Authentication Filter intercepting POST calls into login.action
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After upgrading Atlassian Confluence Data Center / Server to 7.13.18, 7.19.10, 8.3.1, 8.4.0 or newer, you see the following WARN logged in the <home-dir>/logs/atlassian-confluence.log file:
2024-01-28 15:00:00,000 WARN [http-nio-8090-exec-1] [web.filter.authentication.AuthenticationFilter] doFilterInternal POST method is not supported, thus sending '303 See Other' redirect
-- url: /confluence/login.action | traceId: 4f7ee02f2bfcbd5a | userName: <username>
Environment
Atlassian Confluence Data Center with SSO enabled.
Diagnosis
The web.filter.authentication.AuthenticationFilter reviews POST requests into login.action, checks the authentication configuration for Confluence, and either rejects and redirects the request or allows it through. This check is based on the authentication method selected (General Configuration → Authentication Method) when certain conditions exist:
If both SSO and Basic authentication are enabled:
  - POST calls are not allowed into /<contextpath>/login.action
  - Redirect occurs (as a GET request) and a '303 SEE_OTHER' HTTP code is logged.
If only SSO authentication is enabled:
  - POST calls are not allowed into /<contextpath>/login.action
  - Redirect occurs (as a GET request) and a '303 SEE_OTHER' HTTP code is logged.
If only Basic authentication login is enabled:
  - POST calls are allowed into /<contextpath>/login.action
  - No redirect occurs and a message 'Skipping because of product specific configuration' is logged.
The setting 'Use Basic Auth for REST API' is not affected by these scenarios, as it uses GET requests and user tokens to authenticate the user. See: Basic auth for REST APIs
Cause
Direct POST calls which hit /<contextpath>/login.action endpoints are no longer allowed when SSO is one of the authentication methods enabled. Instead, these POST requests are updated to GET requests which point to the same POST URL to continue the auth flow as a GET. This is intended behavior.
Solution
If you are seeing a '303 See Other' logged in <home-dir>/logs/atlassian-confluence.log, then a POST request (or a request using another call method; the log should tell you which) is being intercepted. You can check the Confluence access logs using the timestamp in the atlassian-confluence.log for more details on the call into Confluence.
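The lookup described above can be scripted. The following Python sketch is an added example, not Atlassian code: it extracts the AuthenticationFilter WARN entries and pairs each with access-log entries on the same thread, method and path within two seconds. The access-log field order, the function names and the ACCESS_LOG lines are assumptions constructed for illustration; adjust ACCESS_RE to your instance's access-log pattern.

```python
import re
from datetime import datetime, timedelta

# WARN entry as shown in this article; its "-- url: ..." details sit on the following line.
WARN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} WARN \[(?P<thread>[^\]]+)\] \[web\.filter\.authentication"
    r"\.AuthenticationFilter\] doFilterInternal (?P<method>[A-Z]+) method is not supported")
DETAIL_RE = re.compile(r"url: (?P<url>\S+) \| traceId: (?P<trace>\S+) \| userName: (?P<user>.*)")
# Assumed access-log layout: [time zone] user thread client-ip METHOD path protocol status ...
ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^ \]]+) [^\]]+\] (?P<user>\S+) (?P<thread>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) \S+ (?P<status>\d{3})")

def parse_warnings(lines):
    """Return one dict per intercepted request found in atlassian-confluence.log lines."""
    found = []
    for i, line in enumerate(lines):
        m = WARN_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        d = DETAIL_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        rec.update(d.groupdict() if d else {"url": None, "trace": None, "user": None})
        found.append(rec)
    return found

def correlate(warnings, access_lines, window=timedelta(seconds=2)):
    """Pair each warning with access-log entries on the same thread, method and path, close in time."""
    pairs = []
    for w in warnings:
        for line in access_lines:
            a = ACCESS_RE.match(line)
            if not a:
                continue
            ts = datetime.strptime(a["ts"], "%d/%b/%Y:%H:%M:%S")  # assumes both logs use server local time
            if (a["thread"] == w["thread"] and a["method"] == w["method"]
                    and a["path"].split("?")[0] == w["url"] and abs(ts - w["ts"]) <= window):
                pairs.append((w, a.groupdict()))
    return pairs

APP_LOG = [  # the WARN entry quoted in this article
    "2024-01-28 15:00:00,000 WARN [http-nio-8090-exec-1] [web.filter.authentication.AuthenticationFilter] doFilterInternal POST method is not supported, thus sending '303 See Other' redirect",
    " -- url: /confluence/login.action | traceId: 4f7ee02f2bfcbd5a | userName: <username>",
]
ACCESS_LOG = [  # constructed sample lines in the assumed layout
    "[28/Jan/2024:15:00:00 +0000] - http-nio-8090-exec-1 192.0.2.10 POST /confluence/login.action HTTP/1.1 303 12ms - - ExampleClient/1.0",
    "[28/Jan/2024:15:00:00 +0000] - http-nio-8090-exec-4 192.0.2.10 GET /confluence/login.action HTTP/1.1 200 30ms 5120 - ExampleClient/1.0",
    "[28/Jan/2024:15:07:41 +0000] admin http-nio-8090-exec-1 192.0.2.25 POST /confluence/rest/api/content HTTP/1.1 200 88ms 640 - ExampleClient/1.0",
]
```

The client address and User-Agent on the matched access-log entry identify which integration or plugin is still sending POST requests to login.action.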
We have observed this error with the Comala Remote Publishing plugin. Appfire is aware of the issue. Please check the Marketplace listing for updates and apply them when they become available.