syncope-commits mailing list archives

From ilgro...@apache.org
Subject [1/2] syncope git commit: Adding warning about not reporting user's security answer
Date Fri, 03 Mar 2017 07:24:42 GMT
Repository: syncope
Updated Branches:
  refs/heads/2_0_X 767c30307 -> a56ef7b1e
  refs/heads/master a70efed4c -> 2b775bb48


Adding warning about not reporting user's security answer


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a56ef7b1
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a56ef7b1
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a56ef7b1

Branch: refs/heads/2_0_X
Commit: a56ef7b1e80a24b8a3d482d1e31dd0fbc71e22c4
Parents: 767c303
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Fri Mar 3 08:24:12 2017 +0100
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Fri Mar 3 08:24:12 2017 +0100

----------------------------------------------------------------------
 .../reference-guide/concepts/usersgroupsandanyobjects.adoc  | 9 +++++++++
 1 file changed, 9 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/a56ef7b1/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
index ba14de6..a9aa2f9 100644
--- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
@@ -111,6 +111,15 @@ The usage of security questions can be however disabled by setting the
`password
 <<configuration-parameters, below>> for details.
 ====
 
+[[password-reset-no-security-answer]]
+[WARNING]
+====
+Once provided via Enduser UI, the answers to security questions are *never* reported, neither
via REST or Admin UI to
+administrators, nor to end-users via Enduser UI.
+
+This to avoid any information disclosure which can potentially lead attackers to reset other
users' passwords.
+====
+
 [NOTE]
 In addition to the password reset feature, administrators can set a flag on a given user
so that he / she is forced to
 update their password value at next login.
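Review bot: the added WARNING block has two wording problems that make a security-relevant statement harder to parse. The first sentence mixes "neither via REST or Admin UI to administrators, nor to end-users", and the second sentence has no verb ("This to avoid ..."). Suggested wording: "the answers to security questions are *never* reported: neither to administrators via REST or Admin UI, nor to end-users via Enduser UI" and "This is to avoid any information disclosure which could lead attackers to reset other users' passwords." Also, the new anchor `[[password-reset-no-security-answer]]` is not referenced anywhere in this hunk. If it is meant as a link target, a cross-reference from the surrounding password reset text would make the warning easier to find.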

