[
https://issues.apache.org/jira/browse/OAK-11610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936575#comment-17936575
]
Konrad Windszus commented on OAK-11610:
---------------------------------------
Seems that a user without a password leads to using {{UserIdCredentials}}
(https://github.com/apache/jackrabbit-oak/blob/709fab2f6506336e6eb0002257bee125d689d9ef/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java#L99)
which does not support authentication via
https://github.com/apache/jackrabbit-oak/blob/709fab2f6506336e6eb0002257bee125d689d9ef/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java#L99.
So indeed null/empty string given as password seems to be valid and leads to
the creation of a special user (which cannot be used for authentication purposes).
> Clarify javadoc of o.a.j.api.security.user.UserManager.createUser()
> -------------------------------------------------------------------
>
> Key: OAK-11610
> URL: https://issues.apache.org/jira/browse/OAK-11610
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api
> Affects Versions: 1.76.0
> Reporter: Konrad Windszus
> Priority: Major
>
> Currently the javadoc in
> https://github.com/apache/jackrabbit-oak/blob/709fab2f6506336e6eb0002257bee125d689d9ef/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/UserManager.java#L170-L171
> states
> bq. Creates an User for the given userID / password pair; neither of the
> specified parameters can be null
> However the {{password}} parameter is explicitly marked as {{Nullable}}.
> So is null allowed or not? If yes, what happens if null is passed? Can one
> authenticate then without providing a password?