We currently have Jira Server version 7.12.0 loaded and it is tied into our LDAP server. When users go to log in to the server and fat-finger their password, the login page just sits there with the spinning icon and doesn't do anything. When I look in the atlassian-jira-security.log, it says that the user tried to log in but they do not have USE permissions or weren't found.
We had the user reset their password in AD and everything worked great then. However, my question is: why doesn't the login splash page tell the user they entered their password wrong? Any thoughts, suggestions or tips on what I can do to resolve that would be greatly appreciated.
Because that would give an attacker the ability to get a complete list of all your user IDs to make an attack on your system easier.
However, there is also something wrong with your Jira - when a user gets the login wrong, it should return them to the login page. You should work out why it's failing to do that - do you have add-ons that inject JavaScript or any hacks?
No, we don't have any add-ons that inject any JavaScript or any hacks.
OK, you'll need to read the logs and check what the browser is doing as it fails to return bad logins to the login screen.