Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication

Type atlassian
Reporter akazatchkov
Modified 2016-09-30T00:17:53


When a user is required to confirm their password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use a custom authentication mechanism other than atlassian-user, the password validation will fail.

h3. Resolution

This is fixed in Confluence 3.4 and later versions. We check if the Confluence instance is configured to use a non-default seraph authenticator and automatically disable the functionality that relies on password confirmation:

  • web sudo
  • captcha
  • password confirmation on email change

To override this behavior use the {{password.confirmation.disabled}} flag. If you set this flag to false then, even if you have a custom authenticator, password confirmation will still work as configured and will try to validate the password against the user management configured through atlassian-user.xml.

Note that web sudo and other password confirmation screens should probably be disabled if you use an SSO authenticator. Confluence is typically not able to verify a user's password, so we recommend using some other mechanisms for your administrative security.
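The decision described above, as an added illustration that is not Confluence's own code: it reads the authenticator class out of a seraph-config.xml document and combines it with the {{password.confirmation.disabled}} flag to work out which password-confirmation features stay active. The default authenticator class name, the element layout of seraph-config.xml, the function names and the sample configuration are all assumptions made for this example; check them against your own installation.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Class name of the authenticator shipped with Confluence (assumed for this
# example; compare with the <authenticator> element in your seraph-config.xml).
DEFAULT_AUTHENTICATOR = "com.atlassian.confluence.user.ConfluenceAuthenticator"

# The three features that rely on re-entering the password.
PASSWORD_CONFIRMATION_FEATURES = ("websudo", "captcha", "email_change_confirmation")


def configured_authenticator(seraph_config_xml: str) -> str:
    """Return the class attribute of the <authenticator> element.

    The element name and attribute follow the usual seraph-config.xml layout
    (an assumption of this example, not a guarantee about any given release).
    """
    root = ET.fromstring(seraph_config_xml)
    node = root.find(".//authenticator")
    if node is None or "class" not in node.attrib:
        raise ValueError("no <authenticator class=...> element found")
    return node.attrib["class"].strip()


def password_confirmation_enabled(authenticator_class: str,
                                  flag_value: Optional[str]) -> bool:
    """Decide whether password confirmation is active.

    - flag unset: active only when the default authenticator is configured,
      since a custom authenticator cannot verify the internal password.
    - flag "false": active regardless of the authenticator (the override
      described in the resolution).
    - flag "true": explicitly disabled (interpretation assumed for this example).
    """
    if flag_value is not None:
        return flag_value.strip().lower() != "true"
    return authenticator_class == DEFAULT_AUTHENTICATOR


def active_features(seraph_config_xml: str,
                    flag_value: Optional[str]) -> Tuple[str, ...]:
    """List the password-confirmation features that remain enabled."""
    authenticator = configured_authenticator(seraph_config_xml)
    if password_confirmation_enabled(authenticator, flag_value):
        return PASSWORD_CONFIRMATION_FEATURES
    return ()


# Constructed sample documents, trimmed to the element this example inspects.
DEFAULT_CONFIG = """<security-config>
  <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
</security-config>"""

SSO_CONFIG = """<security-config>
  <authenticator class="com.example.sso.CompanySsoAuthenticator"/>
</security-config>"""


if __name__ == "__main__":
    for label, cfg, flag in (("default, flag unset", DEFAULT_CONFIG, None),
                             ("SSO, flag unset", SSO_CONFIG, None),
                             ("SSO, flag=false", SSO_CONFIG, "false")):
        print(f"{label}: {active_features(cfg, flag) or '(none)'}")
```

The `SSO, flag=false` case is the one to look at when auditing an instance: it re-enables web sudo behind an authenticator that cannot actually verify the password, which is exactly the situation the note above warns about.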