[ https://issues.apache.org/jira/browse/ZOOKEEPER-4839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17856112#comment-17856112 ]
wstcjmg commented on ZOOKEEPER-4839:
------------------------------------

!image-2024-06-19-11-03-30-744.png!

> When DigestMD5 is used to enable mandatory client authentication, users that
> do not exist can log in
> ---------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4839
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4839
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Affects Versions: 3.5.10, 3.9.2
> Reporter: wstcjmg
> Priority: Minor
> Attachments: image-2024-06-19-11-03-30-744.png
>
>
> When DigestMD5 is used to enable mandatory client authentication, consider
> the following scenario: after successfully logging in with the correct user
> and password for the first time, change the user but keep the correct password
> from the last time, and you can still log in normally. I looked at both
> versions 3.5.10 and 3.9.2. See the server-side code of the class
> SaslServerCallbackHandler. A global private variable called userName is
> defined, but in the handleNameCallback method, if the given user name is not
> configured, it simply returns without updating userName. This results in the
> handlePasswordCallback method still using the userName of the last successful
> login for the lookup, so it naturally finds the last password and the
> comparison succeeds.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
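As an added illustration, not ZooKeeper's own SaslServerCallbackHandler, the following hypothetical simplified server-side CallbackHandler reproduces the stale userName behaviour described in the report and shows the mitigation of clearing the stored name whenever the requested user is not configured. The class name, the in-memory credentials map and the sample users are assumptions made for the demonstration.

```java
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
/** Hypothetical server-side callback handler; not ZooKeeper's SaslServerCallbackHandler. */
public class StaleUserCallbackHandler implements CallbackHandler {
    private final Map<String, String> credentials; // constructed user -> password table
    private final boolean clearOnUnknownUser;      // false = the reported defect, true = the fix
    private String userName;                       // state that survives across SASL exchanges
    public StaleUserCallbackHandler(Map<String, String> credentials, boolean clearOnUnknownUser) {
        this.credentials = credentials;
        this.clearOnUnknownUser = clearOnUnknownUser;
    }
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) { // DIGEST-MD5 hands over NameCallback before PasswordCallback
            if (cb instanceof NameCallback) handleName((NameCallback) cb);
            else if (cb instanceof PasswordCallback) handlePassword((PasswordCallback) cb);
            else throw new UnsupportedCallbackException(cb);
        }
    }
    private void handleName(NameCallback nc) {
        String requested = nc.getDefaultName();
        if (!credentials.containsKey(requested)) {
            // Defect: returning here leaves userName at the previous successful login.
            if (clearOnUnknownUser) userName = null; // Mitigation: forget the stale name.
            return;
        }
        userName = requested;
        nc.setName(requested);
    }
    private void handlePassword(PasswordCallback pc) {
        // With the defect, userName still names the earlier user, so its password is handed out.
        pc.setPassword(userName == null ? null : credentials.get(userName).toCharArray());
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> creds = Map.of("alice", "s3cret"); // constructed sample credentials
        for (boolean fixed : new boolean[] {false, true}) {
            StaleUserCallbackHandler h = new StaleUserCallbackHandler(creds, fixed);
            h.handle(new Callback[] {new NameCallback("u", "alice"), new PasswordCallback("p", false)});
            PasswordCallback pc = new PasswordCallback("p", false);
            h.handle(new Callback[] {new NameCallback("u", "mallory"), pc}); // unknown user, second exchange
            System.out.println((fixed ? "fixed" : "buggy") + ": password found for unknown user = "
                + (pc.getPassword() != null));
        }
    }
}
```

With the defect enabled the second exchange is answered with alice's password even though "mallory" is not configured, which is exactly what lets the digest comparison succeed; with the mitigation the password callback receives null and the authentication cannot complete.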