Type: Bug
Resolution: Unresolved
Priority: Low
Affects Version/s: 7.9.0, 9.0.0
Severity: Severity 3 - Minor
Issue Summary
When a REST API request is authenticated with wrong credentials through basic authentication, Confluence correctly responds with a 401 HTTP response status.
The same behavior would be expected when using personal access tokens.
If a wrong, nonexistent token is used, Confluence does not respond with a 401 HTTP status but instead processes the request as an anonymous user (if anonymous access is enabled).
Note that regular product permissions are still enforced, so the results only contain data that an anonymous user would have access to.
Steps to Reproduce
- Create a vanilla instance of Confluence Data Center.
- This was validated on Confluence version 9.0.
- Enable anonymous access.
- Create a sample Space with a couple of pages.
- Create a regular user with access to the sample space.
- Try accessing the following REST API using the correct credentials for the sample user.
CONFLUENCE_BASE_URL=http://127.0.0.1:8090
CONFLUENCE_USR_NAME=user001
CONFLUENCE_USR_PWD=user001
curl -v -o /dev/null \
  -u ${CONFLUENCE_USR_NAME}:${CONFLUENCE_USR_PWD} \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
- Note that authentication works as expected and the response status is 200.
- Try accessing the same REST API using the wrong credentials as below.
CONFLUENCE_BASE_URL=http://127.0.0.1:8090
CONFLUENCE_USR_NAME=user001
CONFLUENCE_USR_PWD=not_my_password
curl -v -o /dev/null \
  -u ${CONFLUENCE_USR_NAME}:${CONFLUENCE_USR_PWD} \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
- Note that authentication fails and the response status is 401.
- Create a personal access token (PAT) for the sample user.
- Try accessing the same REST API using the correct PAT.
CONFLUENCE_BASE_URL=http://127.0.0.1:8090
curl -v -o /dev/null \
  -H 'Authorization: Bearer MDM4MTUwMzY5OTUwOsozS9OggiMR2teDPOUWhnZTODOf' \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
- Note that authentication works as expected and the response status is 200.
- Try accessing the same REST API using a wrong (nonexistent) token as below.
CONFLUENCE_BASE_URL=http://127.0.0.1:8090
curl -v -o /dev/null \
  -H 'Authorization: Bearer not_my_token' \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
Expected Results
The request is rejected because it uses a nonexistent token, and Confluence responds to the request with a 401 HTTP status.
Actual Results
The request is fulfilled with a 200 HTTP response status.
Since the supplied PAT does not exist, the request is processed as anonymous.
Workaround
When using a PAT, check the X-AUSERNAME response header to confirm that the request was authenticated as the expected user rather than as anonymous.
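The workaround as a reusable check, added here as an example and not part of the Atlassian issue: it reads the headers captured by `curl -D` and fails unless X-AUSERNAME names the expected user. It assumes (constructed here; confirm on your instance) that an anonymous request carries X-AUSERNAME: anonymous or no X-AUSERNAME header at all.

```shell
# Print the X-AUSERNAME value from a header dump on stdin (empty if absent).
ausername_from_headers() {
  tr -d '\r' | awk -F': ' 'tolower($1) == "x-ausername" { print $2; exit }'
}

# verify_pat_user HEADER_FILE EXPECTED_USER
# Exit 0 only when the response was authenticated as EXPECTED_USER. A missing
# header or any other value (including "anonymous") is treated as a failed
# PAT authentication, which is what a 401 would have signalled.
verify_pat_user() {
  _actual=$(ausername_from_headers < "$1")
  if [ -z "$_actual" ]; then
    echo "X-AUSERNAME missing: request was not authenticated" >&2
    return 1
  fi
  if [ "$_actual" != "$2" ]; then
    echo "authenticated as '$_actual', expected '$2'" >&2
    return 1
  fi
  return 0
}

# Constructed header dump standing in for `curl -D headers.txt ...` output
# of a request made with a nonexistent PAT (HTTP 200, anonymous user).
_demo=$(mktemp)
printf 'HTTP/1.1 200 \r\nX-AUSERNAME: anonymous\r\nContent-Type: application/json\r\n\r\n' > "$_demo"
if verify_pat_user "$_demo" user001; then
  echo "PAT authenticated as user001"
else
  echo "PAT did not authenticate as user001 despite HTTP 200"
fi
rm -f "$_demo"

# Against a real instance, capture the headers of the reproduction request:
#   curl -s -o /dev/null -D headers.txt -H "Authorization: Bearer $PAT" \
#     "$CONFLUENCE_BASE_URL/rest/api/latest/content?limit=1"
#   verify_pat_user headers.txt user001
```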
Split from: JRASERVER-78126 Using an invalid or wrong personal access token with REST API is incorrectly handled as anonymous user instead of as an unauthorized request
Status: Gathering Impact