Confluence Data Center
CONFSERVER-94775

Login form doesn't get disabled when option is disabled from authentication methods

      Issue Summary

      When the option to authenticate with username and password is removed from the login form, credentials can still be posted directly to dologin.action (treated here as a form of basic authentication) and the server issues a session.

      This is reproducible on Data Center: Yes

      Steps to Reproduce

      Step-1. Remove the option to authenticate with username and password from the login form, as shown in the attached screenshot (screen2.png).

      
Step-2. Using the commands below, we can still obtain a JSESSIONID and then use it to pull page content.

      curl -i -d 'os_username=<username>&os_password=<password>&login=Log+in&os_destination=%2F' <base-url>/dologin.action
      
      curl -b 'JSESSIONID=<JSESSIONID>' <base-url>/display/<space-key>/<page-title>
      

      Below is the sample output:

      curl -i -d 'os_username=<username>&os_password=<password>&login=Log+in&os_destination=%2F' https://linux-65091.prod.atl-cd.net/confluence/dologin.action
      HTTP/2 302 
      cache-control: no-store
      content-type: text/html;charset=UTF-8
      date: Tue, 27 Feb 2024 12:54:10 GMT
      expires: Thu, 01 Jan 1970 00:00:00 GMT
      location: /confluence/
      set-cookie: _b0691=96ba2532ab5fb23f; Path=/
      set-cookie: JSESSIONID=D01146B96319894F04C3B535FA9B8782; Path=/confluence; Secure; HttpOnly
      strict-transport-security: max-age=31536000
      x-confluence-cluster-node: da0e1b24
      x-confluence-cluster-node-name: confluence1
      x-confluence-request-time: 1709038450862
      x-seraph-loginreason: OK
      content-length: 0
      

      Expected Results

      Since the above is considered a form of basic authentication, the response should be:

      {"message":"Login form has been disabled on this instance."}
      

      Actual Results

      We get a successful login response (x-seraph-loginreason: OK) that sets a JSESSIONID cookie.

      Workaround

      Update the SSO for Atlassian Data Center plugin to v4.2.28 or later.
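      The following check script is an added example, not part of this ticket or of Atlassian's code. It verifies, for example after applying the workaround, whether a POST to dologin.action still issues a session or returns the expected "Login form has been disabled" message. It assumes the response (headers plus body) is captured with `curl -s -i`; the two sample responses embedded in the script are constructed, not captured from a real instance, the cookie value is a placeholder, and the status line of the "disabled" sample is omitted because the ticket does not state it.

```shell
#!/bin/sh
# Added example, not part of ticket CONFSERVER-94775 or of Atlassian's code.
# Verifies whether POSTing credentials to /dologin.action still yields a
# session after the "username and password" login option was removed.
# Assumes the response (headers + body) is captured with `curl -s -i`.

# Constructed sample modelled on the ticket's output: the bug is present,
# a JSESSIONID is issued and Seraph reports a successful login.
# (Cookie value is a placeholder, not one captured from a real instance.)
SAMPLE_BUGGY='HTTP/2 302
cache-control: no-store
location: /confluence/
set-cookie: JSESSIONID=PLACEHOLDER00000000000000000000; Path=/confluence; Secure; HttpOnly
x-seraph-loginreason: OK
content-length: 0
'

# Constructed sample of the expected (fixed) behaviour. The status line is
# left out because the ticket does not state it; only the body matters here.
SAMPLE_FIXED='content-type: application/json

{"message":"Login form has been disabled on this instance."}
'

# classify_dologin_response RESPONSE
# Prints one of:
#   form-login-disabled  the expected JSON refusal was returned
#   form-login-active    a JSESSIONID was set and x-seraph-loginreason is OK
#   unknown              anything else (inspect the response manually)
classify_dologin_response() {
    resp="$1"
    if printf '%s\n' "$resp" | grep -q 'Login form has been disabled'; then
        echo "form-login-disabled"
    elif printf '%s\n' "$resp" | grep -qi '^set-cookie: JSESSIONID=' &&
         printf '%s\n' "$resp" | grep -qi '^x-seraph-loginreason: OK'; then
        echo "form-login-active"
    else
        echo "unknown"
    fi
}

# check_dologin BASE_URL USERNAME PASSWORD
# Runs the ticket's step 2 POST and classifies the result. Credentials are
# URL-encoded by curl so special characters in the password do not break
# the form body.
check_dologin() {
    base_url="$1"; user="$2"; pass="$3"
    resp=$(curl -s -i \
        --data-urlencode "os_username=$user" \
        --data-urlencode "os_password=$pass" \
        -d 'login=Log+in' -d 'os_destination=%2F' \
        "$base_url/dologin.action")
    classify_dologin_response "$resp"
}

# Usage: ./check_dologin.sh <base-url> <username> <password>
if [ $# -eq 3 ]; then
    check_dologin "$@"
fi
```

      Run it with the base URL, username and password from step 2; an instance still affected prints form-login-active, an instance on the fixed plugin prints form-login-disabled, and anything else prints unknown so the raw response can be inspected.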



            Mihai Schwarz added a comment - This is occurring on SSO on Atlassian Data Center 4.3.10 as well  
