Support web sudo and other password confirmation features with custom authenticators

Type atlassian
Reporter bmallow
Modified 2017-02-17T05:22:57


By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again.

If it is turned on manually, in most cases it will not work properly. When a user is required to confirm their password, Confluence always checks the entered password against its internally stored user credentials. If an instance is configured to use custom authentication other than atlassian-user, the password validation will fail.

Technical notes

The reason behind this is that there is no public {{authenticate(String username, String password)}} method in [Seraph's Authenticator interface|] that can be used to determine whether a user's password is valid, so Confluence just looks at its internal user management system.

We could potentially use [Authenticator.login()|,%20javax.servlet.http.HttpServletResponse,%20java.lang.String,%20java.lang.String%29], but that has a number of side-effects in the Confluence code, including logging out the user if the web sudo authentication fails. That would not be desirable.

Given the difficulty of changing Seraph's primary interface and updating all the implementations, this is unlikely to be an easy issue to resolve.
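The following is an added illustration, not Seraph or Confluence code, of the three options the technical notes discuss: confirming the password against the internal store (fails for users that only exist in the custom authenticator's source), reusing login() as the check (correct answer, but a wrong confirmation drops the session), and a side-effect-free verification hook of the kind the Authenticator interface lacks. Every type here (Session, InternalUserStore, Authenticator, PasswordVerifier, CustomAuthenticator) is a hypothetical stand-in, and the sample users are constructed plain-text entries for brevity.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Toy model of why web sudo (password re-confirmation) breaks under a custom
 * authenticator. All types are hypothetical stand-ins, not Seraph's API;
 * a real user store would hold password hashes, not plain text.
 */
public class WebSudoModel {

    /** Stand-in for the server-side session the authentication layer manages. */
    static final class Session {
        String user;          // null = not logged in
        boolean webSudo;      // elevated (password-confirmed) state
    }

    /** Stand-in for the internal user store Confluence checks today. */
    static final class InternalUserStore {
        private final Map<String, String> creds = new HashMap<>();
        void add(String user, String password) { creds.put(user, password); }
        boolean check(String user, String password) {
            return password.equals(creds.get(user));
        }
    }

    /** Stand-in for a pluggable authenticator that, as the issue says, only exposes login(). */
    interface Authenticator {
        boolean login(Session session, String user, String password);
    }

    /** The side-effect-free credential check the issue says the interface lacks (hypothetical). */
    interface PasswordVerifier {
        boolean verify(String user, String password);
    }

    /** Custom authenticator backed by its own (external) credential source. */
    static final class CustomAuthenticator implements Authenticator, PasswordVerifier {
        private final Map<String, String> external = new HashMap<>();
        void add(String user, String password) { external.put(user, password); }

        public boolean verify(String user, String password) {
            return password.equals(external.get(user));   // no session mutation
        }

        public boolean login(Session session, String user, String password) {
            if (verify(user, password)) { session.user = user; return true; }
            session.user = null;   // side effect: a failed login drops the session
            return false;
        }
    }

    /* Three ways to implement "confirm your password" for web sudo. */

    /** 1. What the issue describes: check against the internal store only. */
    static boolean confirmViaInternalStore(InternalUserStore store, Session s, String pw) {
        return s.user != null && store.check(s.user, pw);
    }

    /** 2. Reusing login() as the check: right verdict, but a wrong password logs the user out. */
    static boolean confirmViaLogin(Authenticator auth, Session s, String pw) {
        return s.user != null && auth.login(s, s.user, pw);
    }

    /** 3. A dedicated verifier: right verdict and the session is untouched on failure. */
    static boolean confirmViaVerifier(PasswordVerifier v, Session s, String pw) {
        return s.user != null && v.verify(s.user, pw);
    }

    public static void main(String[] args) {
        InternalUserStore internal = new InternalUserStore();
        CustomAuthenticator custom = new CustomAuthenticator();
        custom.add("alice", "correct-horse");        // constructed: alice exists only externally

        Session s = new Session();
        custom.login(s, "alice", "correct-horse");   // normal sign-in succeeds

        // 1. Right password, but the internal store has never heard of alice: web sudo refused.
        System.out.println("internal store: " + confirmViaInternalStore(internal, s, "correct-horse"));

        // 2. A typo at the confirmation prompt now ends the whole session.
        System.out.println("via login():    " + confirmViaLogin(custom, s, "typo"));
        System.out.println("still logged in after typo? " + (s.user != null));

        // 3. Verifier: the typo is rejected without logging out; the right password grants web sudo.
        custom.login(s, "alice", "correct-horse");
        System.out.println("verifier, typo: " + confirmViaVerifier(custom, s, "typo")
                + ", still logged in? " + (s.user != null));
        s.webSudo = confirmViaVerifier(custom, s, "correct-horse");
        System.out.println("verifier, correct password -> webSudo=" + s.webSudo);
    }
}
```

The design point is that a password-confirmation feature needs a credential check that does not touch session state; when the only available entry point is login(), a failed confirmation is indistinguishable from a failed sign-in and inherits its consequences.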