Disallow blank password #1273

Closed
runnnt0 opened this issue Jun 2, 2015 · 2 comments

runnnt0 commented Jun 2, 2015

In certain JAAS / Active Directory configurations, it is possible to authenticate against AD without providing a password.

From http://webchat.freenode.net/rundeck ...

[10:41] gscheuler: I have been looking at jaas documentation and it seems "guest login" is a feature that mirrors my symptoms
[10:41] • User logs in with a blank password—the properties login module fails to authenticate the user, and authentication proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal.
[10:42] is there a way to disable this feature - or set a flag that basically disallows blank passwords in the password field?

@gschueler gschueler added the bug label Jul 29, 2015
@gschueler gschueler added this to the 2.5.3 milestone Jul 29, 2015
gschueler (Member) commented

If forceBindingLogin="true" and the directory allows anonymous binds, then a blank password will work.

From: https://docs.oracle.com/javase/jndi/tutorial/ldap/faq/context.html

If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then an anonymous bind will occur even if the Context.SECURITY_AUTHENTICATION property was set to "simple". This is because for simple authentication, the LDAP requires the password to be nonempty. If a password is not supplied, then the protocol automatically converts the authentication to "none".

The login module needs to prevent blank passwords.
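The check described in the comment above, as an added example that is not part of the original thread and not Rundeck's own code: a guard that fails the login for every credential value the quoted JNDI text says turns a "simple" bind into an anonymous one. The class name `BlankPasswordGuard`, its method names, and the sample URL and DN are assumptions made for illustration.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.security.auth.login.FailedLoginException;

// Added example (hypothetical class, not Rundeck's code): refuse blank
// credentials before they reach a JNDI "simple" bind.
public class BlankPasswordGuard {

    // True for the values the JNDI tutorial says trigger an anonymous bind:
    // null, empty String, empty byte/char array. A whitespace-only password
    // is non-empty on the wire, so it is left for the directory to judge.
    static boolean isBlank(Object credential) {
        if (credential == null) return true;
        if (credential instanceof String) return ((String) credential).isEmpty();
        if (credential instanceof char[]) return ((char[]) credential).length == 0;
        if (credential instanceof byte[]) return ((byte[]) credential).length == 0;
        return false;
    }

    // Builds the bind environment, failing the login instead of letting the
    // provider silently downgrade the authentication to "none".
    static Hashtable<String, Object> bindEnvironment(String url, String userDn, Object credential)
            throws FailedLoginException {
        if (isBlank(credential)) {
            throw new FailedLoginException("blank password rejected before LDAP bind");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return env; // caller passes this to new InitialDirContext(env)
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the URL and DN are placeholders.
        Object[] samples = { null, "", new char[0], new byte[0], "s3cret" };
        for (Object pw : samples) {
            try {
                bindEnvironment("ldap://ldap.example.test:389", "uid=alice,dc=example,dc=test", pw);
                System.out.println("would attempt authenticated bind");
            } catch (FailedLoginException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting in the login module keeps the protection in place even when the directory itself still permits anonymous binds.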

ypso commented Jan 14, 2019

The bug has come back in Rundeck 3 :(
