  1. SonarQube
  2. SONAR-7781

Password of external providers should not be stored in database


    Details

      Description

      When using an external provider, it's currently possible to store the password of the user in the database, using the property "sonar.security.savePassword".

      It should no longer be possible to do that, as it can be considered a security hole.

      As a consequence:

      • Property "sonar.security.savePassword" should be removed
      • When authentication against the external provider fails, no fallback will be made to authenticate the user from the database

      A DB migration should be executed to remove the crypted password and salt of every non-local user.


            People

            Assignee:
            julien.lancelot Julien Lancelot
            Reporter:
            julien.lancelot Julien Lancelot