[ https://issues.apache.org/jira/browse/ZOOKEEPER-4839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17856112#comment-17856112 ]

wstcjmg commented on ZOOKEEPER-4839:
------------------------------------

!image-2024-06-19-11-03-30-744.png!

> When DigestMD5 is used to enable mandatory client authentication, users that 
> do not exist can log in
> ---------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4839
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4839
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.5.10, 3.9.2
>            Reporter: wstcjmg
>            Priority: Minor
>         Attachments: image-2024-06-19-11-03-30-744.png
>
>
> When DigestMD5 is used to enable mandatory client authentication, consider 
> the following scenario: after successfully logging in with the correct user 
> and password for the first time, change the user but keep the correct password 
> from the last time, and you can still log in normally. I looked at both 
> versions 3.5.10 and 3.9.2; see the server-side code of the class 
> SaslServerCallbackHandler. A global private variable called userName is 
> defined, but in the handleNameCallback method, if the given user name is not 
> configured, it simply returns without updating userName. This results in the 
> handlePasswordCallback method still using the userName of the last successful 
> login for the lookup, so it naturally finds the last password, and the 
> comparison succeeds.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
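To make the defect in the description concrete, here is an added illustration (hypothetical code, not ZooKeeper's own SaslServerCallbackHandler) of a DIGEST-MD5 server-side CallbackHandler with the state-retention problem fixed; the inline comments mark what the defective variant did. The class name, method names and the credential map are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
/** Hypothetical DIGEST-MD5 server callback handler; the credential map is a constructed sample. */
public class DigestCallbackHandler implements CallbackHandler {
    private final Map<String, String> credentials; // user -> password
    private String userName;                       // must only ever describe the current attempt

    public DigestCallbackHandler(Map<String, String> credentials) { this.credentials = credentials; }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        userName = null; // fix 1: drop whatever the previous attempt on this handler resolved
        for (Callback cb : callbacks) {
            if (cb instanceof RealmCallback) {
                RealmCallback rc = (RealmCallback) cb;
                rc.setText(rc.getDefaultText());
            } else if (cb instanceof NameCallback) {
                handleName((NameCallback) cb);
            } else if (cb instanceof PasswordCallback) {
                handlePassword((PasswordCallback) cb);
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    private void handleName(NameCallback nc) {
        String requested = nc.getDefaultName();
        // Defective variant: a bare 'return' here left userName holding the last successful
        // login's name, so the password step below looked up that user's password instead.
        if (requested == null || !credentials.containsKey(requested)) {
            userName = null; // fix 2: an unknown name resolves to no user at all
            return;
        }
        nc.setName(requested);
        userName = requested;
    }

    private void handlePassword(PasswordCallback pc) {
        if (userName == null) return; // fix 3: no password set -> the SASL server rejects the response
        pc.setPassword(credentials.get(userName).toCharArray());
    }
}
```

Because the JDK's DIGEST-MD5 server computes the expected response from the password the handler supplies, leaving the PasswordCallback empty for an unknown name fails the authentication closed instead of reusing a stale user's secret.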