Ruslan Dautkhanov created ZEPPELIN-3719:
-------------------------------------------

             Summary: LdapGroupRealm allows to login with empty password
                 Key: ZEPPELIN-3719
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3719
             Project: Zeppelin
          Issue Type: Bug
          Components: security
    Affects Versions: 0.8.0
            Reporter: Ruslan Dautkhanov

We use LDAPGroupRealm for authentication. Not sure how we didn't notice, but just entering an *empty* password allows logging in (!)

Hopefully it's just a misconfiguration on our side, but if it's not, it looks like a big security hole.

Looking at the code, there should be an exception here [https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/LoginRestApi.java#L165] but it doesn't happen.

Changed log4j logging to DEBUG but still don't see any traces of why this happens.

Can somebody else please try to see if they can reproduce?