Ruslan Dautkhanov created ZEPPELIN-3719:
-------------------------------------------
Summary: LdapGroupRealm allows login with empty password
Key: ZEPPELIN-3719
URL: https://issues.apache.org/jira/browse/ZEPPELIN-3719
Project: Zeppelin
Issue Type: Bug
Components: security
Affects Versions: 0.8.0
Reporter: Ruslan Dautkhanov
We use LdapGroupRealm for authentication.
Not sure how we didn't notice, but just entering an *empty* password allows
login (!)
Hopefully it's just a misconfiguration on our side, but if it's not, it looks
like a big security hole.
Looking at the code, there should be an exception here
[https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/LoginRestApi.java#L165]
but it doesn't happen.
Changed log4j logging to DEBUG but still don't see any trace of why this happens.
Can somebody else please try to see if they can reproduce?
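As a defensive illustration (added here; not Zeppelin's code and not the eventual fix for this issue): a Shiro realm that fails closed on a missing or empty password before any LDAP bind is attempted, because an LDAP server may treat a bind with a DN and an empty password as an "unauthenticated" bind (RFC 4513, section 5.1.2) and report success. The class name and the choice to extend Shiro's JndiLdapRealm directly are assumptions; the override signature is the one JndiLdapRealm exposes.

```java
import javax.naming.NamingException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;

/**
 * Hypothetical realm (not Zeppelin's own): behaves like the stock JndiLdapRealm
 * except that it refuses to bind when the supplied password is absent or empty.
 * Some LDAP servers accept a bind with a DN and an empty password as an
 * unauthenticated bind and return success without checking anything.
 */
public class EmptyPasswordRejectingLdapRealm extends JndiLdapRealm {

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(
            AuthenticationToken token, LdapContextFactory ldapContextFactory)
            throws NamingException {
        if (!hasNonEmptyPassword(token)) {
            // Fail closed before any LDAP round trip happens.
            throw new AuthenticationException(
                "Empty password rejected for principal " + token.getPrincipal());
        }
        return super.queryForAuthenticationInfo(token, ldapContextFactory);
    }

    /** True only when the token carries at least one password character. */
    static boolean hasNonEmptyPassword(AuthenticationToken token) {
        Object creds = token.getCredentials();
        if (creds instanceof char[]) {
            return ((char[]) creds).length > 0;
        }
        if (creds instanceof String) {
            return !((String) creds).isEmpty();
        }
        // Unknown or null credential type: treat as empty and fail closed.
        return false;
    }
}
```

Registering this realm in shiro.ini in place of the LDAP realm means an empty-password request never reaches the directory, so the server's handling of unauthenticated binds no longer decides the outcome.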
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)