SQL Server Management Studio Replacement
- by Mongo
Can anyone suggest a non java replacement for SQL Server Management Studio for OSX?
I currently use Parallels in Crystal mode and run SSMS, but it seems like there should be something better.
Search Results
Search found 93618 results on 3745 pages for 'server security'.
Page 116/3745 | < Previous Page | 112 113 114 115 116 117 118 119 120 121 122 123 | Next Page >
-
-
Iptables: How to allow only one ip through specific port?
- by Camran
How can I on my ubuntu server, in Iptables only allow one IP adress on a specific port? ThanksRead the article
-
ssh (openSSH) questions
- by Camran
I have ubuntu 9.10 server. Firstly, is OpenSSH the same as SSHD? Secondly, In the terminal when typing whereis sshd i get this: whereis sshd /usr/sbin/sshd Also when typing whereis openssh i get this: whereis openssh /usr/lib/openssh How do I know if I have openssh? Also, some tutorials online suggest opening sshd_config, so when typing this: whereis sshd_config /usr/share/man/man5/sshd_config.5.gz // I get this... What should I do, because as you have answered my other Q about security, you have pointed out that it is the way you configure your ssh and etc which is important. Is there any guide for this? How should I configure this? I will be the only user for this server btw... If you need more input let me know and I will update this Q. ThanksRead the article
-
ssh (openSSH) questions
- by Camran
I have ubuntu 9.10 server. Firstly, is OpenSSH the same as SSHD? Secondly, In the terminal when typing whereis sshd i get this: whereis sshd /usr/sbin/sshd Also when typing whereis openssh i get this: whereis openssh /usr/lib/openssh How do I know if I have openssh? Also, some tutorials online suggest opening sshd_config, so when typing this: whereis sshd_config /usr/share/man/man5/sshd_config.5.gz // I get this... What should I do, because as you have answered my other Q about security, you have pointed out that it is the way you configure your ssh and etc which is important. Is there any guide for this? How should I configure this? I will be the only user for this server btw... If you need more input let me know and I will update this Q. ThanksRead the article
-
SQL SERVER – PAGELATCH_DT, PAGELATCH_EX, PAGELATCH_KP, PAGELATCH_SH, PAGELATCH_UP – Wait Type – Day 12 of 28
- by pinaldave
This is another common wait type. However, I still frequently see people getting confused with PAGEIOLATCH_X and PAGELATCH_X wait types. Actually, there is a big difference between the two. PAGEIOLATCH is related to IO issues, while PAGELATCH is not related to IO issues but is oftentimes linked to a buffer issue. Before we delve deeper in this interesting topic, first let us understand what Latch is. Latches are internal SQL Server locks which can be described as very lightweight and short-term synchronization objects. Latches are not primarily to protect pages being read from disk into memory. It’s a synchronization object for any in-memory access to any portion of a log or data file.[Updated based on comment of Paul Randal] The difference between locks and latches is that locks seal all the involved resources throughout the duration of the transactions (and other processes will have no access to the object), whereas latches locks the resources during the time when the data is changed. This way, a latch is able to maintain the integrity of the data between storage engine and data cache. A latch is a short-living lock that is put on resources on buffer cache and in the physical disk when data is moved in either directions. As soon as the data is moved, the latch is released. Now, let us understand the wait stat type related to latches. From Book On-Line: PAGELATCH_DT Occurs when a task is waiting on a latch for a buffer that is not in an I/O request. The latch request is in Destroy mode. PAGELATCH_EX Occurs when a task is waiting on a latch for a buffer that is not in an I/O request. The latch request is in Exclusive mode. PAGELATCH_KP Occurs when a task is waiting on a latch for a buffer that is not in an I/O request. The latch request is in Keep mode. PAGELATCH_SH Occurs when a task is waiting on a latch for a buffer that is not in an I/O request. The latch request is in Shared mode. PAGELATCH_UP Occurs when a task is waiting on a latch for a buffer that is not in an I/O request. The latch request is in Update mode. PAGELATCH_X Explanation: When there is a contention of access of the in-memory pages, this wait type shows up. It is quite possible that some of the pages in the memory are of very high demand. For the SQL Server to access them and put a latch on the pages, it will have to wait. This wait type is usually created at the same time. Additionally, it is commonly visible when the TempDB has higher contention as well. If there are indexes that are heavily used, contention can be created as well, leading to this wait type. Reducing PAGELATCH_X wait: The following counters are useful to understand the status of the PAGELATCH: Average Latch Wait Time (ms): The wait time for latch requests that have to wait. Latch Waits/sec: This is the number of latch requests that could not be granted immediately. Total Latch Wait Time (ms): This is the total latch wait time for latch requests in the last second. If there is TempDB contention, I suggest that you read the blog post of Robert Davis right away. He has written an excellent blog post regarding how to find out TempDB contention. The same blog post explains the terms in the allocation of GAM, SGAM and PFS. If there was a TempDB contention, Paul Randal explains the optimal settings for the TempDB in his misconceptions