Details
- Bug
- Resolution: Fixed
- Highest
- 8.2.0, 8.1.1, 7.13.15, 7.13.16, 7.13.17, 7.19.7, 7.19.8, 7.19.9, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3
- 10
- Severity 2 - Major
- 30
Description
Problem
When a non-default authenticator is configured in Confluence, attempting to edit an attachment stored on a Confluence page fails with "Unexpected response status code 401" in the Companion App logs.
Environment
- Confluence v7.19.7
- A non-default authenticator is configured in <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
- Companion App v1.4.4
Steps to Reproduce
One example when a non-default authenticator is used is Confluence/Crowd SSO integration.
- Configure Confluence to use Crowd SSO as described in Enable SSO integration with Crowd (Optional)
- Create a Confluence page and attach a .txt document
- Preview the text document in Confluence
- Attempt to Edit the text document on the Confluence page (which would typically open the text file through the Companion App)
Expected Results
Confluence communicates with the Companion App, which opens the text document with the OS-associated application (e.g. Notepad or TextEdit).
Actual Results
Nothing happens: the OS-associated application does not open the document.
Checking the logs of the Companion app will show "Unexpected response status code 401":
info: adc:serverauth 2023-05-09T15:19:19.986Z Found trusted domain in database: www.myconfluence.com
error: adc:ServerFacade 2023-05-09T15:19:20.865Z Could not get temp link information:
error: adc:ServerFacade 2023-05-09T15:19:20.866Z UnexpectedStatusError: Unexpected response status code 401 from www.myconfluence.com
    at u.expect (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:26288)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async h (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:20817)
    at async t._fn (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:8:1326947)
error: adc:ServerFacade 2023-05-09T15:19:20.866Z UnexpectedStatusError: Unexpected response status code 401 from www.myconfluence.com
    at u.expect (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:26288)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async h (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:20817)
    at async t._fn (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:8:1326947)
info: adc:ErrorHandler - 2023-05-09T15:19:20.866Z Unable to JSON parse and extract response error responseText: undefined
error: adc:ProtocolHandler 2023-05-09T15:19:20.867Z Error parsing protocol link
error: adc:ProtocolHandler 2023-05-09T15:19:20.867Z UnexpectedStatusError: Unexpected response status code 401 from www.myconfluence.com
    at u.expect (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:26288)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async h (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:20817)
    at async t._fn (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:8:1326947)
error: adc:ProtocolHandler 2023-05-09T15:19:20.867Z UnexpectedStatusError: Unexpected response status code 401 from www.myconfluence.com
    at u.expect (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:26288)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async h (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:2:20817)
    at async t._fn (/Applications/Atlassian Companion.app/Contents/Resources/app.asar/.webpack/main/index.js:8:1326947)
Checking the Confluence Tomcat access logs will show "HTTP/1.1 401" for the "/rest/token-auth/api/previews/templinksresource/companion/attachment" endpoint:
[19/May/2023:10:21:20 +1000] - http-nio-21315-exec-10 0:0:0:0:0:0:0:1 GET /rest/token-auth/api/previews/templinksresource/companion/attachment?attachmentId=983043&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1N....i8fU66SKg-d2dpycQcXY7tVlclw_rA HTTP/1.1 401 30ms 148 - Mozilla/5.0 (Macintosh; Intel Mac OS X 12_6_5) AppleWebKit/537.36 (KHTML, like Gecko) AtlassianCompanion/1.4.4 Chrome/80.0.3987.163 Electron/8.5.5 Safari/537.36
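To confirm how often this symptom occurs, the access log can be scanned for 401 responses to the Companion temp-link endpoint. The script below is an added example, not part of the ticket or of Atlassian's tooling; the field layout is inferred from the single log line above, the sample lines are constructed, and the `jwt` value is redacted from the output because the token is written to the log in the query string.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Endpoint named in the ticket. Field layout is inferred from its one sample line.
ENDPOINT = "/rest/token-auth/api/previews/templinksresource/companion/attachment"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<thread>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+ (?P<status>\d{3}) "
    r"(?P<ms>\d+)ms (?P<size>\S+) (?P<referer>\S+) (?P<ua>.*)$"
)
UA_RE = re.compile(r"AtlassianCompanion/([\d.]+)")


def redact_jwt(url):
    """Blank the jwt query value so tokens are not copied into reports."""
    parts = urlsplit(url)
    query = [(k, "<redacted>" if k == "jwt" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + ("?" + urlencode(query, safe="<>") if query else "")


def companion_401s(lines):
    """Return one record per 401 the Companion App received on ENDPOINT."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "401":
            continue
        ua = UA_RE.search(m["ua"])
        if ua and urlsplit(m["url"]).path == ENDPOINT:
            hits.append({"time": m["ts"], "user": m["user"], "ip": m["ip"],
                         "companion": ua.group(1), "url": redact_jwt(m["url"])})
    return hits


# Constructed sample lines (hypothetical ports, addresses, IDs and token values).
COMPANION_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 12_6_5) AppleWebKit/537.36 "
                "(KHTML, like Gecko) AtlassianCompanion/1.4.4 Chrome/80.0.3987.163 "
                "Electron/8.5.5 Safari/537.36")
SAMPLE = [
    f"[19/May/2023:10:21:20 +1000] - http-nio-8090-exec-1 10.0.0.5 GET "
    f"{ENDPOINT}?attachmentId=1001&jwt=aaa.bbb.ccc HTTP/1.1 401 30ms 148 - {COMPANION_UA}",
    f"[19/May/2023:10:22:01 +1000] alice http-nio-8090-exec-2 10.0.0.6 GET "
    f"{ENDPOINT}?attachmentId=1002&jwt=ddd.eee.fff HTTP/1.1 200 41ms 512 - {COMPANION_UA}",
    "[19/May/2023:10:22:30 +1000] - http-nio-8090-exec-3 10.0.0.7 GET "
    "/rest/api/content/1003 HTTP/1.1 401 5ms 90 - Mozilla/5.0 (X11; Linux x86_64)",
]

if __name__ == "__main__":
    for hit in companion_401s(SAMPLE):
        print(hit)
```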
Workaround
Workaround 1 (when using Crowd SSO) - Disable Crowd SSO
- Back up <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
- Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
- Revert back to the default Confluence authenticator
  Make sure this is enabled:
  <!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
  <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
  Make sure this is commented out:
  <!-- Authenticator with support for Crowd single-sign on (SSO). -->
  <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/> -->
- Restart Confluence (on each node)
- Confluence/Crowd SSO will no longer be active but editing attachments via Companion App will work again
Workaround 2 (only when using Crowd DC) - Change to Crowd SSO 2.0
Migrate Confluence/Crowd SSO to use Crowd SSO2 (SAML-based SSO), which is not affected by this issue.
Workaround 3 (when using re:solution Deny Password Authenticator v3.2.0) - Disable Deny Password Authenticator
- Back up <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
- Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
- Revert back to the default Confluence authenticator
  Make sure this is enabled:
  <!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
  <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
  Make sure this is commented out:
  <!-- <authenticator class="de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator" /> -->
- Restart Confluence (on each node)
Workaround 4 (when using MIDAN Authenticator) - Disable MIDAN Authenticator
- Back up <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
- Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
- Revert back to the default Confluence authenticator
  Make sure this is enabled:
  <!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
  <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
  Make sure MIDAN authenticator is commented out:
  <!-- <authenticator class="eu.midan.MIDANAuthenticator"/> -->
  Make sure Confluence Crowd SSO is commented out:
  <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/> -->
- Restart Confluence (on each node)
- Confluence/Crowd SSO will no longer be active but editing attachments via Companion App will work again
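
Before restarting each node after the seraph-config.xml edit in Workarounds 1, 3 or 4, it helps to verify which authenticator is actually live and which ones are only present inside comments. The check below is an added example, not Atlassian's code; the `<security-config>` wrapper and both sample files are constructed, and only the class names come from this ticket.

```python
import re
import xml.etree.ElementTree as ET

# Default authenticator class, as given in the workarounds above.
DEFAULT = "com.atlassian.confluence.user.ConfluenceAuthenticator"


def authenticator_state(xml_text):
    """Report active and commented-out authenticator classes in seraph-config.xml."""
    root = ET.fromstring(xml_text)  # the default parser drops comments
    active = [el.get("class") for el in root.iter("authenticator")]
    disabled = []
    for comment in re.findall(r"<!--(.*?)-->", xml_text, flags=re.S):
        disabled += re.findall(r'<authenticator\s+class="([^"]+)"', comment)
    # Applied only when the default class is the single live authenticator.
    return {"active": active, "disabled": disabled,
            "workaround_applied": active == [DEFAULT]}


# Constructed sample: Crowd SSO active, default authenticator commented out.
BEFORE = """<security-config>
  <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->
  <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
</security-config>"""

# Constructed sample: the file after Workaround 1 has been applied.
AFTER = """<security-config>
  <!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
  <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
  <!-- Authenticator with support for Crowd single-sign on (SSO). -->
  <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/> -->
</security-config>"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, authenticator_state(text))
```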