diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/CredentialRestApi.java b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/CredentialRestApi.java index b1a4d17a837..6904a32a28b 100644 --- a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/CredentialRestApi.java +++ b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/CredentialRestApi.java @@ -63,10 +63,15 @@ public CredentialRestApi(Credentials credentials) { @PUT public Response putCredentials(String message) throws IOException { Map messageMap = gson.fromJson(message, - new TypeToken>(){}.getType()); + new TypeToken>(){}.getType()); String entity = messageMap.get("entity"); String username = messageMap.get("username"); String password = messageMap.get("password"); + + if (entity == null || username == null || password == null) { + return new JsonResponse(Status.BAD_REQUEST, "", "").build(); + } + String user = SecurityUtils.getPrincipal(); logger.info("Update credentials for user {} entity {}", user, entity); UserCredentials uc = credentials.getUserCredentials(user); diff --git a/zeppelin-server/src/test/java/org/apache/zeppelin/rest/CredentialsRestApiTest.java b/zeppelin-server/src/test/java/org/apache/zeppelin/rest/CredentialsRestApiTest.java new file mode 100644 index 00000000000..674c47e5f7c --- /dev/null +++ b/zeppelin-server/src/test/java/org/apache/zeppelin/rest/CredentialsRestApiTest.java 
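Review bot: The guard added to putCredentials rejects only null fields, so it misses two inputs a client can easily send: empty strings and an empty request body. The credential.controller.js hunk of this commit initialises the three scope fields to `''`, so an untouched form now submits empty strings, which pass `entity == null || username == null || password == null` and appear to continue on to the credential update. For an empty body Gson's `fromJson` returns null, so `messageMap.get("entity")` would throw before the guard runs. Checking `messageMap == null` first and extending each test to the form `entity == null || entity.isEmpty()` closes both gaps, and a non-empty message in the `JsonResponse` would tell the caller what was rejected. The rest of putCredentials lies outside the hunk, so how the values are stored is not visible here.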
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zeppelin.rest;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.httpclient.methods.PutMethod;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
+
+public class CredentialsRestApiTest extends AbstractTestRestApi {
+ Gson gson = new Gson();
+
+ @BeforeClass
+ public static void init() throws Exception {
+ AbstractTestRestApi.startUp();
+ }
+
+ @AfterClass
+ public static void destroy() throws Exception {
+ AbstractTestRestApi.shutDown();
+ }
+
+ @Test
+ public void testInvalidRequest() throws IOException {
+ String jsonInvalidRequestEntityNull = "{\"entity\" : null, \"username\" : \"test\", \"password\" : \"testpass\"}";
+ String jsonInvalidRequestNameNull = "{\"entity\" : \"test\", \"username\" : null, \"password\" : \"testpass\"}";
+ String jsonInvalidRequestPasswordNull = "{\"entity\" : \"test\", \"username\" : \"test\", \"password\" : null}";
+ String jsonInvalidRequestAllNull = "{\"entity\" : null, \"username\" : null, \"password\" : null}";
+
+ PutMethod entityNullPut = httpPut("/credential", jsonInvalidRequestEntityNull);
+ entityNullPut.addRequestHeader("Origin", "http://localhost");
+ assertThat(entityNullPut, isBadRequest());
+ entityNullPut.releaseConnection();
+
+ PutMethod nameNullPut = httpPut("/credential", jsonInvalidRequestNameNull);
+ nameNullPut.addRequestHeader("Origin", "http://localhost");
+ assertThat(nameNullPut, isBadRequest());
+ nameNullPut.releaseConnection();
+
+ PutMethod passwordNullPut = httpPut("/credential", jsonInvalidRequestPasswordNull);
+ passwordNullPut.addRequestHeader("Origin", "http://localhost");
+ assertThat(passwordNullPut, isBadRequest());
+ passwordNullPut.releaseConnection();
+
+ PutMethod allNullPut = httpPut("/credential", jsonInvalidRequestAllNull);
+ allNullPut.addRequestHeader("Origin", "http://localhost");
+ assertThat(allNullPut, isBadRequest());
+ allNullPut.releaseConnection();
+ }
+
+}
+
diff --git a/zeppelin-web/src/app/credential/credential.controller.js b/zeppelin-web/src/app/credential/credential.controller.js
index 4bb89f044d5..11dff3e1aa3 100644
--- a/zeppelin-web/src/app/credential/credential.controller.js
+++ b/zeppelin-web/src/app/credential/credential.controller.js
@@ -18,6 +18,10 @@ angular.module('zeppelinWebApp').controller('CredentialCtrl', function($scope, $ $http, baseUrlSrv) { $scope._ = _; + $scope.credentialEntity = ''; + $scope.credentialUsername = ''; + $scope.credentialPassword = ''; + $scope.updateCredentials = function() { $http.put(baseUrlSrv.getRestApiBase() + '/credential', { 'entity': $scope.credentialEntity,
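Review bot: testInvalidRequest in CredentialsRestApiTest.java covers only explicit JSON nulls, so it does not pin the cases most likely to reach the endpoint: an absent key, an empty string, an empty body, and a valid request that must still succeed. Each `addRequestHeader("Origin", "http://localhost")` call comes after `httpPut(...)` has returned; if httpPut already executes the request, as passing its result straight to `isBadRequest()` suggests, the header is never sent and those lines can go. The `Gson`, `TypeToken`, `GetMethod`, `Map` and `assertEquals` imports and the `gson` field are unused in the file and should be dropped. `releaseConnection()` belongs in a `finally` so that a failed assertion does not leak the connection.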