series. Trace Flag 1118 can be useful but use it very carefully. I totally understand that this blog post is not as clear as my other blog posts. I suggest if this wait stats is on one of your higher wait type. Do leave a comment or send me an email and I will get back to you with my solution for your situation. May the looking at all other wait stats and types together become effective as this wait type can help suggest proper bottleneck in your system. Read all the post in the Wait Types and Queue series. Note: The information presented here is from my experience and there is no way that I claim it to be accurate. I suggest reading Book OnLine for further clarification. All the discussions of Wait Stats in this blog are generic and vary from system to system. It is recommended that you test this on a development server before implementing it to a production server. Reference: Pinal Dave (http://blog.SQLAuthority.com) Filed under: Pinal Dave, PostADay, SQL, SQL Authority, SQL Query, SQL Scripts, SQL Server, SQL Tips and Tricks, SQL Wait Stats, SQL Wait Types, T SQL, TechnologyRead the article
-
After restoring a SQL Server database from another server - get login fails
- by Renso
Issue: After you have restored a sql server database from another server, lets say from production to a Q/A environment, you get the "Login Fails" message for your service account. Reason: User logon information is stored in the syslogins table in the master database. By changing servers, or by altering this information by rebuilding or restoring an old version of the master database, the information may be different from when the user database dump was created. If logons do not exist for the users, they will receive an error indicating "Login failed" while attempting to log on to the server. If the user logons do exist, but the SUID values (for 6.x) or SID values (for 7.0) in master..syslogins and the sysusers table in the user database differ, the users may have different permissions than expected in the user database. Solution: Links a user entry in the sys.database_principals system catalog view in the current database to a SQL Server login of the same name. If a login with the same name does not exist, one will be created. Examine the result from the Auto_Fix statement to confirm that the correct link is in fact made. Avoid using Auto_Fix in security-sensitive situations. When you use Auto_Fix, you must specify user and password if the login does not already exist, otherwise you must specify user but password will be ignored. login must be NULL. user must be a valid user in the current database. The login cannot have another user mapped to it. execute the following stored procedure, in this example the login user name is "MyUser" exec sp_change_users_login 'Auto_Fix', 'MyUser' NOTE: sp_change_users_login cannot be used with a SQL Server login created from a Windows principal or with a user created by using CREATE USER WITHOUT LOGIN.Read the article
-
BizTalk 2009 - Installing BizTalk Server 2009 on XP for Development
- by StuartBrierley
At my previous employer, when developing for BizTalk Server 2004 using Visual Studio 2003, we made use of separate development and deployment environments; developing in Visual Studio on our client PCs and then deploying to a seperate shared BizTalk 2004 Server from there. This server was part of a multi-server Standard BizTalk environment comprising of separate BizTalk Server 2004 and SQL Server 2000 servers. This environment was implemented a number of years ago by an outside consulting company, and while it worked it did occasionally cause contention issues with three developers deploying to the same server to carry out unit testing! Now that I am making the design and implementation decisions about the environment that BizTalk will be developed in and deployed to, I have chosen to create a single "server" installation on my development PC, installling SQL Server 2008, Visual Studio 2008 and BizTalk Server 2009 on a single system. The client PC in use is actually a MacBook Pro running Windows XP; not the most powerful of systems for high volume processing but it should be powerful enough to allow development and initial unit testing to take place. I did not need to, and so chose not to, install all of the components detailed in the Microsoft guide for installing BizTalk 2009 on Windows XP but I did follow the basics of the procedures detailed within. Outlined below are the highlights of this process and any details of what choices I made. Install IIS I had previsouly installed Windows XP, including all current service packs and critical updates. At the time of installation this included Service Pack 3, the .Net Framework 3.5 and MS Windows Installer 3.1. Having a running XP system, my first step was to install IIS - this is quite straightforward and posed no difficulties. Install Visual Studio 2008 The next step for me was to install Visual Studio 2008. Making sure to select a custom installation is crucial at this point, as you need to make sure that you deselect SQL Server 2005 Express Edition as it can cause the BizTalk installation to fail. The installation guide suggests that you only select Visual C# when selecting features to install, but I decided that due to some legacy systems I have code for that I would also select the VB and ASP options. Visual Studio 2008 Service Pack 1 Following the completion of the installation of Visual Studio itself you should then install the Visual Studio 2008 Service Pack 1. SQL Server 2008 Standard Edition The next step before intalling BizTalk Server 2009 itself is to install SQL Server 2008 Standard Edition. On