[
https://issues.apache.org/jira/browse/SYNCOPE-1966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18078118#comment-18078118
]
ASF subversion and git services commented on SYNCOPE-1966:
----------------------------------------------------------
Commit d102f47ae64fe23ee870f88abf4912e701d4ffe9 in syncope's branch
refs/heads/4_1_X from Francesco Chicchiriccò
[ https://gitbox.apache.org/repos/asf?p=syncope.git;h=d102f47ae6 ]
[SYNCOPE-1966] Do not include security sensitive information in returned UserTO
(#1371)
> Do not include security sensitive information in returned UserTO payloads
> -------------------------------------------------------------------------
>
> Key: SYNCOPE-1966
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1966
> Project: Syncope
> Issue Type: Task
> Components: common, console, core
> Reporter: Francesco Chicchiriccò
> Assignee: Francesco Chicchiriccò
> Priority: Major
> Labels: rest, security
> Fix For: 4.1.1, 5.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> {{UserTO}} instances returned as payload by some Core REST services
> currently contain a few fields that can be safely dropped:
> * password
> * token
> * tokenExpireTime
> * securityAnswer
> Such fields are in fact:
> * mostly blank by default (depending on the value of configuration parameter
> {{return.password.value}})
> * not usable by callers (being hashed)
> * anyway accessible only to administrators owning the {{USER_READ}}
> entitlement for the belonging Realm
> Thus, there are enough reasons to just get rid of them.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
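As an added example (not Syncope project code and not part of the comment above), the regression check a practitioner would run against a deployed instance after this change: decode a `UserTO`-style JSON response and walk it for the four field names the issue drops, at any nesting depth, treating a blank or hashed value as a finding just like a populated one, since the fix is that the key is absent, not that its value is harmless. The sample payloads are constructed for this example and are not real Syncope responses; `find_sensitive_fields` and `check_payload` are names chosen here.

```python
"""Regression check: scan a UserTO-style JSON payload for fields that
should no longer be returned by a REST service.

Added example, not Syncope code. The field names come from SYNCOPE-1966;
the sample payloads below are constructed and are not real responses.
"""
import json

# Fields SYNCOPE-1966 removes from returned UserTO payloads.
SENSITIVE_FIELDS = frozenset(
    {"password", "token", "tokenExpireTime", "securityAnswer"}
)


def find_sensitive_fields(node, forbidden=SENSITIVE_FIELDS, path=""):
    """Walk a decoded JSON document and return JSON-pointer-like paths of
    every key in `forbidden`, regardless of nesting depth or value.

    A blank or hashed value still counts: the goal is that the key does
    not appear in the payload at all.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key in forbidden:
                hits.append(child)
            hits.extend(find_sensitive_fields(value, forbidden, child))
    elif isinstance(node, list):
        for idx, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, forbidden, f"{path}/{idx}"))
    return hits


def check_payload(raw_json, forbidden=SENSITIVE_FIELDS):
    """Parse a raw response body; return (ok, list_of_offending_paths)."""
    findings = find_sensitive_fields(json.loads(raw_json), forbidden)
    return (not findings, findings)


# Constructed sample: a pre-fix style response that still carries the
# fields even though they are blank or hashed (hypothetical values).
LEAKING_PAYLOAD = json.dumps({
    "key": "1a2b3c4d-0000-4000-8000-000000000001",
    "username": "jdoe",
    "password": "{SSHA}Q2hvcGluQ29uc3RydWN0ZWQ=",  # hashed, still a finding
    "token": "",                                    # blank, still a finding
    "tokenExpireTime": None,
    "securityAnswer": "",
    "memberships": [{"groupKey": "g-0001", "groupName": "root"}],
})

# Constructed sample: the same user with the fields dropped.
CLEAN_PAYLOAD = json.dumps({
    "key": "1a2b3c4d-0000-4000-8000-000000000001",
    "username": "jdoe",
    "memberships": [{"groupKey": "g-0001", "groupName": "root"}],
})

# Constructed sample: a search-style envelope wrapping several users,
# to show that nested and list-wrapped objects are scanned too.
SEARCH_PAYLOAD = json.dumps({
    "page": 1,
    "size": 2,
    "result": [
        {"key": "u-1", "username": "jdoe"},
        {"key": "u-2", "username": "asmith", "token": "deadbeef"},
    ],
})


if __name__ == "__main__":
    for label, body in (("single/before", LEAKING_PAYLOAD),
                        ("single/after", CLEAN_PAYLOAD),
                        ("search", SEARCH_PAYLOAD)):
        ok, findings = check_payload(body)
        print(f"{label}: {'OK' if ok else 'LEAK at ' + ', '.join(findings)}")
```

To use it against a live server, feed `check_payload` the body of a `GET` on the user endpoint made with an account that holds `USER_READ` for the realm, since that is the only caller that could have seen the fields before the fix; a non-empty findings list after upgrading means the payload still carries a key the issue says is gone.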