Hello,
after upgrading from Confluence DC 8.5 to 9.2, I cannot authenticate requests against my servlet app endpoint anymore using Basic Authentication, (likely) due to the recently introduced 2-step-verification.
When calling the servlet endpoint using a valid (admin) user with Basic Auth headers, I can see that the authentication gets invalidated after the first request in this log:
DEBUG [http-nio-8090-exec-5 url: /plugins/servlet/myendpoint]
[authentication.basicauth.filter.DisableBasicAuthFilter] invalidateSessionIfNativeLoginRestricted
Session for Basic Authentication will be invalidated because the 2SV-capable login mode is enabled
However, as far as I can see I do not even have 2-step-verification enabled in my instance.
After invalidation, subsequent requests are issued with the user "anonymous". This still works, but only if I put the @UnrestrictedAccess annotation onto my servlet, which obviously seems the wrong way to go.
PAT-based authentication is not affected by this and works fine. I know PAT is the recommended and preferred way to authenticate, but I would like to keep Basic Auth working if possible.
My main questions are:
- Is the observed behaviour correct, with 2SV seemingly being disabled?
- Where can I properly switch off the "2SV-capable login mode"?
- In which JAR is the DisableBasicAuthFilter code situated? I found it difficult to troubleshoot this issue in the debugger.
- With the advent of 2SV, is the usage of Basic Auth for authenticating against servlet app endpoints even still supported at all?
- Why does this not affect PAT based authentication?
Many thanks for your support!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.