  1. SonarQube
  2. SONAR-7781

Password of external providers should not be stored in database

    Details

      Description

      When using an external provider, it's currently possible to store the password of the user in the database, using the property "sonar.security.savePassword".

      It should no longer be possible to do that, as it can be considered a security hole.

      As a consequence:

      • Property "sonar.security.savePassword" should be removed
      • When authentication against the external provider fails, no fallback will be made to authenticate the user from the database

      A DB migration should be executed to remove the crypted password and salt of every non-local user
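The two consequences and the migration described above, modelled as an added example that is not SonarQube's code: a saved copy of an external user's password keeps working through the database fallback until the fallback is removed and the stored hash and salt are cleared. The table and column names, the `is_local` flag, the PBKDF2 hashing, the `allow_db_fallback` switch and the `external_check` callback are assumptions made for this sketch.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema for illustration; not SonarQube's actual table definition.
SCHEMA = """CREATE TABLE users (login TEXT PRIMARY KEY, is_local INTEGER NOT NULL,
                                crypted_password TEXT, salt TEXT)"""

def hash_password(password, salt):
    # PBKDF2 is used for the sample only; the page does not name an algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = [("admin", 1, hash_password("local-pw", "s1"), "s1"),
            # Non-local user whose password was saved while savePassword was enabled.
            ("alice", 0, hash_password("old-ldap-pw", "s2"), "s2")]
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", rows)
    return db

def migrate_remove_external_credentials(db):
    """Clear stored hash and salt for every non-local user; return rows changed."""
    cur = db.execute("UPDATE users SET crypted_password = NULL, salt = NULL "
                     "WHERE is_local = 0 AND (crypted_password IS NOT NULL OR salt IS NOT NULL)")
    db.commit()
    return cur.rowcount

def check_db_password(db, login, password):
    row = db.execute("SELECT crypted_password, salt FROM users WHERE login = ?", (login,)).fetchone()
    if row is None or row[0] is None or row[1] is None:
        return False  # nothing stored, so the database cannot authenticate this user
    return hmac.compare_digest(row[0], hash_password(password, row[1]))

def authenticate(db, login, password, external_check, allow_db_fallback=False):
    """external_check(login, password) -> bool stands in for the external provider."""
    row = db.execute("SELECT is_local FROM users WHERE login = ?", (login,)).fetchone()
    if row is None:
        return False
    if row[0] == 1:
        return check_db_password(db, login, password)  # local users are unaffected
    if external_check(login, password):
        return True
    # Old behaviour (allow_db_fallback=True): a saved copy could still log the user in.
    return allow_db_fallback and check_db_password(db, login, password)
```

Running the migration a second time changes no rows, so it is safe to re-apply.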

              People

              • Assignee:
                julien.lancelot Julien Lancelot
                Reporter:
                julien.lancelot Julien Lancelot