This repository has been archived by the owner on Feb 12, 2023. It is now read-only.

User without a password cause a 500 when authenticating #472

Open
seadowg opened this issue Jun 7, 2019 · 0 comments

seadowg commented Jun 7, 2019

Software and hardware versions

Ubuntu 18.04 x64 on DigitalOcean, Aggregate v2.0.3, Java OpenJDK 1.8.0_212

Problem description

Trying to authenticate as a user that hasn't had a password set for them results in a 500 error.

This actually shows to the user in Collect as a 500 but Briefcase shows the standard "incorrect credentials" error.

Steps to reproduce the problem

I found this playing around in Collect but the easiest way to reproduce is:

  1. Log in as an Admin to Aggregate on the web
  2. Add a new user with just a username - do not set a password
  3. Log out
  4. Log back in as your new user

You'll see a 500 error page.

Expected behavior

Could go a few ways on this:

  1. Aggregate accepts blank password users and so either ignores the submitted password or matches "". Not sure that's a great idea.
  2. Aggregate doesn't allow the user to create a user without a password - it looks like this would require a slightly different user creation flow.
  3. Aggregate sends a different error back in this case so the user knows they have not been set up correctly.

Other information

Here's the stack trace:

```
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: User test does not have a password configured. You must close and re-open your browser to clear this error.
	org.opendatakit.common.security.spring.UserDetailsServiceImpl.loadUserByUsername(UserDetailsServiceImpl.java:172)
	org.springframework.security.web.authentication.www.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:159)
	org.opendatakit.common.security.spring.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:37)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.opendatakit.common.security.spring.OutOfBandUserFilter.doFilter(OutOfBandUserFilter.java:102)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.opendatakit.common.security.spring.Oauth2ResourceFilter.doFilter(Oauth2ResourceFilter.java:344)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:157)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
```

And a screenshot:

Screenshot 2019-06-07 at 10 59 52

seadowg changed the title from "User without password cause a 500 when authenticating" to "User without a password cause a 500 when authenticating" on Jun 7, 2019
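
An added example, not part of the original issue and not Aggregate's code: a hypothetical `PasswordRequiredUserDetailsService` wrapper that turns the exception seen in the stack trace above into an ordinary failed login. It assumes the Spring Security digest filter answers `UsernameNotFoundException` with its usual 401 challenge; the class name and the message text are made up for illustration.

```java
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical wrapper (not Aggregate code): an account with no stored
 * password fails authentication like an unknown user instead of letting
 * an unhandled exception escape the filter chain as a 500.
 */
public class PasswordRequiredUserDetailsService implements UserDetailsService {

    private final UserDetailsService delegate;

    public PasswordRequiredUserDetailsService(UserDetailsService delegate) {
        this.delegate = delegate;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user;
        try {
            user = delegate.loadUserByUsername(username);
        } catch (AuthenticationCredentialsNotFoundException e) {
            // The exception type reported in the stack trace: the delegate
            // found the account but it has no password configured.
            throw unusable(e);
        }
        // Also cover delegates that return the record with a missing password.
        String password = (user == null) ? null : user.getPassword();
        if (password == null || password.isEmpty()) {
            throw unusable(null);
        }
        return user;
    }

    private static UsernameNotFoundException unusable(Throwable cause) {
        // One generic message for every case, so the response does not
        // reveal which usernames exist without a password; the cause is
        // kept on the exception for server-side logging.
        return new UsernameNotFoundException("Bad credentials", cause);
    }
}
```

Registering the wrapper in place of the existing service is deployment-specific and not shown; rejecting a blank password when the user is created would remove the case at its source.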