I recently implemented some security enhancements in one of the Spring-based Java applications, and I redefined the Spring Security class AbstractUserDetailsAuthenticationProvider to do some extra processing around user authentication. During this process, I realized that the inner class DefaultPreAuthenticationChecks is performing user account checks before the authentication provider, using the method additionalAuthenticationChecks, which performs password verification. If the user is disconnected, expired or blocked, an exception will be thrown, and therefore the corresponding messages will be displayed on the screen. For me, checking the user account and providing information about this account before the password is successfully verified is a glaring security risk, as it can determine if a user account exists. Does anyone know a good reason why Spring Security might have done this? Obviously, I can simply override the class DefaultPreAuthenticationChecks by creating my own dummy class using a method check that does nothing, but it's a shame that this should be done first.
Thanks in advance.
PS: I found a question on a related note here, but no one seemed to ask why this potential security flaw exists.
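The workaround the question describes, as an added example (not code from the original post or from Spring Security itself): a DaoAuthenticationProvider whose pre-authentication checker is a no-op and whose account-status checks are moved to the post-authentication step, so that locked, disabled or expired states are only ever reported after the password has matched. The configuration class name, bean method and the injected UserDetailsService and PasswordEncoder are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

// Assumed configuration class; the UserDetailsService and PasswordEncoder
// beans are expected to be defined elsewhere in the application.
@Configuration
public class AuthProviderConfig {

    @Bean
    public DaoAuthenticationProvider authenticationProvider(UserDetailsService userDetailsService,
                                                            PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);

        // Replace DefaultPreAuthenticationChecks with a checker that does nothing,
        // so no locked/disabled/expired exception can be raised before the
        // supplied password has been compared against the stored hash.
        UserDetailsChecker noPreChecks = user -> { };
        provider.setPreAuthenticationChecks(noPreChecks);

        // Run the full set of account-status checks (locked, disabled, account
        // expired, credentials expired) only after a successful password match.
        // AccountStatusUserDetailsChecker is Spring Security's own implementation.
        provider.setPostAuthenticationChecks(new AccountStatusUserDetailsChecker());

        // Already the default: an unknown username is reported as
        // BadCredentialsException, so it is indistinguishable from a wrong password.
        provider.setHideUserNotFoundExceptions(true);
        return provider;
    }
}
```

The trade-off is that the password of a locked account is now verified on every attempt, and a correct guess yields LockedException instead of BadCredentialsException; the failure handler should therefore still map every AuthenticationException to one generic message so the distinct exception types never reach the screen.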