Confluence Rest API windows authentication.

serwan gupta December 16, 2017

Hi Team, I'm looking to authenticate confluence rest api (with windows authentication). I have already implemented basic authentication but want to switch to windows authentication for obvious reason (don't want to hard-code username /password). please suggest any resource/guide to achieve this. Tired of searching Confluence Online Help but nothing got anything specific to this.

3 answers

0 votes
Neha Sharma April 1, 2019

Hi,

I have a requirement something similar to this. I'm developing a plugin in confluence in which I have to make api calls to our internal applications from the Java code. Our internal api applications accept only NTLM authentication (Windows Authentication). Below is the code that I'm using currently, but it seems that it is not working - 

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.*;

public class NT {

    static final String kuser = "[USERNAME]"; 
    static final String kpass = "[PASSWORD]"; 

    static class MyAuthenticator extends Authenticator {
        public PasswordAuthentication getPasswordAuthentication() {
            return (new PasswordAuthentication(kuser, kpass.toCharArray()));
        }
    }

    public static void main(String[] args) throws Exception {
        CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
        Authenticator.setDefault(new MyAuthenticator());
        URL url = new URL("<api-url>");
        URLConnection connection = url.openConnection();
        InputStream ins = connection.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
        String str;
        while((str = reader.readLine()) != null)
            System.out.println(str);
    }
}

can someone suggest a get around for this please.

Thanks,

Neha 

0 votes
Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 16, 2017

Hi @serwan gupta

I work for the vendor Kantega Single Sign-on.

Kerberos for REST can be enabled inside our add-ons.

Have a look at https://marketplace.atlassian.com/search?query=kantega

 

If you need any help, just write en email to our support team sso@kantega.no

 

Cheers,

Lars

serwan gupta December 17, 2017

@Lars: I've already checked that. what I understand is it is not ATLASSIAN product and I would require to purchase it explicitly. if I already have confluence/jira licence then just for getting authentication feature i would not go for other vendor product. Moreover purchasing a plugin would require a whole new process trigger at my organisation with business justification. Also, I didn't find any code sample for (C#.NET, Angular or any other javascript library)

my question was if the basic authentication is possible without any plugin and then why not Kerberos? There should be some support from ATLASSIAN

Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 17, 2017

@serwan gupta 

Imaging authentications failing for 1 user, 10 users or perhaps all users. You are waiting for support, and meanwhile people are getting a blank screen. Perhaps it is not working through VPN. Is it network or DNS related? What if you have a large forest of AD`s and SSO does not work for multiple domains, or 3 standalone domain that all want to have SSO?

What I`m saying is that Kerberos is a quite tricky technology and my guess is that Atlassian does not have the expertise to handle all the support it would require. 

I would rather have this add-on delivered from a company that specializes in single sign-on.

Our support team will answer any questions within minutes. In most cases we are able to see the problem right away due to our many built-in test tools. If not, we help customers through remote screen sharing.

 

At least at the moment Atlassian has no way of offering Kerberos to JIRA/Confluence.

Cheers,
Lars

Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 17, 2017

Making an add-on that can log in a user is straight forward if you know what you are doing.

  • What if you also want users to be able to log in as a different users. (actually able to log out)
  • Authenticate to service desk, open confluence attachments without entering their username and password
  • Limit Kerberos to certain IP-ranges
  • Not break any monitoring software
  • Not break application links
  • Not break anonymously view-able pages like filters etc
  • Authenticate users even if the application does NOT require the user to authenticate
  • Etc

Many of our customers are coming to us because the internal development and testing is taking up too much time.

Atlassian changes their product from time to time, and this occasionally breaks the integrations. Sometimes it`s an easy fix, sometimes it`s not. This all depends on what you want to spend your time doing ;-)

 

-Lars 

0 votes
Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 16, 2017

Hi @serwan gupta,

You will need a Kerberos plugin for this. You can find many of them on Atlassian Marketplace: https://marketplace.atlassian.com/search?query=kerberos

I work for the vendor of the IWAAC Kerberos SSO plugin.

You will find code examples (in Groovy, Powershell and Python) of REST clients authenticating with Kerberos on this page. Please note that these examples are not specific to our plugin and thus they should work with any other Kerberos vendor's plugin.

serwan gupta December 17, 2017

@Bruno Vincent: I've already checked that. what I understand is it is not ATLASSIAN product and I would require to purchase it explicitly. if I already have confluence/jira licence then just for getting authentication feature i would not go for other vendor product. Moreover purchasing a plugin would require a whole new process trigger at my organisation with business justification. Also, I didn't find any code sample for (C#.NET, Angular or any other javascript library)

my question was if the basic authentication is possible without any plugin and then why not Kerberos? There should be some support from ATLASSIAN

Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 17, 2017

Hi @serwan gupta

As of today Atlassian does not provide that feature. So you basically have two solutions:

Again, the good news about vendors plugins is that you can find many of them on Atlassian Marketplace so you can easily test them and choose the one that you like the most and best fits your needs and requirements.

Regarding code sample, JavaScript running in a browser will rely upon the browser's native Kerberos support so that should be pretty straightforward. In C#, you can use the WebClient class along with its UseDefaultCredentials property, it will have the same behaviour as in our Powershell example.

serwan gupta December 17, 2017

Thanks! @Bruno Vincent for the update. we will look into how to proceed on this.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events