Adding warning about not reporting user's security answer

Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/2b775bb4
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/2b775bb4
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/2b775bb4

Branch: refs/heads/master
Commit: 2b775bb48d73d6ce4c4042ee2e5568164ffe62ee
Parents: a70efed
Author: Francesco Chicchiriccò <ilgro...@apache.org>
Authored: Fri Mar 3 08:24:12 2017 +0100
Committer: Francesco Chicchiriccò <ilgro...@apache.org>
Committed: Fri Mar 3 08:24:32 2017 +0100

----------------------------------------------------------------------
 .../reference-guide/concepts/usersgroupsandanyobjects.adoc  | 9 +++++++++
 1 file changed, 9 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/2b775bb4/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
----------------------------------------------------------------------
diff --git 
a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc 
b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
index ba14de6..a9aa2f9 100644
--- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
@@ -111,6 +111,15 @@ The usage of security questions can be however disabled by 
setting the `password
 <<configuration-parameters, below>> for details.
 ====
 
+[[password-reset-no-security-answer]]
+[WARNING]
+====
+Once provided via Enduser UI, the answers to security questions are *never* 
reported, neither via REST or Admin UI to
+administrators, nor to end-users via Enduser UI.
+
+This to avoid any information disclosure which can potentially lead attackers 
to reset other users' passwords.
+====
+
 [NOTE]
 In addition to the password reset feature, administrators can set a flag on a 
given user so that he / she is forced to
 update their password value at next login.
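Review bot: the new WARNING block carries two grammar slips that should be fixed before the guide is published: "neither via REST or Admin UI" should read "neither via REST nor Admin UI", and "This to avoid any information disclosure" is missing its verb ("This is to avoid ..."). Separately, since this commit changes only the reference guide (1 file changed, 9 insertions), the sentence "the answers to security questions are *never* reported" is a guarantee the documentation now makes on behalf of the code; it is worth confirming that user read and search responses, as well as any history or audit payloads that carry user data, really omit the security answer before stating it this strongly, and wording the block as "are never returned" rather than "reported" would make the REST meaning clearer.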
