https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Please read up on timing attacks. A Map lookup followed by a return will be noticeably faster than the authentication process.

Your proposed change would enable an attacker to determine:
- if an account was locked
- how many failed attempts it takes to lock an account
- how long the lock out period was

Exposing that information is considered a (minor) security vulnerability.
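The difference the comment describes, as an added Java sketch that is not part of the original message and is not Tomcat's code: one lockout wrapper returns straight after the Map lookup, the other always runs the credential check and uses the lock state only to decide whether the result is honoured. The class `LockoutGate`, its methods, the threshold and the sample credential are all hypothetical; the `verifierCalls` counter stands in for the time the real authentication would take.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;
// Hypothetical lockout wrapper for illustration; every name here is an assumption.
public class LockoutGate {
    private static final int MAX_FAILURES = 3;                  // constructed threshold
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();
    private final BiPredicate<String, String> verifier;         // the slow credential check
    int verifierCalls = 0;                                      // proxy for observable cost

    LockoutGate(BiPredicate<String, String> verifier) { this.verifier = verifier; }

    private boolean isLocked(String user) { return failures.getOrDefault(user, 0) >= MAX_FAILURES; }

    private boolean verify(String user, String password) {
        verifierCalls++;
        return verifier.test(user, password);
    }

    // Early return: a locked account is answered after only a Map lookup,
    // so its response costs less than the response for an unlocked account.
    boolean authenticateEarlyReturn(String user, String password) {
        if (isLocked(user)) return false;
        return record(user, verify(user, password));
    }

    // Uniform path: the credential check always runs, locked or not;
    // the lock state only decides whether its result is honoured.
    boolean authenticateUniform(String user, String password) {
        boolean ok = verify(user, password);
        if (isLocked(user)) return false;
        return record(user, ok);
    }

    private boolean record(String user, boolean ok) {
        if (ok) failures.remove(user); else failures.merge(user, 1, Integer::sum);
        return ok;
    }

    public static void main(String[] args) {
        // Constructed stand-in verifier; a real one would do a slow password-hash comparison.
        LockoutGate gate = new LockoutGate((u, p) -> "s3cret".equals(p));
        for (int i = 0; i < MAX_FAILURES; i++) gate.authenticateUniform("alice", "wrong");
        int before = gate.verifierCalls;
        gate.authenticateEarlyReturn("alice", "wrong");
        System.out.println("early return, verifier runs while locked: " + (gate.verifierCalls - before));
        before = gate.verifierCalls;
        gate.authenticateUniform("alice", "wrong");
        System.out.println("uniform path, verifier runs while locked: " + (gate.verifierCalls - before));
    }
}
```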