  1. Confluence Data Center
  2. CONFSERVER-20958

Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication

Details

    Description

      When a user is required to confirm their password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication that is different from atlassian-user, the password validation will fail.

      Resolution

      This is fixed in Confluence 3.4 and later versions. We check if the Confluence instance is configured to use a non-default seraph authenticator and automatically disable the functionality that relies on password confirmation:

      • web sudo
      • captcha
      • password confirmation on email change

      To override this behavior, use the password.confirmation.disabled flag. If you set this flag to false, then even if you have a custom authenticator, password confirmation will still work as configured and will try to validate the password against the user management configured through atlassian-user.xml.

      Note that web sudo and other password confirmation screens should probably be disabled if you use an SSO authenticator. Confluence is typically not able to verify a user's password, so we recommend using some other mechanisms for your administrative security.
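
The resolution above can be turned into a configuration audit. The following is an added example, not Atlassian's code: it reads the `<authenticator>` element of seraph-config.xml and the JVM arguments, then reports whether password confirmation is effectively on. Assumptions: the stock authenticator class name, that the flag is passed as a `-D` system property, and the constructed sample input with its hypothetical SSO class.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: class name of the stock Confluence Seraph authenticator.
DEFAULT_AUTHENTICATOR = "com.atlassian.confluence.user.ConfluenceAuthenticator"
# Assumption: the flag is supplied as a JVM system property (-Dname=value).
FLAG_RE = re.compile(r"-Dpassword\.confirmation\.disabled=(\S+)")

# Constructed sample input; the SSO class name is hypothetical.
SAMPLE_SERAPH = """<security-config>
  <authenticator class="com.example.sso.ExampleSsoAuthenticator"/>
</security-config>"""


def authenticator_class(seraph_xml):
    """Return the class configured on <authenticator> in seraph-config.xml."""
    node = ET.fromstring(seraph_xml).find("authenticator")
    if node is None or not node.get("class"):
        raise ValueError("no <authenticator class=...> element found")
    return node.get("class").strip()


def flag_value(jvm_args):
    """True/False when the flag is set explicitly (last one wins), else None."""
    values = FLAG_RE.findall(jvm_args)
    return values[-1].strip("\"'").lower() == "true" if values else None


def audit(seraph_xml, jvm_args):
    """Report whether password confirmation is effectively on for this setup."""
    custom = authenticator_class(seraph_xml) != DEFAULT_AUTHENTICATOR
    flag = flag_value(jvm_args)
    # No explicit flag: 3.4+ disables confirmation when the authenticator is custom.
    disabled = custom if flag is None else flag
    if disabled:
        note = "web sudo, captcha and email-change confirmation are off"
    elif custom:
        note = "passwords are checked against atlassian-user, not the custom authenticator"
    else:
        note = "default authenticator, password confirmation works as configured"
    return {"custom_authenticator": custom, "flag": flag,
            "password_confirmation": "disabled" if disabled else "enabled",
            "note": note}


if __name__ == "__main__":
    for args in ("-Xmx2g", "-Xmx2g -Dpassword.confirmation.disabled=false"):
        print(args, "->", audit(SAMPLE_SERAPH, args))
```

A "disabled" result on an instance with a custom authenticator means web sudo is not protecting administrative functions, so another control has to.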

            People

              Unassigned
              akazatchkov Anatoli
              Votes: 3
              Watchers: 8