zowe / sample-spring-boot-api-service

Zowe REST API service SDK and sample API service that integrates with Zowe API Mediation Layer

Check for empty password before calling PlatformUser #78

Closed plavjanik closed 4 years ago

plavjanik commented 4 years ago

Checks for an empty password before calling the PlatformUser.authenticate() method from the IBM JDK, which could succeed in this situation. This has been valid behavior of the underlying BPX4PWD callable service:

> The name of a fullword that contains the length of the Pass parameter. This length must be between 1 and 8 characters for a password or PassTicket or between 9 and 100 characters for a password phrase. A length of zero indicates that the Pass parameter is to be ignored and causes a SURROGAT class check.

So it could succeed with an empty password in cases when the server user ID passed the SURROGAT class check.

Since it is a highly unexpected behavior that is documented three levels below the org.zowe.commons.zos.security.platform.PlatformUser.authenticate() documentation, org.zowe.commons.zos.security.platform.PlatformUser.authenticate() will fail with errno EINVAL (121). If the SURROGAT class check is needed in the future, then a special method will be implemented for it to prevent this confusion.

Resolves #72
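An added example (not the repository's code) contrasting the unguarded call with the guard this PR introduces. `AuthResult`, the `BiFunction` stand-in for the platform call and the constructed platform behaviour are assumptions, since the IBM `PlatformUser` class only exists on z/OS; it also applies the 100-character upper bound quoted from the BPX4PWD documentation.

```java
import java.util.function.BiFunction;

public final class SafePasswordCheck {
    /** Assumed minimal stand-in for the result returned by PlatformUser.authenticate(). */
    public static final class AuthResult {
        public final boolean success;
        public final int errno;
        AuthResult(boolean success, int errno) { this.success = success; this.errno = errno; }
    }

    /** errno value the PR chose for a rejected empty password. */
    public static final int EINVAL = 121;
    /** Upper bound from the BPX4PWD doc quoted in the PR: 100 characters for a password phrase. */
    public static final int MAX_PASS_LENGTH = 100;

    /** Before: delegates unconditionally. A zero-length password makes BPX4PWD skip
     *  password verification and run a SURROGAT class check instead, which can succeed. */
    public static AuthResult authenticateUnchecked(BiFunction<String, String, AuthResult> platform,
                                                   String userId, String password) {
        return platform.apply(userId, password);
    }

    /** After: fail closed locally with EINVAL on an empty (or out-of-range) password,
     *  so the SURROGAT path can never be reached through this method. */
    public static AuthResult authenticateChecked(BiFunction<String, String, AuthResult> platform,
                                                 String userId, String password) {
        if (password == null || password.isEmpty() || password.length() > MAX_PASS_LENGTH) {
            return new AuthResult(false, EINVAL);
        }
        return platform.apply(userId, password);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the platform call: models a server user ID that
        // passes the SURROGAT check, so an empty password is accepted when passed through.
        BiFunction<String, String, AuthResult> platform = (user, pass) ->
            new AuthResult(pass.isEmpty() || "correct-horse".equals(pass), 0);

        AuthResult before = authenticateUnchecked(platform, "SRVUSER", "");
        AuthResult after = authenticateChecked(platform, "SRVUSER", "");
        AuthResult valid = authenticateChecked(platform, "SRVUSER", "correct-horse");

        System.out.println("unchecked, empty password: success=" + before.success);   // true
        System.out.println("checked, empty password:   success=" + after.success
                           + " errno=" + after.errno);                                // false, 121
        System.out.println("checked, real password:    success=" + valid.success);    // true
    }
}
```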