the feature selection screen make sure that you select the follwoing options: Database Engine Services SQL Server Replication Full-Text Search Analysis Services Reporting Services Business Intelligence Development Studio Client Tools Connectivity Integration Services Management Tools Basic and Complete Use the default instance and the same accounts for all SQL server instances - in my case I used the Network Service and Local Service accounts for the two sets of accounts. On the database engine configuration screen I selected windows authentication and added the current user, adding the same user again on the Analysis services Configuration screen. All other screens were left on the default settings. The SQL Server 2008 installation also included the installation of hotfix for XP KB942288-v3, the Windows Installer 4.5 Redistributable. System Configuration At this stage I took a moment to disable the SQL Server shared memory protocol and enable the Named Pipes and TCP/IP protocols. These can be found in the SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for MSSQLServer. I also made sure that the DTC settings were configured correctley. BizTalk Server 2009 The penultimate step is to install BizTalk Server 2009 Standard Edition. I had previsouly downloaded the redistributable prerequisites as a CAB file so was able to make use of this when carrying out the installation. When selecting which components to install I selected: Server Runtime BizTalk EDI/AS2 Runtime WCF Adapter Runtime Portal Components Administrative Tools WFC Administartion Tools Developer Tools and SDK, Enterprise SSO Administration Module Enterprise SSO Master Secret Server Business Rules Components BAM Alert Provider BAM Client BAM Eventing Once installation has completed clear the launch BizTalk Server Configuration check box and select finish. Verify the Installation Before configuring BizTalk Server it is a good idea to check that BizTalk Server 2009 is installed and that SQL Server 2008 has started correctly. The easiest way to verify the BizTalk installation is check the Programs and Features in Control panel. Check that SQL is started by looking in the SQL Server Configuration Manager. Configure BizTalk Server 2009 Finally we are ready to configure BizTalk Server 2009. To start this I opted for a custom configuration that allowed me to choose in more detail the settings to be used. For all databases I selected the local server and default database names. For all Accounts I used a local account that had been created specifically for the BizTalk Services. For all windows groups I allowed the configuration wizard to create the default local groups. The configuration wizard then ran: Upon completion you will be presented with a screen detailing the success or failure of the configuration. If your configuration failed you will need to sort out the issues and try again (it is possible to save the configuration settings for later use if you want too - except passwords of course!). If you see lots of nice green ticks - congratulations BizTalk Server 2009 on XP is now installed and configured ready for development.Read the article
-
SQL SERVER – Not Possible – Delete From Multiple Table – Update Multiple Table in Single Statement
- by pinaldave
There are two questions which I get every single day multiple times. In my gmail, I have created standard canned reply for them. Let us see the questions here. I want to delete from multiple table in a single statement how will I do it? I want to update multiple table in a single statement how will I do it? The answer is – No, You cannot and you should not. SQL Server does not support deleting or updating from two tables in a single update. If you want to delete or update two different tables – you may want to write two different delete or update statements for it. This method has many issues – from the consistency of the data to SQL syntax. Now here is the real reason for this blog post – yesterday I was asked this question again and I replied my canned answer saying it is not possible and it should not be any way implemented that day. In the response to my reply I was pointed out to my own blog post where user suggested that I had previously mentioned this is possible and with demo example. Let us go over my conversation – you may find it interesting. Let us call the user DJ. DJ: Pinal, can we delete multiple table in a single statement or with single delete statement? Pinal: No, you cannot and you should not. DJ: Oh okey, if that is the case, why do you suggest to do that? Pinal: (baffled) I am not suggesting that. I am rather suggesting that it is not possible and it should not be possible. DJ: Hmm… but in that case why did you blog about it earlier? Pinal: (What?) No, I did not. I am pretty confident. DJ: Well, I am confident as well. You did. Pinal: In that case, it is my word against your word. Isn’t it? DJ: I have proof. Do you want to see it that you suggest it is possible? Pinal: Yes, I will be delighted too. (After 10 Minutes) DJ: Here are not one but two of your blog posts which talks about it - SQL SERVER – Curious Case of Disappearing Rows – ON UPDATE CASCADE and ON DELETE CASCADE – Part 1 of 2 SQL SERVER – Curious Case of Disappearing Rows – ON UPDATE CASCADE and ON DELETE CASCADE – T-SQL Example – Part 2 of 2 Pinal: Oh! DJ: I know I was correct. Pinal: Well, oh man, I did not mean there what you mean here. DJ: I did not understand can you explain it further. Pinal: Here we go. The example in the other blog is the example of the cascading delete or cascading update. I think you may want to understand the concept of the foreign keys and