Custom authenticators which subclass ConfluenceAuthenticator are broken in Confluence 3.5


      The ConfluenceAuthenticator implementation in 3.5 behaves very differently to every previous version of Confluence in that login() now does the authentication and authenticate() is a dummy method that just returns true or false based on the result of login().

      This has broken custom authenticators that subclass ConfluenceAuthenticator. Even if they were updated to work somehow, there's no easy way to fall back to authenticating with Confluence if the external authentication fails. Extended implementations might also neglect to fire the events that enforce a CAPTCHA after a number of failed logins.

      We should restore the previous way of extending ConfluenceAuthenticator in 3.5.

      Workaround

      There is a patch attached to this issue that fixes it in Confluence 3.5, 3.5.1 and 3.5.2. To install the patch:

      1. Shut down Confluence.
      2. Download atlassian-seraph-2.5.1.jar and put it in confluence/WEB-INF/lib/.
      3. Remove the old version of this library, atlassian-seraph-2.4.0.jar, from confluence/WEB-INF/lib/.
      4. Download ConfluenceAuthenticator.class and put it in confluence/WEB-INF/classes/com/atlassian/confluence/user/, creating any directories as required.
      5. Put your custom authenticator in place as normal.
      6. Start Confluence again.
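
A check to run after step 5 and before step 6, as an added example that is not part of the original issue or of the attached patch: it confirms the file layout the steps describe. It assumes the argument is the Confluence web application directory (the `confluence/` in the steps) and that any other `atlassian-seraph-*.jar` is stale; the function name `check_seraph_patch` is hypothetical.

```shell
#!/bin/sh
# Added example: verify the workaround's file layout before restarting Confluence.
# $1 = Confluence web application directory (assumption: the "confluence/" in the steps).
# Returns 0 when the layout matches the steps, 1 otherwise; problems go to stderr.
check_seraph_patch() {
    webapp=$1
    lib="$webapp/WEB-INF/lib"
    cls="$webapp/WEB-INF/classes/com/atlassian/confluence/user/ConfluenceAuthenticator.class"
    rc=0

    if [ ! -d "$lib" ]; then
        echo "not a Confluence webapp directory: $webapp" >&2
        return 1
    fi

    # Step 2: the new Seraph library must be present.
    if [ ! -f "$lib/atlassian-seraph-2.5.1.jar" ]; then
        echo "missing: $lib/atlassian-seraph-2.5.1.jar" >&2
        rc=1
    fi

    # Step 3: the old library must be gone. With two Seraph jars in WEB-INF/lib,
    # which copy of a class gets loaded is not guaranteed.
    # Assumption: any Seraph jar other than 2.5.1 counts as stale.
    for jar in "$lib"/atlassian-seraph-*.jar; do
        [ -e "$jar" ] || continue
        case "$jar" in
            */atlassian-seraph-2.5.1.jar) ;;
            *) echo "stale Seraph library still present: $jar" >&2; rc=1 ;;
        esac
    done

    # Step 4: the patched class must sit at the exact package path and be non-empty.
    if [ ! -s "$cls" ]; then
        echo "missing or empty: $cls" >&2
        rc=1
    fi

    return $rc
}

# Stand-alone use: sh check.sh /path/to/confluence
if [ "$#" -gt 0 ]; then
    check_seraph_patch "$1"
fi
```
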

      Customers who are not comfortable patching their instance can wait until the Confluence 3.5.3 release, which is currently scheduled for Monday 2 May.

            Assignee:
            Matt Ryall
            Reporter:
            Matt Ryall
            Votes:
            9
            Watchers:
            8


                Original Estimate:
                40h
                Remaining Estimate:
                40h
                Time Spent:
                Not Specified