Users with null passwords may log in using an empty string

Steps to reproduce

Steps to reproduce:
1. Create a user in the user database with a null password (to prevent login)
2. Now go to the login screen and log in with the user's login name and an empty password

Actual Results:

The user is logged in by Spring Security

Expected Results:

The user is not logged in

Status

Assignee

Lukas Rohner

Reporter

Tobias Wunden

Severity

Security

Tags (folksonomy)

Components

Fix versions

Affects versions

1.4.0

Priority

Critical
Configure