syncope-commits mailing list archives

From ilgro...@apache.org
Subject [2/2] syncope git commit: Adding warning about not reporting user's security answer
Date Fri, 03 Mar 2017 07:24:43 GMT
Adding warning about not reporting user's security answer


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/2b775bb4
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/2b775bb4
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/2b775bb4

Branch: refs/heads/master
Commit: 2b775bb48d73d6ce4c4042ee2e5568164ffe62ee
Parents: a70efed
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Fri Mar 3 08:24:12 2017 +0100
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Fri Mar 3 08:24:32 2017 +0100

----------------------------------------------------------------------
 .../reference-guide/concepts/usersgroupsandanyobjects.adoc  | 9 +++++++++
 1 file changed, 9 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/2b775bb4/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
index ba14de6..a9aa2f9 100644
--- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
@@ -111,6 +111,15 @@ The usage of security questions can be however disabled by setting the
`password
 <<configuration-parameters, below>> for details.
 ====
 
+[[password-reset-no-security-answer]]
+[WARNING]
+====
+Once provided via Enduser UI, the answers to security questions are *never* reported, neither
via REST or Admin UI to
+administrators, nor to end-users via Enduser UI.
+
+This to avoid any information disclosure which can potentially lead attackers to reset other
users' passwords.
+====
+
 [NOTE]
 In addition to the password reset feature, administrators can set a flag on a given user
so that he / she is forced to
 update their password value at next login.
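Review bot: the two sentences inside the new WARNING block need grammar fixes before this goes into the reference guide. `neither via REST or Admin UI to administrators, nor to end-users via Enduser UI` mixes `neither ... or ... nor`; suggest `neither to administrators (via REST or Admin UI) nor to end-users (via Enduser UI)`. The second sentence, `This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords.`, has no main verb; suggest `This prevents an information disclosure that could otherwise allow an attacker to reset other users' passwords.` Since the block carries its own anchor, consider also cross-referencing it from the password reset text above so readers see why a readable answer is equivalent to a password reset.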

