Project: Confluence Data Center

[CONFSERVER-20958] Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication

When a user is required to confirm their password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use a custom authentication mechanism that differs from atlassian-user, the password validation will fail.

Resolution

This is fixed in Confluence 3.4 and later versions. We check whether the Confluence instance is configured to use a non-default Seraph authenticator and, if so, automatically disable the functionality that relies on password confirmation:

• web sudo
• captcha
• password confirmation on email change

To override this behaviour, use the password.confirmation.disabled system property. If you set this flag to false, then even with a custom authenticator password confirmation will still work as configured and will try to validate the password against the user management configured through atlassian-user.xml.

Note that web sudo and the other password confirmation screens should probably be disabled if you use an SSO authenticator. In that setup Confluence is typically not able to verify a user's password, so we recommend using some other mechanism for your administrative security.
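The resolution names the password.confirmation.disabled system property but not how to set it. The following is an added example, not Atlassian's code: a POSIX shell helper that idempotently sets that property inside the CATALINA_OPTS line of a Tomcat setenv.sh (the file one of the comments below edits) and reads back the effective value, so the flag never ends up duplicated or silently left at an old value. It assumes a single CATALINA_OPTS="..." line in the file; the function names and the sample setenv.sh content are mine.

```shell
#!/bin/sh
# Added example (not Atlassian's code): manage the
# password.confirmation.disabled JVM property in a Tomcat setenv.sh.
# Assumption: the file contains exactly one CATALINA_OPTS="..." line.

PROP="password.confirmation.disabled"

# Print the current value of -Dpassword.confirmation.disabled=... found in
# the given setenv.sh, or "unset" if the property is not present at all.
get_password_confirmation() {
    file="$1"
    val=$(grep -o -e "-D${PROP}=[^ \"]*" "$file" 2>/dev/null \
          | head -n1 | sed "s/^-D${PROP}=//")
    if [ -z "$val" ]; then
        echo "unset"
    else
        echo "$val"
    fi
}

# Set the property to "true" or "false" inside CATALINA_OPTS.  Any existing
# occurrence is removed first, so repeated calls never add a second copy
# (two copies would make the effective value depend on JVM argument order).
set_password_confirmation() {
    file="$1"
    value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 1 ;;
    esac
    # 1) strip every existing -Dpassword.confirmation.disabled=... token
    # 2) append the new token just before the closing quote of CATALINA_OPTS
    sed -i.bak \
        -e "s/ *-D${PROP}=[^ \"]*//g" \
        -e "/^CATALINA_OPTS=\"/ s/\"\$/ -D${PROP}=${value}\"/" \
        "$file"
    rm -f "$file.bak"
}

# Usage (constructed sample; adjust the path to your installation):
#   set_password_confirmation /opt/confluence/bin/setenv.sh false
#   get_password_confirmation /opt/confluence/bin/setenv.sh
```

Setting the value to false re-enables web sudo, captcha and the email-change confirmation behind a custom authenticator, but only makes sense where atlassian-user.xml actually holds the credentials Confluence will be asked to verify; behind an SSO authenticator, leave the property unset so the automatic disabling described in the resolution applies.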


            Sam Hall added a comment - - edited

-Dpassword.confirmation.disabled=false still works fine for the Confluence Admin functions on v5.10.4, but what about Space Admins? I seem to recall they used to get a step-up auth prompt too. Our SSO solution is an optional hybrid type thingy, so either way it still works. I do like the idea of prompting people for a password before they can do anything potentially destructive such as purge trash.

UPDATE: Never mind, I've confirmed that certain space admin functions such as purge trash do respect this setting and will prompt for auth when using custom authentication.


Sergej Riewe added a comment -

Hello,
I try to set password.confirmation.disabled to false because I use a custom authenticator and want the admin to go through the confirmation dialog.
For the Windows service I set -Datlassian.password.confirmation.disabled=false but this doesn't work. I also tested -Djava and Dcatalina; if I just set password.confirmation.disable=false the Confluence service doesn't start.

What is the right way to force the dialog? My Confluence version is 5.8.16.

Thanks!

Tony Squier added a comment -

This doesn't seem to work with Confluence 3.5.x. It still appears that Confluence will always use the internal password for custom authenticators.

Stefan Saasen (Inactive) added a comment -

This is in 3.4

Thomas Strempel added a comment -

Hi,
I followed CONF-20365 and it works fine!

I have edited the setenv.sh in Tomcat:
CATALINA_OPTS="-Xms1024m -Xmx2048m -XX:PermSize=64m -XX:MaxPermSize=256m -XX:+CMSClassUnloadingEnabled -Djava.awt.headless=true -Datlassian.dev.mode=true"

Thanks and greetings from Thomas

            Anatoli added a comment -

            Hi Thomas,

This page explains how to set a system property.
What version of Confluence do you use? Keep in mind that in version 3.4 we have a temporary workaround: we check if the Confluence instance is configured to use a non-default Seraph authenticator and automatically disable the functionality that relies on password confirmation.

So if you use a custom authenticator and Confluence 3.4 you don't need to do anything to disable password confirmation.

If you use Confluence 3.3 then the flag will not work and you will need to follow the instructions from CONF-20365.

            Anatoli.


Thomas Strempel added a comment -

We use an authenticator and have no solution to log in to the Admin page to change the security button.
In which file must I set this value?
"password.confirmation.disabled"
I want to disable the Admin secure page.

thanks

Assignee: Unassigned
Reporter: Anatoli (akazatchkov)
Affected customers: 3
Watchers: 8
