ZEPPELIN-3719 (project: Zeppelin)

LdapGroupRealm allows login with an empty password


    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 0.8.0, 0.9.0, 0.8.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      We use LDAPGroupRealm for authentication.

      Not sure how we didn't notice, but just entering an empty password allows login.
      If we enter an incorrect password, it doesn't let us log in, as expected.
      But an empty password field is somehow treated separately and lets us log in in any case.

      Hopefully it's just a misconfiguration on our side, but if it's not, it looks like a big security hole.

      Looking at the code, there should be an exception here

      https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/LoginRestApi.java#L165

      but it doesn't happen.

      Changed log4j logging to DEBUG but still don't see any traces of why this happens.

      Can somebody else please try to see if they can reproduce?
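The behaviour the reporter describes matches a well-known LDAP pitfall rather than a realm-specific bug: under RFC 4513 section 5.1.2, a simple bind that supplies a DN but an empty password is an "unauthenticated" bind, and a directory that permits it answers success without checking any credential. An application that equates "bind succeeded" with "user authenticated" therefore accepts any username with a blank password. The following is an added example, not code from Zeppelin or from the Shiro realm; the directory is a constructed in-memory stand-in that mimics that RFC behaviour, and `login_naive` / `login_hardened` are hypothetical names chosen to contrast the flawed flow with the defended one.

```python
"""Empty-password LDAP bind: the failure mode and the client-side guard.

RFC 4513 s5.1.2: DN present + empty password = "unauthenticated" bind. Servers
that allow it return success without verifying anything, so a login path that
trusts the bind result alone lets anyone in with a blank password. The guard
is to refuse empty (or None) passwords before the directory is ever contacted.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


class LdapBindError(Exception):
    """Raised by the simulated server for any failed bind."""


@dataclass
class SimulatedLdapServer:
    """Constructed stand-in for a directory; NOT a real LDAP client or server.

    passwords maps a bind DN to its password. allow_unauthenticated_bind models
    the server-side setting that decides whether a DN + empty password binds.
    """
    passwords: Dict[str, str] = field(default_factory=dict)
    allow_unauthenticated_bind: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn == "" and password == "":
            return True  # anonymous bind: succeeds, but carries no identity
        if password == "":
            if self.allow_unauthenticated_bind:
                return True  # unauthenticated bind: succeeds, credential never checked
            raise LdapBindError("unwillingToPerform: unauthenticated bind disabled")
        if self.passwords.get(dn) == password:
            return True
        raise LdapBindError("invalidCredentials")


def user_dn(username: str) -> str:
    """Build the bind DN from a username (template is an assumption)."""
    return f"uid={username},ou=people,dc=example,dc=com"


def login_naive(server: SimulatedLdapServer, username: str, password: Optional[str]) -> bool:
    """Flawed flow: passes whatever it received straight to the bind."""
    try:
        return server.simple_bind(user_dn(username), password or "")
    except LdapBindError:
        return False


def login_hardened(server: SimulatedLdapServer, username: str, password: Optional[str]) -> bool:
    """Defended flow: reject empty credentials before touching the directory."""
    if not username or not username.strip():
        return False
    if password is None or password == "":
        # Never let an empty password reach simple_bind; it would become an
        # unauthenticated bind on servers that permit one.
        return False
    try:
        return server.simple_bind(user_dn(username), password)
    except LdapBindError:
        return False


if __name__ == "__main__":
    # Constructed directory with one account.
    directory = SimulatedLdapServer(passwords={user_dn("alice"): "correct horse"})
    print("naive, empty password   :", login_naive(directory, "alice", ""))      # True  (the hole)
    print("hardened, empty password:", login_hardened(directory, "alice", ""))   # False
    print("hardened, right password:", login_hardened(directory, "alice", "correct horse"))
```

The client-side check is the part an application controls; the complementary server-side fix is to disable unauthenticated binds on the directory itself, since some directories accept them by default. Both are worth having: the guard above protects every login path in the application, and the server setting protects every application that binds to that directory.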

       


            People

            • Assignee: Vipin Rathor (vrathor-hw)
            • Reporter: Ruslan Dautkhanov (Tagar)
            • Votes: 0
            • Watchers: 5
