee: Unassigned
      Reporter: james Smith
      Votes: 5
      Watchers: 9