Version: Spring Boot 2.4.0. Look at this, in org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider#authenticate:

try {
    user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
}
// Look here: I know that the username was not found here, but a BadCredentialsException is thrown instead.
// I want to know why. What I should get when the exception is caught is "username not found", not "bad credentials".
catch (UsernameNotFoundException ex) {
    this.logger.debug("Failed to find user '" + username + "'");
    if (!this.hideUserNotFoundExceptions) {
        throw ex;
    }
    throw new BadCredentialsException(this.messages
                                      .getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
}
Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");

Comment From: jzheaux

Hi, @zhengchalei, thanks for reaching out.

"Bad credentials" is a more generic error, which is considered more secure in this case, similar to why websites say "your username or your password is wrong".

You can read more in the JavaDoc for AbstractUserDetailsAuthenticationProvider#setHideUserNotFoundExceptions:

By default the AbstractUserDetailsAuthenticationProvider throws a BadCredentialsException if a username is not found or the password is incorrect. Setting this property to false will cause UsernameNotFoundExceptions to be thrown instead for the former. Note this is considered less secure than throwing BadCredentialsException for both exceptions.

For future reference, it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. If you feel like there's more to discuss about your question, please post to StackOverflow and update this issue with a link to the re-posted question (so that other people can find it).
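The difference the setHideUserNotFoundExceptions property makes can be seen by running the same three login attempts against two DaoAuthenticationProvider instances, one with the default (hide = true) and one with the property switched off. This is an added example written for this thread, not code from Spring Security or from either participant; the class name HideUserNotFoundDemo, the in-memory user "alice", her password and the attempted usernames are all assumptions made up for the demonstration.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example (not Spring Security's own code): compares the exception a caller sees
// for an unknown username with hideUserNotFoundExceptions left at its default (true)
// and with it set to false.
public class HideUserNotFoundDemo {

    // Builds a DaoAuthenticationProvider backed by a single constructed in-memory user.
    // hideUserNotFound is the property discussed in the thread; true is the default.
    static DaoAuthenticationProvider provider(boolean hideUserNotFound) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice")                 // assumed test user
                    .password(encoder.encode("correct-horse"))
                    .roles("USER")
                    .build());
        DaoAuthenticationProvider p = new DaoAuthenticationProvider();
        p.setUserDetailsService(users);
        p.setPasswordEncoder(encoder);
        p.setHideUserNotFoundExceptions(hideUserNotFound);
        return p;
    }

    // Returns the simple class name of the exception a login attempt raises, or "OK"
    // on success, so the two configurations can be compared side by side.
    static String outcome(AuthenticationProvider p, String username, String password) {
        try {
            p.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            return "OK";
        } catch (UsernameNotFoundException e) {
            return "UsernameNotFoundException";
        } catch (BadCredentialsException e) {
            return "BadCredentialsException";
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        AuthenticationProvider hidden = provider(true);     // the default
        AuthenticationProvider revealing = provider(false); // what the reporter asked for

        // Constructed attempts: valid login, known user with wrong password, unknown user.
        String[][] attempts = {
            {"alice", "correct-horse"},
            {"alice", "wrong"},
            {"mallory", "wrong"},
        };
        for (String[] a : attempts) {
            System.out.printf("%-8s %-14s default=%-26s hide=false=%s%n",
                    a[0], a[1], outcome(hidden, a[0], a[1]), outcome(revealing, a[0], a[1]));
        }
    }
}
```

With the default, the "alice"/"wrong" and "mallory"/"wrong" rows produce the same BadCredentialsException, so a caller (or an attacker scripting the login form) cannot tell which usernames exist. With the property set to false, the "mallory" row produces UsernameNotFoundException instead, which is exactly the user-enumeration signal the JavaDoc warns about. If you do switch it off, keep the distinction server-side only (logs, metrics) and never let it reach the HTTP response; note also that DaoAuthenticationProvider still runs a dummy password encode for unknown users precisely so that the timing of the two failure cases stays similar.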