


Table of contents

Secure additional URLs

URL filter configuration

404 - Page not found

Add a custom filter

We did our best to secure all sensitive user data within Confluence and Linchpin. But there are many third-party apps which provide their own functions and may expose too much information in an extranet.

Therefore we let you choose to secure those functions by simply blocking them for extranet users.

A URL (function) is blocked if all of the following apply:

  • the user is assigned to at least one extranet space AND
  • the user is not a user or space manager in at least one extranet space AND
  • the user is not a Confluence administrator AND
  • the visibility configuration is set to "Global and Space Administrators and Extranet User Managers"

To add a custom filter, enter the URL to be blocked in the appropriate. You may skip the base URL and the context path.

For example instead of http://yourinstance.de/confluence/browsepeople.action you may simply enter /browsepeople.action

Warning: Certain URLs cannot be blocked, because blocking them may break your Confluence instance:

  • /admin/*
  • /download/*
  • /images/*
  • /plugins/servlet/upm

A user who requests a blocked URL sees a "404 - Page not found" error (not a "No Permission" error). This way, no information is exposed about the existence of a function within your instance.


Use a wildcard

To block several extensions with the same URL base you may use wildcards (asterisks).

For example if you enter /plugin/example* the following URLs will be blocked:

  • /plugin/example
  • /plugin/example/page
  • /plugin/example/page/childpage

These URLs will NOT be blocked:

  • /plugin/extra
  • /plugin/extra/page

Username placeholders

Some URLs contain a dynamic username (e.g. to fetch data for a specific user). For that you can add a placeholder in the URL mask and the app will check if you are allowed to see the specified user.

Add the key word {username} into your URL.

For example if you enter /plugin/sensitivedata/{username} the app will check visibility restrictions for the actual value in place of {username}.

When the URL visited ends in /plugin/sensitivedata/extranetuser1, if the visitor is not allowed to see this user, the content will be blocked.

Placeholders also work in query parameters, like /plugin/userdata?username={username}. In that case the visibility check runs for the user named in the query, for example when you go to the URL ending with /plugin/userdata?username=extranetuser1.
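To preview which requests a set of masks would cover before entering them, the rules described above (wildcards, {username} placeholders, unblockable URLs) can be modelled as below. This is an added example, not the app's own code: the function names, sample masks and usernames are constructed, and it assumes that `*` matches any run of characters, that `{username}` stands for one path or query value, and that a mask without `?` is compared against the path only.

```python
import re
from urllib.parse import urlsplit

# URLs the page lists as not blockable.
UNBLOCKABLE = ["/admin/*", "/download/*", "/images/*", "/plugins/servlet/upm"]

def compile_mask(mask):
    """'*' matches any run of characters, '{username}' captures one name (assumed semantics)."""
    pieces = re.split(r"(\*|\{username\})", mask)
    regex = "".join(
        ".*" if p == "*" else
        "(?P<username>[^/?&#]+)" if p == "{username}" else
        re.escape(p)
        for p in pieces)
    return re.compile("^" + regex + "$")

def target_for(url, mask, context_path=""):
    """Drop base URL and context path; keep the query only if the mask has one (assumption)."""
    parts = urlsplit(url)
    path = parts.path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    return (path + "?" + parts.query) if ("?" in mask and parts.query) else path

def decide(url, masks, can_see_user, context_path=""):
    """Return '404' or 'allow' for a visitor who already meets the extranet-user conditions."""
    if any(compile_mask(m).match(target_for(url, m, context_path)) for m in UNBLOCKABLE):
        return "allow"  # protected URLs are never blocked
    for mask in masks:
        hit = compile_mask(mask).match(target_for(url, mask, context_path))
        if not hit:
            continue
        user = hit.groupdict().get("username")
        # Plain mask: always blocked. Placeholder mask: blocked only if the
        # named user is not visible to the visitor.
        if user is None or not can_see_user(user):
            return "404"
    return "allow"

if __name__ == "__main__":
    masks = ["/plugin/example*", "/plugin/sensitivedata/{username}"]  # constructed
    visible = {"colleague1"}  # constructed: users the visitor may see
    for url in ["/plugin/example/page", "/plugin/extra",
                "/plugin/sensitivedata/extranetuser1", "/plugin/sensitivedata/colleague1"]:
        print(url, "->", decide(url, masks, visible.__contains__))
```

Under this model a mask such as /plugin/example* also covers sibling paths that merely share the prefix, so it is worth listing the app URLs you expect to stay reachable and running them through the check as well.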

