Project: Jira Data Center
Issue: JRASERVER-26196

Failed authentication in BASIC auth requests causes CAPTCHA counter to be incremented twice


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Fix Version/s: None
    • Affects Version/s: 4.4.3
    • Component/s: None

    Description

      Steps to reproduce:

      • Set up JIRA, create issue TST-1
      • Run the following command twice, making sure to use the wrong password:
      curl -i -u admin:notadminpassword http://localhost:8080/browse/TST-1

      You should get a 401 Unauthorized HTTP status code and X-Seraph-LoginReason: AUTHENTICATED_FAILED in the response headers.

      • Run the command again. You will get X-Seraph-LoginReason: AUTHENTICATION_DENIED in the response, meaning that the 2 failed logins have triggered CAPTCHA protection, even though 3 failed logins are required to trigger CAPTCHA protection.

      Looks like Seraph's PasswordBasedLoginFilter and DefaultAuthenticator are stepping on each other's toes here. Why are they both responsible for calling ElevatedSecurityGuard.onFailedLoginAttempt(HttpServletRequest,String)?
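As an added example (not part of the reporter's text or of Seraph/Jira itself), the following POSIX shell helper automates the reproduction steps above: it repeats the failed BASIC auth request with curl, reads the X-Seraph-LoginReason header from each response, and reports on which attempt Seraph first answers AUTHENTICATION_DENIED. The base URL, credentials and issue key are the ones from the report; the function names and the sample header blocks used to describe them are this example's own.

```shell
#!/bin/sh
# Hypothetical helper (not from JRASERVER-26196) for measuring after how many
# failed BASIC auth attempts Seraph switches from AUTHENTICATED_FAILED to
# AUTHENTICATION_DENIED, i.e. when the CAPTCHA counter reaches its threshold.

# Read a block of HTTP response headers on stdin and print the value of the
# X-Seraph-LoginReason header (empty if absent). Header names are matched
# case-insensitively and CR characters from the HTTP line endings are dropped.
login_reason() {
    tr -d '\r' | awk -F':' '
        tolower($1) == "x-seraph-loginreason" {
            sub(/^[ \t]+/, "", $2)
            print $2
            exit
        }'
}

# Read one login reason per line (one line per attempt, in order) and print the
# 1-based attempt number on which AUTHENTICATION_DENIED first appeared, or 0 if
# no attempt was denied.
first_denied_attempt() {
    awk '
        $0 == "AUTHENTICATION_DENIED" { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# probe BASE_URL USER PASSWORD ISSUE_KEY ATTEMPTS
# Sends ATTEMPTS requests with the given (wrong) password and prints the login
# reason of each response on its own line. curl's -D - dumps the response
# headers to stdout; the body is discarded.
probe() {
    base_url=$1; user=$2; password=$3; issue_key=$4; attempts=$5
    i=1
    while [ "$i" -le "$attempts" ]; do
        curl -s -o /dev/null -D - -u "$user:$password" "$base_url/browse/$issue_key" \
            | login_reason
        i=$((i + 1))
    done
}

# Usage against the report's setup (run by hand; not executed when the file is
# sourced):
#   probe http://localhost:8080 admin notadminpassword TST-1 4 | first_denied_attempt
```

On an instance showing the bug described in the report, two failed logins are enough, so the third request is already denied and the pipeline prints 3. With the documented three-failure threshold, the third request should still answer AUTHENTICATED_FAILED and only the fourth be denied, so the expected value is 4. Run the probe against a freshly created test user, since every request it sends counts as a failed login for that account.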

People

    • Assignee: Unassigned
    • Reporter: lmiranda, Luis Miranda (Inactive)
    • Votes: 6
    • Watchers: 5