[
https://issues.apache.org/jira/browse/SYNCOPE-1966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Francesco Chicchiriccò resolved SYNCOPE-1966.
---------------------------------------------
Resolution: Fixed
> Do not include security sensitive information in returned UserTO payloads
> -------------------------------------------------------------------------
>
> Key: SYNCOPE-1966
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1966
> Project: Syncope
> Issue Type: Task
> Components: common, console, core
> Reporter: Francesco Chicchiriccò
> Assignee: Francesco Chicchiriccò
> Priority: Major
> Labels: rest, security
> Fix For: 4.1.1, 5.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> {{UserTO}} instances returned as payload by some Core REST services
> currently contain a few fields that can be safely dropped:
> * password
> * token
> * tokenExpireTime
> * securityAnswer
> Such fields are in fact:
> * mostly blank by default (depending on the value of configuration parameter
> {{return.password.value}})
> * not usable by callers (being hashed)
> * anyway accessible only to administrators owning the {{USER_READ}}
> entitlement for the belonging Realm
> Thus, there are enough reasons to just get rid of them.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
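The hardening described in the issue, as an added illustration that is not Syncope code: a hypothetical `UserTO` stand-in carrying the four fields named above, a `sanitize` step that builds the response object without them, and a boundary check that walks a serialized payload (single object or paged list) and reports any sensitive key still carrying a value. Field and method names other than the four from the issue are assumptions; the sample user, hash and token values are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not project code. UserTO is a hypothetical stand-in that
// carries only the fields named in the issue plus a couple of harmless ones.
public class UserPayloadSanitizer {

    public static final class UserTO {
        public String username;
        public String password;        // stored hashed; not usable by callers
        public String token;
        public String tokenExpireTime;
        public String securityQuestion;
        public String securityAnswer;  // also stored hashed
        public Map<String, String> plainAttrs = new LinkedHashMap<>();
    }

    // Keys that must not leave Core with a value, per the issue.
    public static final List<String> SENSITIVE_KEYS =
            List.of("password", "token", "tokenExpireTime", "securityAnswer");

    // Build a fresh transfer object for the response instead of mutating the
    // input: the entity-backed instance may still be needed server-side.
    public static UserTO sanitize(UserTO in) {
        UserTO out = new UserTO();
        out.username = in.username;
        out.securityQuestion = in.securityQuestion;
        out.plainAttrs.putAll(in.plainAttrs);
        return out;
    }

    // Minimal serialization to a key/value map, standing in for the JSON
    // mapper; null fields are still emitted as keys, as a default mapper would.
    public static Map<String, Object> toJsonMap(UserTO u) {
        Map<String, Object> m = new LinkedHashMap<>();
        m.put("username", u.username);
        m.put("password", u.password);
        m.put("token", u.token);
        m.put("tokenExpireTime", u.tokenExpireTime);
        m.put("securityQuestion", u.securityQuestion);
        m.put("securityAnswer", u.securityAnswer);
        m.put("plainAttrs", new LinkedHashMap<>(u.plainAttrs));
        return m;
    }

    // Regression check for the REST boundary: walk a serialized payload and
    // collect the path of every sensitive key that still has a non-null value.
    // An empty result means the payload is clean.
    public static List<String> leakedKeys(Object json, String path) {
        List<String> leaks = new ArrayList<>();
        if (json instanceof Map<?, ?> map) {
            for (Map.Entry<?, ?> e : map.entrySet()) {
                String key = String.valueOf(e.getKey());
                String here = path.isEmpty() ? key : path + "." + key;
                if (SENSITIVE_KEYS.contains(key) && e.getValue() != null) {
                    leaks.add(here);
                }
                leaks.addAll(leakedKeys(e.getValue(), here));
            }
        } else if (json instanceof List<?> list) {
            for (int i = 0; i < list.size(); i++) {
                leaks.addAll(leakedKeys(list.get(i), path + "[" + i + "]"));
            }
        }
        return leaks;
    }

    public static void main(String[] args) {
        // Constructed sample user, as it might arrive from the entity layer.
        UserTO stored = new UserTO();
        stored.username = "rossini";
        stored.password = "{SHA256}<hash-placeholder>";
        stored.token = "<token-placeholder>";
        stored.tokenExpireTime = "2025-01-01T00:00:00Z";
        stored.securityQuestion = "first pet";
        stored.securityAnswer = "{SHA256}<hash-placeholder>";
        stored.plainAttrs.put("email", "rossini@example.org");

        // A two-element "page" as a paged list endpoint might return it:
        // the raw object leaks four paths, the sanitized one leaks none.
        List<Object> page = List.of(toJsonMap(stored), toJsonMap(sanitize(stored)));
        System.out.println("raw:       " + leakedKeys(page.get(0), "result[0]"));
        System.out.println("sanitized: " + leakedKeys(page.get(1), "result[1]"));
    }
}
```

The check deliberately inspects the serialized form rather than the object: a blank `password` and a `null` `token` are both keys the client still sees, and the point of the change is that they are not sent at all, so a wiring mistake (a mapper configured to emit nulls, a nested `UserTO` inside a membership or a paged result) shows up as a named path rather than passing silently.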