While looking at the SaslAuth plugin I noticed some inconsistencies in the code. I am not sure if I understand it correctly; please review the code and fix if necessary:
process(...) method.
There is a condition: if(session.isAuthorized()) {…} which, if true, logs the user out and closes the stream and TCP/IP connection, but then there is no if-else statement or return from the method and it continues to process SASL requests. This seems incorrect. The stream and connection would be closed anyway, but processing a SASL request in such a case is a waste of resources.