chauth / confluence_http_authenticator

The new home of the Confluence HTTP Authenticator (formerly known as the Confluence Shibboleth Authenticator)

How to bypass URL /download/attachments/ for Companion App in Confluence? #55

Open afernandezanusuyia opened 5 years ago

afernandezanusuyia commented 5 years ago

How do we allow this URL to bypass the enforced SSO:

• /download/attachments/

as this is how the Companion App in Confluence uses a short-lived authentication session to download the attachment?

marcquark commented 4 years ago

The 7.2 upgrade notes describe what you need to do

https://confluence.atlassian.com/doc/confluence-7-2-upgrade-notes-979421823.html

suedti commented 4 years ago

Has anybody had success with this approach?

We tried the following config, but neither the Companion App nor the Confluence mobile app is working correctly.

Any suggestions?

THANKS

        <Location /rest/prototype/1/content>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /server-status>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /s/>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /plugins>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /images>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /rest/token-auth/api/>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /download/token-auth/attachments/>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /plugins/servlet/imgFilter>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /server-info.action>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /rest/previews/templinksresource/companion/*>
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
        </Location>
        <Location /rest/org.swift.confluence.cli>
            Allow from all
            Satisfy any
        </Location>

Rafa40 commented 4 years ago

Hi,

Is there any news about it? We allowed those URLs:

• /rest/token-auth/api/*
• /download/token-auth/attachments/*
• /plugins/servlet/imgFilter*
• /rest/analytics/1.0/publish/bulk (this is only necessary if you have opted in to data collection)

but it does not work. It seems it is still blocked by /download/attachments/*

Thank you

marcquark commented 4 years ago

Which webserver are you using? Could you post the relevant parts of your config?

Below works for me with Apache:

        <Location /rest/token-auth/api/>
            Require all granted
        </Location>
        <Location /download/token-auth/attachments/>
            Require all granted
        </Location>
        <Location /plugins/servlet/imgFilter*>
            Require all granted
        </Location>
        <Location /rest/analytics/1.0/publish/bulk>
            Require all granted
        </Location>
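
An audit sketch for configs like the ones posted in this thread, added here and not part of the thread or the project's code: it lists `<Location>` blocks that let requests through without a session and separates the four paths named in this thread from anything else. The `SAMPLE` config and all function names are constructed for illustration, and paths are compared as literal strings rather than with Apache's full matching rules.

```python
import re
# The four paths this thread lists as needing to work without an SSO session.
EXPECTED_OPEN = {"/rest/token-auth/api/", "/download/token-auth/attachments/",
                 "/plugins/servlet/imgFilter", "/rest/analytics/1.0/publish/bulk"}

# Constructed sample: two exemptions from the thread plus one extra block.
SAMPLE = """\
<Location />
    AuthType shibboleth
    Require valid-user
</Location>
<Location /rest/token-auth/api/>
    Require all granted
</Location>
<Location /plugins/servlet/imgFilter*>
    Require all granted
</Location>
<Location /download/attachments/>
    AuthType shibboleth
    ShibRequireSession Off
    Require shibboleth
</Location>
"""

def needs_no_session(directives):
    """True if a block's directives let a request through without a session."""
    d = {" ".join(x.lower().split()) for x in directives}
    return ("require all granted" in d or "shibrequiresession off" in d
            or {"satisfy any", "allow from all"} <= d)

def open_locations(config_text):
    """Paths of <Location> blocks that do not require a session."""
    found, path, directives = [], None, []
    for line in map(str.strip, config_text.splitlines()):
        opened = re.match(r"<Location\s+([^>\s]+)\s*>$", line, re.I)
        if opened:
            path, directives = opened.group(1), []
        elif re.match(r"</Location\s*>$", line, re.I):
            if path is not None and needs_no_session(directives):
                found.append(path)
            path = None
        elif path is not None and line and not line.startswith("#"):
            directives.append(line)
    return found

def audit(config_text):
    """Split session-free paths into (listed in thread, not listed)."""
    paths = open_locations(config_text)
    listed = [p for p in paths if p.rstrip("*") in EXPECTED_OPEN]
    return listed, [p for p in paths if p not in listed]
```

Calling `audit()` on the vhost file's text returns the session-free paths in two lists, so any exemption beyond the four named here is visible at a glance.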

Rafa40 commented 4 years ago

Hi,

Oops! If it works for you, then it must be something else in my server's configuration. I will investigate it more deeply. Thank you for the confirmation.

amknight commented 3 years ago

@Rafa40 Were you eventually able to get this to work? The problem may be related to this bug: https://jira.atlassian.com/browse/CONFSERVER-63189

Rafa40 commented 3 years ago

Hi @amknight,

Sadly, no solution yet. To make it work, as a workaround, we added a VPN rule related to /download/attachments/*. I will try again after upgrading Confluence to 7.13.