
Protecting assets in Confluence

Matthew J. Horn
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 17, 2012

We have a Crowd/Confluence connector that prevents unauthorized users from accessing the Confluence-rendered pages.

However, anyone (including external remote hosts) can still access directories such as images, includes, and other files. Is there any way to prevent access to these from non-authorized users?

For example, to view content on our Confluence site, you'd need a login to view http://mysite.com. However, you could access images, for example, at http://mysite.com/images/en_GB.gif or raw decorator source files, for example, at http://mysite.com/decorators/admin.vmd.

Does anyone else see this as a security issue?

2 answers

2 votes
Adam Laskowski
Rising Star
December 21, 2012

The images directory in your instance contains a lot of the standardized Atlassian logos and images that we use all around the site that need to be accessible to anonymous viewers. For instance, your site logo on the Confluence login page has your site logo stored in /images/logos, and without anonymous access, the user would just see a broken image link when logging in. All images uploaded to your site by users are behind the /download/attachments resource, which is login protected so long as you don't have the global and space permissions for anonymous users set.

As for the Velocity files, I'm unfortunately a little less knowledgeable about the need for anonymous access to the content. However, if you haven't made any customizations to the files themselves, they should not have any information to worry about. More importantly, the anonymous access to either of these resource locations does not inherently put your site at risk.
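
A way to check, from outside a session, which of the paths discussed in this thread answer anonymously (an added example, not code from the posters or from Atlassian). The attachment path, the `login` redirect heuristic and the expected-exposure table are assumptions to adjust for your own site.

```python
import urllib.error
import urllib.request

# Intended anonymous exposure, following the defaults described above. Edit to match
# your policy. The attachment path is a constructed sample, not a real page id.
EXPECT = {
    "/images/en_GB.gif": "public",
    "/decorators/admin.vmd": "public",
    "/download/attachments/12345/sample.png": "protected",
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it

def probe(base_url, path, timeout=10):
    """Request one path with no cookies or credentials; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or ""

def classify(status, location=""):
    """Map an anonymous response to 'public', 'protected' or 'other'."""
    if status in (401, 403):
        return "protected"
    # Assumption: a redirect whose target contains "login" is the login challenge.
    if status in (301, 302, 303, 307) and "login" in location.lower():
        return "protected"
    return "public" if status == 200 else "other"

def audit(responses, expect=EXPECT):
    """Return (path, expected, observed) for every path that deviates from policy."""
    findings = []
    for path, (status, location) in responses.items():
        observed = classify(status, location)
        if observed != expect.get(path):
            findings.append((path, expect.get(path), observed))
    return findings

# Constructed responses: the attachment is served without a login challenge.
SAMPLE = {
    "/images/en_GB.gif": (200, ""),
    "/decorators/admin.vmd": (200, ""),
    "/download/attachments/12345/sample.png": (200, ""),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    # Live use: audit({p: probe("http://mysite.com", p) for p in EXPECT})
```

An empty result means every probed path matches the intended exposure; a finding on the attachment path points at the anonymous global or space permissions mentioned above.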

1 vote
Matthew J. Horn
Rising Star
January 7, 2013

FWIW, I figured out a way to do this using the Seraph-based authentication that is built into Confluence. This is the same authentication that protects the "admin" panel. I'll blog about it and try to capture the steps to use it.

Steven F Behnke
Rising Star
February 12, 2015

Please do!
