Configuring Captcha for failed logins
If you have system administrator permissions, you can configure Confluence to impose a maximum number of repeated login attempts. After a given number of failed login attempts (the default is three) Confluence will display a Captcha form asking the user to enter a given word when attempting to log in again. This will prevent brute force attacks on the Confluence login screen.
Similarly, after three failed authentication attempts via the REST API, XML-RPC, or SOAP API endpoints, Captcha is automatically activated. Users must log in using the web interface and complete a Captcha challenge before they can successfully invoke the API endpoints again.
For XML-RPC or SOAP API endpoints (deprecated since Confluence 5.5), an error message instructs the user to log in via the web interface. Meanwhile, the REST API endpoints will return a 401 error until the web login is completed.
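As an added example (not part of the Confluence documentation or product), the following sketch scans an access log for clients whose unbroken run of REST 401 responses has reached the configured maximum, which is the point at which further REST calls keep failing until a web login is completed. The log format, the /rest/ URL prefix, the function name and the sample lines are assumptions; the sketch groups by client address because the assumed log format does not record the attempted username.

```python
import re
from collections import defaultdict

# Assumption: common-log-format access log; adapt the pattern to your own log.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
REST_PREFIX = "/rest/"  # assumption: URL prefix of the REST API endpoints


def captcha_candidates(lines, max_attempts=3):
    """Map client address -> number of REST 401s seen after its unbroken
    run of 401s reached max_attempts (the configured maximum)."""
    streak = defaultdict(int)
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(REST_PREFIX):
            continue  # unparseable line or not a REST request
        ip = m["ip"]
        if m["status"] != "401":
            streak[ip] = 0  # any other REST response ends the run
            continue
        streak[ip] += 1
        if streak[ip] == max_attempts:
            flagged.setdefault(ip, 0)
        elif streak[ip] > max_attempts:
            flagged[ip] += 1
    return flagged


# Constructed sample log lines (documentation address ranges), not real data.
SAMPLE = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /rest/api/content HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /rest/api/content HTTP/1.1" 401 0
198.51.100.4 - - [10/Mar/2024:10:00:03 +0000] "GET /rest/api/space HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /rest/api/content HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /rest/api/content HTTP/1.1" 401 0
198.51.100.4 - - [10/Mar/2024:10:00:06 +0000] "GET /rest/api/content HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /login.action HTTP/1.1" 200 900
203.0.113.7 - - [10/Mar/2024:10:00:08 +0000] "GET /rest/api/content HTTP/1.1" 401 0
198.51.100.4 - - [10/Mar/2024:10:00:09 +0000] "GET /rest/api/space HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for ip, extra in captcha_candidates(SAMPLE).items():
        print(f"{ip}: reached 3 consecutive REST 401s, {extra} more afterwards")
```

Pass the value configured for Maximum Authentication Attempts Allowed as max_attempts if it differs from the default of three.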
“Captcha” is a test that can distinguish a human being from an automated agent such as a web spider or robot. When Captcha is activated, users will need to recognize a distorted picture of a word, and must type the word into a text field. This is easy for humans to do, but very difficult for computers.
Screenshot: example of a Captcha test
Enabling, disabling and configuring Captcha for failed logins
By default, Captcha for failed logins is enabled and the number of failed login attempts is set to three.
To enable, disable and configure Captcha for failed logins:
- Select Administration, then select General Configuration.
- Select Security Configuration from the left menu.
- Select Edit.
- To enable Captcha:
  - Select the Enable checkbox next to CAPTCHA on login.
  - Set the maximum number of failed logins next to Maximum Authentication Attempts Allowed. You must enter a number greater than zero.
- To disable Captcha, clear the Enable checkbox.
- Select Save.
Screenshot: configuring Captcha for failed logins
Notes
- Disabling all password confirmation requests, including Captcha on login. Confluence installations that use a custom authentication mechanism may run into problems with the Confluence security measure that requires password confirmation. If necessary, you can set the password.confirmation.disabled system property to disable functionalities like Captcha, change of email address, and administrative actions that require password-based login or confirmation. See Recognized System Properties.