tkiran opened a new pull request, #21301: URL: https://github.com/apache/kafka/pull/21301
This PR fixes a critical authentication bypass in PlainLoginModule, where login(), commit(), and logout() previously returned true unconditionally and did not perform any JAAS-compliant validation. In such a configuration, any authentication attempt could be treated as successful, effectively bypassing authentication.

Changes

- Store Subject and options in instance fields and introduce a loginSucceeded flag to track successful authentication.
- Update initialize(...) to assign these fields while preserving the existing behavior of adding username and password from options into the subject's credentials.
- Change login() to:
  - Validate that username and password are present and non-empty in options.
  - Verify that the Subject contains these credentials in public/private credentials.
  - Throw LoginException on any validation failure, and only set loginSucceeded = true on success.
- Change logout() to:
  - Return false if no successful login occurred.
  - On successful login, remove the configured credentials from the subject and reset loginSucceeded, returning true.
- Change commit() to return loginSucceeded and throw LoginException as per JAAS semantics.
- Change abort() to:
  - Return false if no successful login occurred.
  - Roll back by removing credentials from the subject and resetting loginSucceeded when aborting an in-progress login.
- Add a helper method to safely remove credentials from the subject without concurrent modification.

Security impact

- Ensures that authentication cannot silently succeed without valid, configured credentials.
- Aligns the module with JAAS best practices by using LoginException for failures, tracking login state, and cleaning up credentials on logout/abort.
- Addresses CWE-287 (Improper Authentication) and removes the identified AuthBypass condition.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
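The JAAS state handling the PR describes, as an added example that is not the PR's or Kafka's code: a hypothetical StrictPlainLoginModule whose commit(), abort() and logout() report what login() actually validated, rather than returning true unconditionally. It assumes the option keys "username" and "password" and that their values are strings.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical module (not Kafka's PlainLoginModule): commit/abort/logout
// report the state that login() actually established instead of "true".
public class StrictPlainLoginModule implements LoginModule {
    private Subject subject;
    private String username, password;
    private boolean loginSucceeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.username = (String) options.get("username");
        this.password = (String) options.get("password");
        this.loginSucceeded = false;
        if (username != null) subject.getPublicCredentials().add(username);   // as before
        if (password != null) subject.getPrivateCredentials().add(password);  // as before
    }

    @Override
    public boolean login() throws LoginException {
        if (username == null || username.isEmpty() || password == null || password.isEmpty())
            throw new LoginException("username and password must be configured and non-empty");
        if (!subject.getPublicCredentials().contains(username)
                || !subject.getPrivateCredentials().contains(password))
            throw new LoginException("configured credentials are missing from the Subject");
        loginSucceeded = true; // the only path that reports success
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        return loginSucceeded; // false means "ignore this module", never "succeed"
    }
    @Override
    public boolean abort() { return loginSucceeded && clearCredentials(); }
    @Override
    public boolean logout() { return loginSucceeded && clearCredentials(); }

    // Subject credential sets are synchronized; remove(Object) never iterates them.
    private boolean clearCredentials() {
        subject.getPublicCredentials().remove(username);
        subject.getPrivateCredentials().remove(password);
        loginSucceeded = false;
        return true;
    }
}
```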
