Details
Bug
Status: Open
Blocker
Resolution: Unresolved
0.8.0, 0.8.1, 0.9.0
None
None
Description
We use LDAPGroupRealm for authentication.
Not sure how we didn't notice, but just entering an empty password allows login.
If we enter an incorrect password, it doesn't let us log in, as expected.
But an empty password field is somehow treated separately and lets us log in in any case.
Hopefully it's just a misconfiguration on our side, but if it's not, it looks like a big security hole.
Looking at the code, there should be an exception here, but it doesn't happen.
Changed log4j logging to DEBUG but still don't see any traces why this happens.
Can somebody else please try to see if they can reproduce?