- Bug
- Resolution: Unresolved
- Medium
- None
- 6.4-OD-11, 7.6.6, 8.17.1
- 6.04
- 40
- Severity 2 - Major
- 3
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.
For the moment this bug (or bugs) was only reported on OnDemand, and we have some reasons to believe that it is also related to server load.
Expected behaviour: return a JSON response.
Problems:
- 200 means success and should never have an empty body. Empty-body success responses are supposed to use code 204 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).
- An empty body is not a valid JSON response, so it is not allowed.
- If it is an authentication failure, it MUST return a 401 or 403 code.
- This is not a real authentication failure, because we are 100% sure that the credentials are right (using basic_auth).
- If the server is not able to respond for other reasons, it MUST reply with a 503 code and optionally with a Retry-After header that tells the client when to retry the request.
As stated above, this bug uncovers several serious deviations from the HTTP standard, probably caused by several broken pieces of code.
It may be useful to remark on this response header and the fact that, so far, all reports occurred while using basic_auth:
'x-seraph-loginreason': 'OUT, AUTHENTICATED_FAILED'
Atlassian support suggested, as a temporary workaround, using alternative authentication options. Still, our tests proved that other auth methods are even more prone to fail. Also, BASIC_AUTH is documented in several places as the recommended authentication to use with REST, that being one of the reasons we call it REST.
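An added client-side check, not code from this report or from Atlassian, that applies the rules listed above to a raw response so that a 200 with an empty body and a failed Seraph login is never treated as success. The status/header/body triples are constructed samples and the outcome names are assumptions.

```python
import json
from typing import Any, Mapping, Optional, Tuple

# Outcome labels are an assumption for this example.
AUTH_FAILED = "auth_failed"
RETRY = "retry"
NO_CONTENT = "no_content"
OK = "ok"
PROTOCOL_ERROR = "protocol_error"


def classify_jira_response(status: int, headers: Mapping[str, str],
                           body: bytes) -> Tuple[str, Optional[Any]]:
    """Map a raw Jira REST response to an outcome the caller can act on.

    Returns (outcome, payload): the parsed JSON for OK, the Retry-After
    value in seconds (or None) for RETRY, otherwise None.
    """
    # Header names are case-insensitive, so normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    reason = h.get("x-seraph-loginreason", "")

    if status in (401, 403):
        return AUTH_FAILED, None
    if status == 503:
        ra = h.get("retry-after")
        return RETRY, int(ra) if ra and ra.isdigit() else None
    if status == 204:
        return NO_CONTENT, None
    if status == 200:
        # The symptom in this report: 200, empty body, and Seraph reporting
        # that the login failed. Treat it as an auth failure, not success.
        if "AUTHENTICATED_FAILED" in reason:
            return AUTH_FAILED, None
        if not body.strip():
            # 200 with no body and no Seraph hint is still not valid JSON.
            return PROTOCOL_ERROR, None
        try:
            return OK, json.loads(body)
        except ValueError:
            return PROTOCOL_ERROR, None
    return PROTOCOL_ERROR, None


# Constructed sample responses, not captured from a real server.
SAMPLES = {
    "symptom": (200, {"X-Seraph-LoginReason": "OUT, AUTHENTICATED_FAILED"}, b""),
    "healthy": (200, {"Content-Type": "application/json"}, b'{"key": "ABC-1"}'),
    "overloaded": (503, {"Retry-After": "30"}, b""),
}
```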
- is related to:
  - JRACLOUD-65223 Logging into Tempo IOS causes user to be logged out from JIRA IOS (Closed)
  - JRASERVER-70468 As a Jira Administrator I want to configure user accounts for integration jobs with low login overhead (Closed)
  - SSE-633
- relates to:
  - JRACLOUD-41559 Some REST calls return 200 with no body and AUTHENTICATED_FAILED (Closed)
  - JRACLOUD-65801 All users are logged out of JIRA Cloud every 1 or 2 minutes (Closed)
  - CWD-4401 500 error when validating a concurrently invalidated SSO token (Long Term Backlog)
  - CWD-4342 Don't try to invalidate a session ID of an empty string (Closed)
  - PSR-389
- is blocked by:
  - PSR-115
- links to: