Intermittent account locking from brute force protection

adnan.khan · January 6, 2026, 5:36am

Hi,

Jmix 1.5 version

Brute force protection locks accounts after invalid login patterns, like multiple wrong passwords in a short time. It sometimes skips locking and user can try more than thresholds attempts without locking user.


jmix.security.bruteforceprotection.enabled = true
jmix.security.bruteforceprotection.max-login-attempts-number = 3
jmix.security.bruteforceprotection.block-interval = 120
jmix.security.bruteforceprotection.use-system-context = true
jmix.security.bruteforceprotection.apply-to-all-users = true

shchienko · January 6, 2026, 7:20am

Hello @adnan.khan,

Does the problem reproduce consistently? Please clarify under what conditions it is possible to make a greater number of password entry attempts?

We have taken note of your question and will try to resolve the problem.

Regards,
Nikita

adnan.khan · January 7, 2026, 6:43am

@shchienko

We have checked this in incognito mode in chrome browser it is working fine.