kezhuw commented on code in PR #2176:
URL: https://github.com/apache/zookeeper/pull/2176#discussion_r1704913717
##########
zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java:
##########
@@ -90,6 +90,11 @@ private void handleNameCallback(NameCallback nc) {
// check to see if this user is in the user password database.
if (credentials.get(nc.getDefaultName()) == null) {
LOG.warn("User '{}' not found in list of DIGEST-MD5
authenticateable users.", nc.getDefaultName());
+ // ZOOKEEPER-4839
+ // Incorrect usernames also need to be stored
+ // in order to clear the usernames of previously
+ // successfully logged-in users.
+ userName = nc.getDefaultName();
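Review bot: the assignment at `+ userName = nc.getDefaultName();` deliberately stores a name that `credentials.get(...)` has just returned null for, but the comment only says the old value must be overwritten, not what the later callbacks are expected to do with the unknown name; spell out the contract so the next reader does not revert it, e.g. `// Overwrite any userName left by an earlier successful login on this handler so the password/authorize callbacks fail closed for this unknown user.` Since `userName` is instance state on a handler that the review comment below says is shared between concurrent `ServerCnxn`s, an unknown-user callback on one connection can now also overwrite the name of an in-flight login on another; keeping per-login state per connection (or cloning the handler) would remove both the stale-credential bug and that interleaving.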
Review Comment:
I saw one `SaslServerCallbackHandler` was shared among multiple concurrent
`ServerCnxn`s. I think we probably should resort to some form of copy/clone to
not share mutable state among multiple `ServerCnxn`s.
This applies to `SaslQuorumServerCallbackHandler` too.
##########
zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandlerTest.java:
##########
@@ -0,0 +1,43 @@
+package org.apache.zookeeper.server.auth;
+
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
+import javax.security.auth.login.Configuration;
+import org.junit.Test;
+
+public class SaslServerCallbackHandlerTest {
+
+ @Test
+ public void wrongUserNameShouldClearUserCredential() throws IOException,
UnsupportedCallbackException {
+ Configuration configuration = mock(Configuration.class);
+ Map<String, String> userCredentials = new HashMap<>();
+ userCredentials.put("user_exist_user", "password");
+ AppConfigurationEntry appConfigurationEntry = new
AppConfigurationEntry("test-module", LoginModuleControlFlag.REQUIRED,
userCredentials);
+ when(configuration.getAppConfigurationEntry("Server")).thenReturn(new
AppConfigurationEntry[]{appConfigurationEntry});
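Review bot: the setup at `+ Configuration configuration = mock(Configuration.class);` mocks JAAS `Configuration` to return a single `AppConfigurationEntry` for the "Server" section, and the imported `verify`/`times` matchers suggest the test checks mock interactions; the property the test is named for (`wrongUserNameShouldClearUserCredential`) is better asserted on observable callback results: handle a `NameCallback` for `exist_user` (the `user_exist_user` entry), then one for a name not in the map, and assert on what the subsequent `PasswordCallback` receives for the second user. A small concrete `Configuration` subclass returning the entry would also avoid the mock, as the review comment suggests.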
Review Comment:
It would be nice to avoid mocks. I saw multiple "Sasl*Test". I think they
might be helpful.
--
This is an automated message from the Apache Git Service.