Jira Data Center: JRASERVER-75758

User enumeration security issue when external authentication server is used


Details

    Description

      Issue Summary

      This is reproducible on all Atlassian on-prem products that use LDAP (or any other external server for authentication).

      It is possible to find out which usernames exist in the system and which do not by measuring how long the server takes to process a login attempt. When an external authentication service (e.g. LDAP) is involved and the user account exists in the database, the Atlassian application has to query that service with the supplied username/password, which incurs a network delay; the delay is even more pronounced if the LDAP server is in a different network segment or under load. If the user account does not exist in the database, the Atlassian application does not need to query the external auth service and can reply to the user immediately. By comparing the timings of these two cases, one can clearly see the distinction between existing and non-existing usernames in the system.

      Steps to Reproduce

      1. Configure an Atlassian product connected to Crowd with LDAP for authentication. Make sure the LDAP server is located in another network segment or is under load, so that requests to it take time.
      2. Send POST requests to /login.jsp with existing and non-existing usernames and compare timings.

      Expected Results

      It should not be possible to determine from server timings which usernames exist and which do not.

      Actual Results

      You can clearly see the difference in timings when a username exists or not.
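To make the two cases indistinguishable at the application layer, the login path has to do equivalent work and take a fixed minimum time whether or not the username exists. The following Python is an added illustration of that pattern (not Atlassian's code); the FakeLdap backend, the local user set and the decoy account name are constructed stand-ins for the Crowd/LDAP round trip described above.

```python
import hmac
import time

# Constructed stand-in for a Crowd/LDAP directory: a tiny user store plus a
# simulated network round trip, so the example runs offline.
class FakeLdap:
    def __init__(self, users, latency=0.05):
        self.users = users          # {username: password}
        self.latency = latency      # simulated network delay per round trip
        self.bind_calls = 0         # how many round trips were made

    def bind(self, username, password):
        """Simulate an LDAP simple bind: one network round trip per call."""
        self.bind_calls += 1
        time.sleep(self.latency)
        expected = self.users.get(username)
        return expected is not None and hmac.compare_digest(expected, password)

# Constructed local user database (the "exists in the database" check).
LOCAL_USERS = {"alice", "bob"}

def login_vulnerable(ldap, username, password):
    """Short-circuits on unknown users, so they answer faster than known ones."""
    if username not in LOCAL_USERS:
        return False
    return ldap.bind(username, password)

def login_hardened(ldap, username, password, min_seconds=0.2):
    """Does the same work for unknown users: always performs the external bind
    (against a decoy account that can never succeed) and pads every answer to a
    fixed minimum duration, so backend latency is not visible to the client."""
    start = time.monotonic()
    if username in LOCAL_USERS:
        ok = ldap.bind(username, password)
    else:
        # Decoy bind keeps the round-trip count identical; its result is dropped.
        ldap.bind("__decoy_user__", password)
        ok = False
    remaining = min_seconds - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)   # the floor hides residual backend variance
    return ok

def backend_round_trips(login, username, password="wrong"):
    """Number of external bind calls a login attempt triggers for `username`."""
    ldap = FakeLdap({"alice": "s3cret", "bob": "hunter2"}, latency=0.01)
    login(ldap, username, password)
    return ldap.bind_calls
```

The padding floor must exceed the slowest realistic backend round trip, otherwise a loaded LDAP server can still push existing-user responses past it.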

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            Assignee: Unassigned
            Reporter: Gergo Novai