- Bug
- Resolution: Fixed
- Highest
- None
- 4.1
- 4.01
TO CUSTOMERS WHO MAY BE EXPERIENCING THIS ISSUE
This problem is caused because JIRA 4.1 adds a new entry into seraph-config.xml.
<elevatedsecurityguard class="com.atlassian.jira.security.login.JiraElevatedSecurityGuard"/>
This line controls the brute force password protection facility.
Customers who simply copy the old seraph-config.xml over the one that ships with JIRA will in effect remove this entry.
People will need to re-add this line in order for the LoginGadget to work as expected.
4.1.2 has new code to ensure that this configuration is checked and messages will be logged and placed into the system info page.
The LoginGadget has also been made less brittle to this missing entry.
However, it is essential that this entry be present since it controls the brute force password protection in JIRA 4.1 and your system is less secure without it.
Original Description
Several users in support have reported that when they upgrade to 4.1 the login gadget stops working. The behavior they see is:
- login.jsp works fine.
- attempting to login via gadget results in the gadget giving a failure message. If you simply refresh the page, however, you have been logged in.
This appears to be a side effect of the changes to add CAPTCHA in 4.1 and the resulting changes to the login gadget. I don't know why Crowd/Seraph are behaving like this but what happens is that:
- a user gets put into the session
- the authstatuskey is success
- the lastLoginResult is null
In 4.0 we just checked if there was a user in the session to declare "login succeeded". Now we look at lastLoginResult, which is null for reasons yet unknown.
WORKAROUND: To any customers affected by this bug, the workaround is to use the Login link in the top right corner of the page. This is a link to login.jsp and this is known to work as expected.
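A post-upgrade check for the entry described above, as an added example that is not Atlassian's code: it parses the contents of seraph-config.xml and reports whether the elevatedsecurityguard element is present with the class quoted on this page. The function name and the sample documents are constructed for illustration; a deployment that deliberately uses a different guard class would need EXPECTED_CLASS changed.

```python
import sys
import xml.etree.ElementTree as ET

# Class name taken from the entry quoted on this page.
EXPECTED_CLASS = "com.atlassian.jira.security.login.JiraElevatedSecurityGuard"


def check_elevated_security_guard(xml_data):
    """Return (ok, message) for the contents (str or bytes) of seraph-config.xml."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    # ElementTree drops comments while parsing, so an entry that was
    # commented out is reported as missing; a plain text search for the
    # class name would wrongly count it as present.
    guards = list(root.iter("elevatedsecurityguard"))
    if not guards:
        return False, "elevatedsecurityguard entry is missing"
    cls = (guards[0].get("class") or "").strip()
    if cls != EXPECTED_CLASS:
        return False, f"unexpected guard class: {cls!r}"
    return True, "elevatedsecurityguard entry present"


# Constructed samples (not real JIRA files): everything except the
# elevatedsecurityguard line is a minimal stand-in.
GOOD = (f'<security-config><elevatedsecurityguard class="{EXPECTED_CLASS}"/>'
        '</security-config>')
OLD_COPY = "<security-config><parameters/></security-config>"
COMMENTED = (f'<security-config><!-- <elevatedsecurityguard '
             f'class="{EXPECTED_CLASS}"/> --></security-config>')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a real seraph-config.xml; read as bytes so the parser
        # honours the encoding declared in the file.
        with open(sys.argv[1], "rb") as fh:
            ok, msg = check_elevated_security_guard(fh.read())
        print(msg)
        sys.exit(0 if ok else 1)
    for name, sample in [("good", GOOD), ("old copy", OLD_COPY),
                         ("commented out", COMMENTED)]:
        print(name, check_elevated_security_guard(sample))
```

Run with the path to seraph-config.xml as the only argument; the exit status is non-zero when the entry is absent, commented out, or names a different class.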
- causes
  - JRASERVER-21386 JIRA CAPTCHA functionality will not work if seraph-config.xml is missing "elevatedsecurityguard" settings
  - Closed
I have added the above class statement near the bottom of the file, and then restarted JIRA. Issue is solved for us.