Jira retrying API call multiple times when authentication fails using basic authentication

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Affects Version/s: 8.5.7, 8.22.3, 9.6.0
    • Component/s: REST API
    • Severity 3 - Minor

      Issue Summary

      When sending an API call to Jira using basic authentication, Jira retries the operation multiple times, causing the account to lock out quickly.

      This is reproducible on Data Center: (yes)

      Steps to Reproduce

      1. Monitor the atlassian-jira-security.log found in the <jira-home>/log directory
      2. Send an API call to Jira using basic authentication with bad credentials
        • Example API call:
          curl -D- -u username:password -X GET -H "Content-Type: application/json" <baseURL>/rest/api/2/issue
          
      3. Check the atlassian-jira-security.log file and you will see multiple login attempts from the single API execution
      4. Sending the API call to Jira multiple times will lock out the account more quickly than expected.

      This same behavior does not occur upon entering bad credentials when logging into Jira from the UI.

      Expected Results

      A single login attempt should be logged when executing an API call sent to Jira

      Actual Results

      The following entries are written to the atlassian-jira-security.log file:

      2023-03-02 16:02:43,687+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue login : 'bigdave' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
      2023-03-02 16:02:43,700+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue The user 'bigdave' has FAILED authentication.  Failure count equals 1
      2023-03-02 16:02:43,721+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue login : 'bigdave' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
      2023-03-02 16:02:43,738+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue The user 'bigdave' has FAILED authentication.  Failure count equals 2
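
A detection sketch for the pattern in these entries, added here as an example and not part of the original report or of Jira itself: it groups FAILED authentication entries by request and flags any request that raised the failure count more than once. It assumes the fourth field (962x228x1 above) identifies a single HTTP request; the 'alice' line is constructed for contrast.

```python
import re
from collections import defaultdict

# First four lines are the entries quoted in the report; the last line is a
# constructed entry (hypothetical user 'alice') showing a normal single failure.
SAMPLE_LOG = """\
2023-03-02 16:02:43,687+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue login : 'bigdave' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2023-03-02 16:02:43,700+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue The user 'bigdave' has FAILED authentication.  Failure count equals 1
2023-03-02 16:02:43,721+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue login : 'bigdave' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2023-03-02 16:02:43,738+0000 http-nio-8080-exec-9 anonymous 962x228x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue The user 'bigdave' has FAILED authentication.  Failure count equals 2
2023-03-02 16:03:10,101+0000 http-nio-8080-exec-4 anonymous 963x229x1 - XXXXXXXXXXXXXXXXX /rest/api/2/issue The user 'alice' has FAILED authentication.  Failure count equals 1
"""

# Layout as seen in the quoted lines: timestamp, thread, user, request id,
# two masked/empty fields, URL, message. The request-id meaning is an assumption.
FAILED_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) (?P<user>\S+) (?P<req>\d+x\d+x\d+) "
    r"\S+ \S+ (?P<url>\S+) "
    r"The user '(?P<name>[^']+)' has FAILED authentication\.\s+"
    r"Failure count equals (?P<count>\d+)$"
)


def repeated_failures(log_text):
    """Return {(request_id, username): [failure counts]} for every request
    that logged more than one FAILED authentication entry."""
    per_request = defaultdict(list)
    for line in log_text.splitlines():
        match = FAILED_LINE.match(line.strip())
        if match:
            key = (match["req"], match["name"])
            per_request[key].append(int(match["count"]))
    # One failed entry per request is the expected behaviour; more than one
    # means a single call consumed several lockout attempts.
    return {key: counts for key, counts in per_request.items() if len(counts) > 1}


if __name__ == "__main__":
    for (req, name), counts in repeated_failures(SAMPLE_LOG).items():
        print(f"request {req}: user {name!r} failure count advanced {counts}")
```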
      

      Workaround

      Workaround 1

      • Disable basic authentication for REST API calls in Jira Administration > System > Authentication methods
      • Users will need to create and use a personal access token when sending an API call by following Using Personal Access Tokens

      Workaround 2

      • Increase the "Maximum Authentication Attempts Allowed" value, which is set to a default of 3, to a higher value to account for the additional failed login attempts when a REST API call using basic authentication fails due to bad credentials.
        • Path: Jira Administration > System > General Configuration > "Edit setting

            Assignee:
            Unassigned
            Reporter:
            David McCoy
            Votes:
            2
            Watchers:
            3
