Details
- Bug
- Resolution: Unresolved
- Medium
- None
- 4.4.3
- None
- 4.04
- 2
- Severity 2 - Major
- 1
Description
Steps to reproduce:
- Set up JIRA, create issue TST-1
- Run the following command twice, making sure to use the wrong password:
curl -i -u admin:notadminpassword http://localhost:8080/browse/TST-1
You should get a 401 Unauthorized HTTP status code and X-Seraph-LoginReason: AUTHENTICATED_FAILED in the response headers.
- Run the command again. You will get X-Seraph-LoginReason: AUTHENTICATION_DENIED in the response, meaning that the 2 failed logins have triggered CAPTCHA protection, even though 3 failed logins are required to trigger CAPTCHA protection.
Looks like Seraph's PasswordBasedLoginFilter and DefaultAuthenticator are stepping on each other's toes here. Why are they both responsible for calling ElevatedSecurityGuard.onFailedLoginAttempt(HttpServletRequest,String)?
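The following shell script is an added example, not part of this bug report or of Seraph: it drives the reproduction above against a local test instance and reports on which failed attempt the X-Seraph-LoginReason header first switches to AUTHENTICATION_DENIED, so the observed count can be compared with the documented threshold of 3. JIRA_URL, JIRA_USER, the function names and the wrong-password values are assumptions.

```shell
#!/bin/sh
# Added example (not from the JIRA issue or Seraph). Counts how many failed
# logins a local JIRA accepts before Seraph demands a CAPTCHA.
JIRA_URL="${JIRA_URL:-http://localhost:8080}"   # assumed local test instance
JIRA_USER="${JIRA_USER:-admin}"                 # assumed account name
EXPECTED_THRESHOLD=3                            # documented failures before CAPTCHA

# Print the X-Seraph-LoginReason value from a block of response headers
# (CRLF line endings tolerated); prints nothing if the header is absent.
login_reason() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F': ' 'tolower($1) == "x-seraph-loginreason" { print $2; exit }'
}

# Given the reasons seen on successive attempts, print the attempt number
# on which AUTHENTICATION_DENIED first appeared, or 0 if it never did.
first_denied_attempt() {
    n=0
    for reason in "$@"; do
        n=$((n + 1))
        [ "$reason" = "AUTHENTICATION_DENIED" ] && { echo "$n"; return 0; }
    done
    echo 0
}

# Return 0 when CAPTCHA kicked in exactly on the expected attempt.
check_threshold() {
    [ "$1" -eq "$2" ]
}

# Issue up to $1 requests with a deliberately wrong password each, then
# report on which attempt CAPTCHA was first demanded (headers only, body dropped).
probe() {
    max="$1"; i=1; reasons=""
    while [ "$i" -le "$max" ]; do
        headers=$(curl -s -o /dev/null -D - \
            -u "$JIRA_USER:wrong-password-$i" "$JIRA_URL/browse/TST-1")
        reasons="$reasons $(login_reason "$headers")"
        i=$((i + 1))
    done
    first_denied_attempt $reasons
}

# Set RUN_PROBE=1 to actually query the server; otherwise only the functions are defined.
if [ "${RUN_PROBE:-0}" = "1" ]; then
    observed=$(probe 5)
    if check_threshold "$observed" "$EXPECTED_THRESHOLD"; then
        echo "CAPTCHA demanded on attempt $observed, as documented"
    else
        echo "CAPTCHA demanded on attempt $observed, expected $EXPECTED_THRESHOLD (double-counted failures?)"
    fi
fi
```

With the bug described above, the script reports CAPTCHA on attempt 2 rather than 3.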