Child pages
  • Federating Confluence with mod_auth_mellon

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Luckily the The logout button link can be configured in Confluence, but the configuration file is located inside a JAR file (Java ARchive), so it's a little bit of work. For starters, you need the jar command, which is part of openjdk-7-jdk:

 

Code Block
 apt-get --no-install-recommends install openjdk-7-jdk

Then do:

...

You need to extract the JAR and copy/edit an XML file to WEB-INF/classes - see https://confluence.atlassian.com/confkb/how-to-edit-files-in-confluence-jar-files-103711179.html.


Then do:

  • mkdir /tmp/jar
  • jar xf unzip /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar -d /tmp/jar

Now /tmp/jar should contain the contents of the jar. Edit Copy the file xwork.xml and  to /opt/confluence/confluence/WEB-INF/classes and change this part:

 

Code Block
languagehtml/xml
        <action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
            <interceptor-ref name="defaultStack"/>
            <result name="error" type="velocity">/logout.vm</result>
            <result name="success" type="redirect">/login.action?logout=true</result>
        </action>

to this:

Code Block
languagehtml/xml
        <action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
            <interceptor-ref name="defaultStack"/>
            <result name="error" type="velocity">/logout.vm</result>
            <result name="success" type="redirect">/mellon/logout?ReturnTo=%2Fdashboard.action</result>
        </action>

While you're at it, you can also change the Invite Users link on /admin/users/browseusers.action. This will take you a non-federated invitation page, which is not what you want. If your Confluence admins don't know how they should add people (by asking new users to simply log in), then chances are that they will use this option, ending up with a 'wrong' account.

Edit pluginsCopy plugins/user-management.xml and .xml to /opt/confluence/confluence/WEB-INF/classes/plugins/ (you have to create the plugins dir) and change this line:

Code Block
<link linkId="invite-tab-link">/admin/users/inviteuser.action</link>

so that it points to a custom page that you created with the proper instructions.

The page I'm using has a clickable mailto link so that everything is precooked.

 

Now "jar" everything up again and replace the original jar:

Code Block
languagebash
cd /tmp/jar jar cf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar

.

Restart Confluence. You should now also be able to use federated logins on your iPad/etc.

 

jsessionid errors

If unauthenticated users try to access content that is protected, Confluence tries to set jsessionid as part of the URL. This leads to 404 errors like this:

Code Block
NOT FOUND
The requested URL /mellon/login;jsessionid=8A736F43779F96249F6C3DC41067BB98 was not found on this server.

Since the jsessionid part isn't needed, it can be removed uses a rewrite statement (see apache config above).

 

Logging

 

You might want to change the default apache log file configuration to include the federated user name. While you're at it, add milliseconds to the timestamp, and change it to something that is not a nightmare to sort later on:

 

Code Block
#LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
# Sortable log format, with proper federated username. DV 2016-04-05
LogFormat "%v:%p %{%F %T}t.%{msec_frac}t %h %{MELLON_CONF_USER}e \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

This will yield useful stuff like:

Code Block
wiki.geant.org:443 2016-04-05 14:23:10.714 2001:610:148:dead:49be:5225:a8a0:4b1f federated-user-3 "GET /rest/mywork/latest/status/notification/count HTTP/1.1" 200 944 "https://wiki.geant.org/dashboard.action" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"

 

Limit access to the unprotected TCP port

Confluence by default listens to TCP port 8090 on all interface. Since Apache will be the internet facing application, there is no need for Confluence to listen on all interfaces. Even worse, if you do let it listen on the internet then it is trivial to add a REMOTE_USER header and spoof any account. Of course it is good practice to use a firewall to protect this port, but you can limit this in Confluence as well. Since Apache is configured to only connect to the (IPv6) localhost address, this is what you should configure Confluence to use as listening address. As per Tomcat docs, you should add an "address" attribute to the Connector, which is located in conf/server.xml:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" address="::1" minProcessors="5"