Solved. Sadly, that's how it works. It's stated as below in the Oracle docs:
If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied.
This causes a serious security breach. But, I guess it is left to the application to validate.
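
One way for an application to do that validation before it ever calls JNDI, as an added example that is not part of the original post or the Oracle docs. The class name, method names and the choice to return false rather than throw are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class LdapSimpleBind {  // hypothetical helper class

    /** True only if the server accepted a simple bind with a non-empty DN and password. */
    public static boolean authenticate(String ldapUrl, String userDn, char[] password)
            throws NamingException {
        // Reject before touching JNDI: a null or empty credential is sent as
        // authentication "none", so the bind would succeed without a password.
        if (!hasCredentials(userDn, password)) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);  // performs the LDAP bind
            return true;
        } catch (AuthenticationException e) {
            return false;                      // directory rejected the DN/password
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    /** Guard: both the bind DN and the password must be present and non-empty. */
    static boolean hasCredentials(String userDn, char[] password) {
        return userDn != null && !userDn.trim().isEmpty()
                && password != null && password.length > 0;
    }

    public static void main(String[] args) {
        String dn = "uid=alice,ou=people,dc=example,dc=test";  // constructed sample DN
        System.out.println(hasCredentials(dn, new char[0]));        // empty password
        System.out.println(hasCredentials(dn, null));               // null password
        System.out.println(hasCredentials("", "x".toCharArray()));  // empty DN
        System.out.println(hasCredentials(dn, "s3cret".toCharArray()));
    }
}
```

Connection failures and other non-authentication `NamingException`s propagate to the caller, so an unreachable directory is never treated as a successful login.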