DaoAuthenticationProvider protects against timing attacks by encoding an internally-generated password in lieu of the user's password when the user is not found, allowing both found and not-found paths to take approximately the same time.
It would be nice to have this noted in https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/dao-authentication-provider.html and explained in https://docs.spring.io/spring-security/reference/servlet/exploits/index.html.
Some notes about it to consider:
- DaoAuthenticationProvider uses whatever password encoder the website uses for users, giving a strong guarantee that the not-found and found paths will take the same order-of-magnitude time to execute.
- There are limits to when this same timing is plausible, though. For example, with a database that has more than one kind of password hash in it, Spring Security cannot anticipate how long to take in the not-found scenario, since there are multiple found scenarios that take orders-of-magnitude different amounts of time. The best defense here is to upgrade your users' passwords to a modern password algorithm.
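As an added illustration (not Spring Security's own code), here is the mitigation described above with a JDK PBKDF2 stand-in for the password encoder; the user store, the fixed salt, and the `userNotFoundPassword` dummy value are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class TimingSafeLogin {
    // Stand-in for a slow, salted password encoder (JDK PBKDF2); not Spring's PasswordEncoder.
    private static final int ITERATIONS = 100_000;
    private static final byte[] SALT = "demo-salt".getBytes(StandardCharsets.UTF_8); // constructed; real encoders use a random per-user salt
    static String encode(String raw) {
        try {
            PBEKeySpec spec = new PBEKeySpec(raw.toCharArray(), SALT, ITERATIONS, 256);
            byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(hash);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    static boolean matches(String raw, String encoded) {
        // Constant-time comparison so the compare step itself leaks nothing.
        return MessageDigest.isEqual(encode(raw).getBytes(StandardCharsets.UTF_8), encoded.getBytes(StandardCharsets.UTF_8));
    }
    // Constructed user store: username -> encoded password.
    private static final Map<String, String> USERS = Map.of("alice", encode("correct horse"));
    // Encoded once at startup so the not-found path does the same hashing work as the found path.
    private static final String USER_NOT_FOUND_ENCODED = encode("userNotFoundPassword");
    static boolean authenticate(String username, String presented) {
        String stored = USERS.get(username);
        if (stored == null) {
            matches(presented, USER_NOT_FOUND_ENCODED); // result discarded; only the elapsed time matters
            return false;
        }
        return matches(presented, stored);
    }
    static long millis(String user, String pw) {
        long t0 = System.nanoTime();
        authenticate(user, pw);
        return (System.nanoTime() - t0) / 1_000_000;
    }
    public static void main(String[] args) {
        authenticate("alice", "warm-up"); // JIT and SecretKeyFactory warm-up
        System.out.println("known user, wrong password: " + millis("alice", "wrong") + " ms");
        System.out.println("unknown user:               " + millis("nobody", "wrong") + " ms");
    }
}
```

Running it prints two timings of the same order of magnitude. If a legacy user's stored hash used a fast algorithm instead, that user's found path would finish far sooner than the PBKDF2 dummy, which is the mixed-hash mismatch the second note describes.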