root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 18 Packages Projects Releases Wiki Activity
spring-security/core
History
Rob Winch 915b2acf73 SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found 
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.

The code has been updated to do comparison against a dummy password
even when the the user was not found.

Conflicts:

	core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
 		2012-10-08 07:45:02 -05:00
..
src SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found 2012-10-08 07:45:02 -05:00
core.gradle Updates for 3.0.x autorepo support 2012-10-02 11:20:40 -05:00
pom.xml Updates for 3.0.x autorepo support 2012-10-02 11:20:40 -05:00
template.mf Updates for 3.0.x autorepo support 2012-10-02 11:20:40 -05:00