wstcjmg created ZOOKEEPER-4839:
----------------------------------
Summary: When DigestMD5 is used to enable mandatory client
authentication, users that do not exist can log in
Key: ZOOKEEPER-4839
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4839
Project: ZooKeeper
Issue Type: Bug
Components: security
Affects Versions: 3.9.2, 3.5.10
Reporter: wstcjmg
When DigestMD5 is used to enable mandatory client authentication, consider the
following scenario: after successfully logging in with the correct user name and
password for the first time, change the user name but keep the password from the
last login, and you can still log in normally. I looked at both versions 3.5.10
and 3.9.2. See the server-side code of the class SaslServerCallbackHandler. A
class-level private variable called userName is defined, but in the
handleNameCallback method, if the given user name is not configured, the method
simply returns without updating userName. As a result, the handlePasswordCallback
method still uses the userName of the last successful login for the lookup,
naturally finds the last password, and the comparison succeeds.
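The stale-state pattern described above, as an added example that is not ZooKeeper's own code: a server-side CallbackHandler shaped like the report (a userName field that handleNameCallback only updates for a configured user), with a switch that makes it clear that field on every name callback so an unconfigured user can never inherit the previous login's password. The credential store, the user names and the password are constructed; the login() method is a stand-in for the JDK DIGEST-MD5 server's verification step and only models its accept/reject decision.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not ZooKeeper's code. DigestHandler keeps the last user name in
 * a field, as the report describes; with resetOnEachLogin=true it forgets that
 * name before every lookup, so an unknown user fails closed instead of being
 * checked against the previous user's password.
 */
public class StaleUserCallbackDemo {

    /** Constructed credential store (hypothetical user and password). */
    static final Map<String, String> CREDENTIALS = new HashMap<>();
    static { CREDENTIALS.put("super", "s3cret"); }

    static class DigestHandler implements CallbackHandler {
        private final boolean resetOnEachLogin;
        private String userName;   // shared across every login this handler serves

        DigestHandler(boolean resetOnEachLogin) { this.resetOnEachLogin = resetOnEachLogin; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    handleNameCallback((NameCallback) cb);
                } else if (cb instanceof PasswordCallback) {
                    handlePasswordCallback((PasswordCallback) cb);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }

        private void handleNameCallback(NameCallback nc) {
            if (resetOnEachLogin) {
                userName = null;   // hardened: forget whoever logged in last
            }
            String candidate = nc.getDefaultName();   // the name the client sent
            if (!CREDENTIALS.containsKey(candidate)) {
                return;            // reported pattern: returns without touching userName
            }
            nc.setName(candidate);
            userName = candidate;
        }

        private void handlePasswordCallback(PasswordCallback pc) {
            // Looks up whatever userName currently holds; with a stale value this
            // hands the server the previous user's password.
            if (userName != null && CREDENTIALS.containsKey(userName)) {
                pc.setPassword(CREDENTIALS.get(userName).toCharArray());
            }
            // Otherwise no password is set and the verification below cannot succeed.
        }
    }

    /**
     * Stand-in for the SASL server's DIGEST-MD5 verification step: it issues a
     * NameCallback whose default name is the client-supplied user, then a
     * PasswordCallback, and accepts the login only if the secret the handler
     * returned matches the one the client used. The real server compares MD5
     * digests computed over these values; the accept/reject decision is the same.
     */
    static boolean login(CallbackHandler handler, String user, String clientPassword)
            throws UnsupportedCallbackException {
        NameCallback nc = new NameCallback("DIGEST-MD5 authentication ID: ", user);
        PasswordCallback pc = new PasswordCallback("DIGEST-MD5 password: ", false);
        handler.handle(new Callback[] { nc, pc });
        char[] serverSecret = pc.getPassword();
        return serverSecret != null && Arrays.equals(serverSecret, clientPassword.toCharArray());
    }

    public static void main(String[] args) throws UnsupportedCallbackException {
        for (boolean reset : new boolean[] { false, true }) {
            CallbackHandler handler = new DigestHandler(reset);
            System.out.println((reset ? "resetting" : "stateful") + " handler:");
            // 1. a correct login populates userName
            System.out.println("  super/s3cret -> " + login(handler, "super", "s3cret"));
            // 2. an unconfigured user presenting the previous login's password
            System.out.println("  ghost/s3cret -> " + login(handler, "ghost", "s3cret"));
        }
    }
}
```

Running the stateful variant reproduces the report's sequence: the second call reaches handlePasswordCallback with userName still set to the first user, so the server is handed that user's password and the comparison passes. The resetting variant leaves the PasswordCallback unset for an unconfigured name, which is the behaviour a handler should have regardless of what the previous connection did; the general fix is to never let per-login state outlive the callback sequence it was set in.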
--
This message was sent by Atlassian Jira
(v8.20.10#820010)