CONFSERVER-22875

Support web sudo and other password confirmation features with custom authenticators



    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.


      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again.

      If it is turned on manually, in most cases it will not work properly. When a user is required to confirm their password, Confluence always checks the entered password against the user/password stored in its internal user management system. If an instance is configured to use a custom authenticator whose credential source differs from atlassian-user, the password validation will fail.

      Technical notes

      The reason behind this is that there is no public authenticate(String username, String password) method in Seraph's Authenticator interface that can be used to determine whether a user's password is valid, so Confluence just looks at its internal user management system.

      We could potentially use Authenticator.login(), but that has a number of side-effects in the Confluence code, including logging out the user if the web sudo authentication fails. That would not be desirable.

      Given the difficulty of changing Seraph's primary interface and updating all the implementations, this is unlikely to be an easy issue to resolve.


      bmallow (Brad Mallow [Atlassian])