
When DigestMD5 is used to enable mandatory client authentication, users that do not exist can log in


Details

    Description

      When DigestMD5 is used to enable mandatory client authentication, consider the following scenario: after successfully logging in with the correct user and password for the first time, change the user but keep the correct password from the last time, and you can still log in normally. I looked at both versions 3.5.10 and 3.9.2. See the server-side code of the class SaslServerCallbackHandler. A global private variable called userName is defined, but in the handleNameCallback method, if the given user name is not configured, it simply returns without updating userName. This results in the handlePasswordCallback method still using the userName of the last successful login for the lookup; naturally it finds the last password, and the comparison succeeds.
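      The following is a constructed Java illustration of the stale-state pattern the report describes, added here for readers; it is not ZooKeeper's code, and the class names, credential table and user names (alice, mallory) are hypothetical. It contrasts a callback handler that keeps the authenticated user in a field shared across SASL exchanges with one that keeps the name local to a single handle() call, so a name that is not configured can never fall back to the previous user's password.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Constructed demo of the stale-userName pattern; not ZooKeeper's SaslServerCallbackHandler.
public class StaleUserNameDemo {

    // Constructed credential table with a single hypothetical user.
    static final Map<String, String> CREDENTIALS = new HashMap<>();
    static { CREDENTIALS.put("alice", "alice-secret"); }

    /** Mirrors the reported defect: userName is a field that survives across exchanges. */
    static class StaleFieldHandler implements CallbackHandler {
        private String userName; // shared mutable state, reused by the next authentication

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    NameCallback nc = (NameCallback) cb;
                    String requested = nc.getDefaultName();
                    if (!CREDENTIALS.containsKey(requested)) {
                        continue; // defect: unknown user leaves the previous userName in place
                    }
                    userName = requested;
                    nc.setName(requested);
                } else if (cb instanceof PasswordCallback) {
                    // Looks up whatever userName holds, possibly the previous caller's name.
                    String pw = CREDENTIALS.get(userName);
                    if (pw != null) {
                        ((PasswordCallback) cb).setPassword(pw.toCharArray());
                    }
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Corrected pattern: the name lives only for the duration of one handle() call. */
    static class LocalNameHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            String userName = null; // no state outlives this exchange
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    NameCallback nc = (NameCallback) cb;
                    String requested = nc.getDefaultName();
                    if (CREDENTIALS.containsKey(requested)) {
                        userName = requested;
                        nc.setName(requested);
                    }
                    // Unknown user: userName stays null, so no password can be released below.
                } else if (cb instanceof PasswordCallback) {
                    String pw = userName == null ? null : CREDENTIALS.get(userName);
                    if (pw != null) {
                        ((PasswordCallback) cb).setPassword(pw.toCharArray());
                    }
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Simulates one DIGEST-MD5 server exchange and reports whether a password was released. */
    static boolean passwordReleased(CallbackHandler handler, String clientUser)
            throws IOException, UnsupportedCallbackException {
        NameCallback nc = new NameCallback("username", clientUser);
        PasswordCallback pc = new PasswordCallback("password", false);
        handler.handle(new Callback[] { nc, pc });
        return pc.getPassword() != null;
    }

    public static void main(String[] args) throws Exception {
        for (CallbackHandler h : new CallbackHandler[] { new StaleFieldHandler(), new LocalNameHandler() }) {
            String name = h.getClass().getSimpleName();
            // First exchange with a configured user, then a second with an unconfigured one.
            System.out.println(name + " alice -> password released: " + passwordReleased(h, "alice"));
            System.out.println(name + " mallory -> password released: " + passwordReleased(h, "mallory"));
        }
    }
}
```

      Run the main method to see the two handlers side by side: each is driven first with the configured user and then with an unconfigured one, and the output shows whether the second exchange obtained a password from the callback. The defender's check is the same in any SASL server: a callback handler instance that is shared across connections must not carry per-authentication state in fields, and an unknown user must leave the password callback empty so the server-side comparison cannot succeed.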

      People

              luoxin luoxin
              wstcjmg wstcjmg


      Time Tracking

        Estimated: Not Specified
        Remaining: 0h
        Logged: 4.5h