Authenticating a Confluence User within a servlet filter module?

D. Brutscher
Rising Star
June 14, 2015

Hi,

I currently wrote a Servlet Filter to provide SPNEGO Kerberos SSO Authentication with Confluence. I know it is suggested to implement an Authenticator instead, but I wanted to try whether it would also be possible using a Filter, because this would reduce the amount of administrative work to install the function (no modification to the seraph config etc.).

Ok, I wrote the Filter and all works great if I do not look in the log ;) The remaining problem is that I always get one "IllegalStateException: Cannot call sendError() after the response has been committed" when a user is successfully logged in. The problem seems to be the position within the filter chain; I tried a lot of positions, but I couldn't get it to work without the exception being logged every time a user is logged in (to log in a user I do the same as is done in DefaultAuthenticator.putPrincipalInSessionContext).

Question: Is it really impossible to implement a clean authentication using a filter?

5 answers


0 votes
D. Brutscher
July 1, 2015

I think I got it (the initially described LoginFilter): the IllegalStateException seems to be caused by a filterChain.doFilter in a special situation where I need to leave the chain by simply doing a return.
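As an added illustration of the control-flow point in this answer (this is not the poster's code and not an Atlassian API): a minimal servlet-filter skeleton in which, once the filter has written a Negotiate challenge via sendError, it returns instead of calling chain.doFilter, because any downstream sendError() or sendRedirect() on the already-committed response throws exactly this IllegalStateException. The token validation (validateNegotiateToken) and the session attribute name are placeholders.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative SSO filter skeleton. Token validation and the way the
// principal is stored in the session are placeholders, not Confluence code.
public class NegotiateSsoFilter implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Already authenticated in this session: nothing to do, just continue.
        if (request.getSession(false) != null
                && request.getSession(false).getAttribute("sso.principal") != null) {
            chain.doFilter(request, response);
            return;
        }

        String authz = request.getHeader("Authorization");
        if (authz == null || !authz.startsWith("Negotiate ")) {
            // Challenge the browser. sendError() commits the response, so the
            // filter MUST leave the chain here: calling chain.doFilter() after
            // this is what produces "Cannot call sendError() after the response
            // has been committed" further down the chain.
            response.setHeader("WWW-Authenticate", "Negotiate");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Principal principal = validateNegotiateToken(authz.substring("Negotiate ".length()));
        if (principal == null) {
            // Token rejected: nothing has been written, so the default login
            // system further down the chain can still act as the fallback.
            chain.doFilter(request, response);
            return;
        }

        request.getSession(true).setAttribute("sso.principal", principal);
        chain.doFilter(request, response); // continue only when nothing was written
    }

    // Placeholder: a real implementation validates the GSS-API token here.
    private Principal validateNegotiateToken(String base64Token) { return null; }
}
```

A cheap safety net for the fallback paths is to check response.isCommitted() before any sendError()/sendRedirect() the filter itself performs.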

0 votes
D. Brutscher
June 17, 2015

Strange: as a test I implemented a "real" Authenticator based on the information available at Atlassian and on this example implementation, ExampleSSOAuthenticator.java, but with this method too I get a...

2015-06-17 11:41:04,426 ERROR [http-nio-8443-exec-6] [atlassian.confluence.servlet.ConfluenceServletDispatcher] sendError Could not execute action

 -- url: /dashboard.action | userName: anonymous

java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed

...this is new; I've already written an Authenticator used in an old 3.4.8 instance of Confluence where I never had problems like this, but with the current 5.8.2, hmm...

Ok, the exception doesn't have a negative influence; the Authenticator logs in the user without any problem, but some "small thing isn't right yet"...

0 votes
D. Brutscher
June 15, 2015

Implementation as a filter was an experiment. I currently do not need to change the web.xml because it is implemented as a plugin servlet-filter, which can simply be installed. Within the filter I simulate the login that is done by the default authenticator (put the principal in the session context and raise a login event). All of this is hidden from the default login system, which remains untouched and acts as a fallback: if my filter can't log in the user, the default system takes over.

0 votes
childnode June 15, 2015

I assume that this might be possible; perhaps you might check https://tomcat.apache.org/tomcat-7.0-doc/config/http.html for configurations like maxHeaderCount, which is known as a troublemaker.

Other causes of this message are mostly accidental print() calls or redirects at the wrong time.
Perhaps this might help: redirect issues in the KB => https://confluence.atlassian.com/x/iIP6D

BUT

Last but not least: I bet you read the documentation at https://confluence.atlassian.com/x/ZokC and docs.atlassian.com/atlassian-seraph/latest/sso.html carefully ;)

i.e. you know how seraph filters work?

So perhaps you might implement an Authenticator not a new filter? https://docs.atlassian.com/atlassian-seraph/latest/concepts.html => https://docs.atlassian.com/atlassian-seraph/latest/apidocs/com/atlassian/seraph/auth/Authenticator.html

Question: What are you doing in your filter to let seraph work as a second auth stack accepting your principals?

Nevertheless: you need to change the web.xml instead of the seraph-config.xml, so I don't see a plus for most use cases?!


Just for the record: your Kerberos Auth should be possible with a filter only, while other authentication modes like OAuth will not be, as they need login redirects
=> problem with seraph up to 5.8.1
https://jira.atlassian.com/browse/CONF-35884

0 votes
Alexej Geldt
June 15, 2015

Interesting approach. +1
