Rob Winch 915b2acf73 SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.

The code has been updated to do a comparison against a dummy password
even when the user was not found.

Conflicts:

	core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
2012-10-08 07:45:02 -05:00
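To make the side channel described in the commit message concrete, here is a stand-alone Java example added for this page (not Spring Security's code): a deliberately slow encoder, a constructed in-memory user store, and a precomputed dummy hash (`USER_NOT_FOUND_ENCODED_PASSWORD`, modelled on the idea in the fix) so that an unknown-user miss costs as much as a real comparison. The class, method and constant names are assumptions for the demo; `main` prints the timings of both paths before and after the fix.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

public class Sec2056TimingDemo {
    static final int ROUNDS = 300_000; // iterated SHA-256 as a deliberately slow stand-in for a password hash

    static byte[] encode(String raw) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] h = raw.getBytes(StandardCharsets.UTF_8);
            for (int i = 0; i < ROUNDS; i++) h = md.digest(h);
            return h;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    // Compares a stored hash with a freshly encoded guess; the cost is dominated by encode().
    static boolean isPasswordValid(byte[] encoded, String raw) {
        return MessageDigest.isEqual(encoded, encode(raw));
    }
    // Hash of a fixed dummy password, computed once, so a miss can be made to cost as much as a hit.
    static final byte[] USER_NOT_FOUND_ENCODED_PASSWORD = encode("userNotFoundPassword");

    // compareWhenNotFound=false models the pre-fix path, true models the SEC-2056 behaviour.
    static boolean authenticate(Map<String, byte[]> users, String username, String presented,
                                boolean compareWhenNotFound) {
        byte[] stored = users.get(username);
        if (stored == null) {
            if (compareWhenNotFound) {
                isPasswordValid(USER_NOT_FOUND_ENCODED_PASSWORD, presented); // result discarded
            }
            return false; // unknown user now takes as long as a wrong password for a known user
        }
        return isPasswordValid(stored, presented);
    }
    static long millis(Map<String, byte[]> users, String user, boolean fixed) {
        long t0 = System.nanoTime();
        authenticate(users, user, "wrong-password", fixed);
        return (System.nanoTime() - t0) / 1_000_000L;
    }

    public static void main(String[] args) {
        Map<String, byte[]> users = Map.of("alice", encode("correct horse")); // constructed user store
        for (boolean fixed : new boolean[] {false, true}) {
            System.out.printf("%s: known user %d ms, unknown user %d ms%n", fixed ? "fixed" : "original",
                    millis(users, "alice", fixed), millis(users, "nobody", fixed));
        }
    }
}
```

Before the fix the unknown-user call returns in roughly 0 ms while the known-user call pays the full hashing cost; after the fix both take about the same time, which is the property a defender should verify when reviewing a login path.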
2012-10-02 11:20:40 -05:00