Java – why does spring security use the default pre authentication check?
I recently implemented some security improvements in a spring based Java application of my employer, and I have covered the abstractuserdetailsauthenticationprovider class of spring security to do some additional processing around user authentication During this process, I realized that the defaultpreauthenticationchecks internal class performs user account checks before the authentication provider runs the additionalauthenticationchecks method that validates the password If the user is disabled, expired or locked, an exception will be thrown, so the relevant message will be displayed on the screen For me, checking the user account and providing the details of this account before successfully verifying the password is an obvious security risk because it may expose the existence of the user account Does anyone know a good reason why spring security might do things this way? Obviously, I can override the defaultpreauthenticationchecks class by creating my own virtual class using a check method that does nothing, but unfortunately, this must be done first
Thank you in advance
PS: I found a problem in the relevant note here, but no one seems to ask why this potential security vulnerability exists
Solution
I think I'm a little late at the party, but in case someone is still thinking, the community actually has discussed this issue before
Quote from developers
tl; Dr: the community is aware of this problem, but they don't think it is a potential security vulnerability. On the contrary, they think it depends on "how you interpret different status flags". Yes, It's easy to change the default behavior, using setpostauthenticationchecks (userdetailschecker postauthenticationchecks) and setpreauthenticationchecks (userdetailschecker preauthenticationchecks)