https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Please read up on timing attacks.

A Map lookup following by a return will be noticeably faster than the
authentication process.

Your proposed change would enable an attacker to determine:
- if an account was locked
- how many failed attempts it takes lock an account
- how long the lock out period was

Exposing that information is considered a (minor) security vulnerability.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to