mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-07 20:52:13 +00:00
Previously authenticating a user could take significantly longer than determining that a user does not exist. This was due to the fact that only users that were found would use the password encoder and comparing a password can take a significant amount of time. The difference in the time required could allow a side channel attack that reveals if a user exists. The code has been updated to do comparison against a dummy password even when the user was not found.
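The mitigation described in the commit message, as an added example that is not Spring Security's own code: a lookup miss is checked against a dummy hash encoded once at startup, so both paths run the password hash exactly once. It assumes PBKDF2 from the JDK and Java 16+; the class, record, field names, dummy password and sample users are hypothetical and constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class DummyPasswordCheck {
    record Stored(byte[] salt, byte[] hash) {}       // hypothetical credential record
    static final int ITERATIONS = 210_000;           // assumed PBKDF2 work factor
    static final SecureRandom RNG = new SecureRandom();
    static final Map<String, Stored> USERS = new HashMap<>();
    static int kdfCalls = 0;                         // instrumentation for the demo only
    // Encoded once at startup and compared against whenever the username is unknown.
    static final Stored DUMMY = encode("dummy-password-for-unknown-users".toCharArray());

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            kdfCalls++;
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static Stored encode(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new Stored(salt, pbkdf2(password, salt));
    }
    static boolean authenticate(String username, char[] presented) {
        Stored stored = USERS.get(username);
        boolean found = stored != null;
        Stored target = found ? stored : DUMMY;      // unknown user pays the same hashing cost
        byte[] candidate = pbkdf2(presented, target.salt());
        boolean matches = MessageDigest.isEqual(candidate, target.hash()); // constant-time compare
        return found & matches;                      // a match on the dummy never authenticates
    }

    public static void main(String[] args) {
        USERS.put("alice", encode("correct horse".toCharArray()));  // constructed sample user
        for (String user : new String[] {"alice", "nobody"}) {
            kdfCalls = 0;
            boolean ok = authenticate(user, "wrong guess".toCharArray());
            System.out.println(user + ": authenticated=" + ok + ", kdfCalls=" + kdfCalls);
        }
    }
}
```

The dummy hash must use the same algorithm and work factor as real credentials; otherwise the unknown-user path still finishes in a measurably different time.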