mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-11 21:03:31 +00:00
c076f0f2e1
Previously authenticating a user could take significantly longer than determining that a user does not exist. This was due to the fact that only users that were found would use the password encoder and comparing a password can take a significant amount of time. The difference in the time required could allow a side channel attack that reveals if a user exists. The code has been updated to do comparison against a dummy password even when the the user was not found.