Availability | Confluence 7.2 or later |
This page covers JWT (JSON Web Token) authentication in Confluence Data Center. To learn more about JWT token authentication in Atlassian Cloud, see Understanding JWT for Connect apps.
Confluence exposes REST resources with the /rest/api/
prefix. Some REST resources are consumed using token authentication, mainly JWT (JSON Web Token).
JWT authentication can be problematic for customers who use a reverse proxy to redirect requests to an authentication server (for example a single sign-on gateway), as requests with tokens (as a header or part of query parameters) get rejected at the proxy and don't make it to Confluence Data Center for authentication.
For this reason, from Confluence 7.2, we expose REST resources with both of these prefixes:
/rest/token-auth/api/
/rest/api/
and ask customers to allow requests with the /rest/token-auth/api/
prefix to pass through their proxy and allow Confluence to perform the security checks.
Because we don't want to make all resources with the /rest/api/
prefix available without authentication we block all these resources from being available by default and allow plugins to cherry pick the resources they need to be available.
/rest/token-auth/api/
resource availableTo make a resource available you will need to write a new filter that sets the TokenAuthWhitelistOK
attribute to true. Here's an example:
1 2public class TokenAuthWhitelistFilter extends AbstractHttpFilter { @Override public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { request.setAttribute("TokenAuthWhitelistOK", Boolean.TRUE); filterChain.doFilter(request, response); } }
You then need to configure it on the path you would like to expose with location="after-encoding"
and weight="99"
. This is because it needs to run before any other filter that will reject all requests with the /rest/token-auth/api/
prefix.
Here's an example that allows two resources:
1 2<servlet-filter key="TokenAuthWhitelistFilter" class="com.atlassian.confluence.plugins.previews.jwt.TokenAuthWhitelistFilter" location="after-encoding" weight="99" > <url-pattern>/rest/token-auth/api/content/*/child/attachment</url-pattern> <url-pattern>/rest/token-auth/api/content/*/history</url-pattern> <dispatcher>REQUEST</dispatcher> </servlet-filter>
JwtAuthFilter
filter later. If the request has a JWT token but it's invalid, it will be rejected by JwtAuthFilter
.Here's an example showing how to extract the JWT subject without validating the token.
1 2private Optional<String> getJWTSubject(final HttpServletRequest request) { try { // do the work and extract the subject, // the JWT filter will handle verification later String jwtString = JwtUtil.extractJwt(request); if (jwtString == null) { return Optional.empty(); } return Optional.of(jwtReaderFactory .getReader(jwtString) .readUnverified(jwtString) .getSubject()); } catch (Exception e) { log.error( "JwtTokenService.getJWTSubject: error extracting jwt from request. {}", e); return Optional.empty(); } }
Rate this page: