Skip to end of metadata
Go to start of metadata



Table of content

Back to admin guide

Secure additional URLs

URL filter configuration

404 - Page not found

Add a custom filter

We did our best to secure all sensitive user data within Confluence and Linchpin. But there are many third-party apps which provide their own functions and may expose too much information in an extranet.

Therefore we let you choose to secure those functions by simply blocking them for extranet users.

A URL (function) is blocked, if the user

  • is assigned to at least one extranet space AND
  • is not a user or space manager in at least one extranet space AND
  • is not a Confluence administrator AND
  • the visibility configuration is set to "Global and Space Administrators and Extranet User Managers"

To add a custom filter, enter the URL to be blocked in the appropriate. You may skip the base URL and the context path.

For example instead of http://yourinstance.de/confluence/browsepeople.action you may simply enter /browsepeople.action

(warning) There are certain URLs that are not able to be blocked, as they may break your Confluence instance:

  • /admin/*
  • /download/*
  • /images/*
  • /plugins/servlet/upm

Blocking any of these will mean the user sees a "404 - Page not found" error (not a "No Permission" error). This way there is no information exposed about the existence of a function within your instance.

Use a wildcard

To block several extensions with the same URL base you may use wildcards (asterisks).

For example if you enter /plugin/example* the following URLs will be blocked:

  • /plugin/example
  • /plugin/example/page
  • /plugin/example/page/childpage

These URLs will NOT be blocked:

  • /plugin/extra
  • /plugin/extra/page

Username placeholders

Some URLs contain a dynamic username (e.g. to fetch data for a specific user). For that you can add a placeholder in the URL mask and the app will check if you are allowed to see the specified user.

Add the key word {username} into your URL.

For example if you enter /plugin/sensitivedata/{username} the app will check visibility restrictions for the actual value in place of {username}.

When the URL visited ends in /plugin/sensitivedata/extranetuser1, if the visitor is not allowed to see this user, the content will be blocked.

You can use query parameters, like /plugin/userdata?username={username}. You can check the visibility for a specific user, for example, when you go to the URL ending with /plugin/userdata?username=extranetuser1.


  • No labels

This content was last updated on 02/28/2019.

This content hasn't been updated in a while. That doesn't have to be a problem. Some of our pages live for years without becoming obsolete. Please click this link if you want us to update this page. Old content can be incorrect, misleading or outdated. Please get in contact with us via a form on this page, our live chat or via email with content@seibert-media.net if you are in doubt, have a question, suggestion, or want changes from us.