cascading update/delete. The concept of cascading exists to maintain data integrity. If there primary keys get deleted the update or delete reflects on the foreign key table to maintain the key integrity and data consistency. SQL Server follows ANSI Entry SQL with regard to referential integrity between PrimaryKey and ForeignKey columns which requires the inserting, updating, and deleting of data in related tables to be restricted to values that preserve the integrity. This is all together different concept than deleting multiple values in a single statement. When I hear that someone wants to delete or update multiple table in a single statement what I assume is something very similar to following. DELETE/UPDATE Table 1 (cols) Table 2 (cols) VALUES … which is not valid statement/syntax as well it is not ASNI standards as well. I guess, after this discussion with DJ, I realize I need to do a blog post so I can add the link to this blog post in my canned answer. Well, it was a fun conversation with DJ and I hope it the message is very clear now. Reference: Pinal Dave (http://blog.SQLAuthority.com) Filed under: PostADay, SQL, SQL Authority, SQL Joins, SQL Query, SQL Server, SQL Tips and Tricks, T SQL, TechnologyRead the article
-
SQL SERVER – Weekly Series – Memory Lane – #004
- by pinaldave
Here is the list of curetted articles of SQLAuthority.com across all these years. Instead of just listing all the articles I have selected a few of my most favorite articles and have listed them here with additional notes below it. Let me know which one of the following is your favorite article from memory lane. 2006 Auto Generate Script to Delete Deprecated Fields in Current Database In early career everytime I have to drop a column, I had hard time doing it because I was scared what if that column was needed somewhere in the code. Due to this fear I never dropped any column. I just renamed the column. If the column which I renamed was needed afterwards it was very easy to rename it back again. However, it is not recommended to keep the deleted column renamed in the database. At every interval I used to drop the columns which was prefixed with specific word. This script is 6 years old but still works. Give it a look, I am open for improvements. 2007 Shrinking Truncate Log File – Log Full – Part 2 Shrinking database or mdf file is indeed bad thing and it creates lots of problems. However, once in a while there is legit requirement to shrink the log file – a very rare one. In the rare occasion shrinking or truncating the log file may be the only solution. However, one should make sure to take backup before and after the truncate or shrink as in case of a disaster they can be very useful. Remember that truncating log file will break the log chain and while restore it can create major issue. Anyway, use this feature with caution. 2008 Simple Use of Cursor to Print All Stored Procedures of Database Including Schema This is a very interesting requirement I used to face in my early career days, I needed to print all the Stored procedures of my database. Interesting enough I had written a cursor to do so. Today when I look back at this stored procedure, I believe there will be a much cleaner way to do the same task, however, I still use this SP quite often when I have to document all the stored procedures of my database. Interesting Observation about Order of Resultset without ORDER BY In industry many developers avoid using ORDER BY clause to display the result in particular order thinking that Index is enforcing the order. In this interesting example, I demonstrate that without using ORDER BY, same table and similar query can return different results. Query optimizer always returns results using any method which is optimized for performance. The learning is There is no order unless ORDER BY is used. 2009 Size of Index Table – A Puzzle to Find Index Size for Each Index on Table I asked this puzzle earlier where I asked how to find the Index size for each of the tables. The puzzle was very well received and lots of interesting answers were received. To answer this question I have written following blog posts. I suggest this weekend you try to solve this problem and see if you can come up with a better solution. If not, well here are the solutions. Solution 1 | Solution 2 | Solution 3 Understanding Table Hints with Examples Hints are options and strong suggestions specified for enforcement by the SQL Server query processor on DML statements. The hints override any execution plan the query optimizer might select for a query. The SQL Server Query optimizer is a very smart tool and it makes a better selection of execution plan. Suggesting hints to the Query Optimizer should be attempted when absolutely necessary and by experienced developers who know exactly what they are doing (or in development as a way to experiment and learn). Interesting Observation – TOP 100 PERCENT and ORDER BY I have seen developers and DBAs using TOP very causally when they have to use the ORDER BY clause. Theoretically, there is no need of ORDER BY in the view at all. All the ordering should be done outside the view and view should just have the SELECT statement in it. It was quite common that to save this extra typing by including ordering inside of the view. At several instances developers want a complete resultset and for the same they include TOP 100 PERCENT along with ORDER BY, assuming that this will simulate the SELECT statement with ORDER BY. 2010 SQLPASS Nov 8-11, 2010-Seattle – An Alternative Look at Experience In year 2010 I attended most prestigious SQL Server event SQLPASS between Nov 8-11, 2010 at Seattle. I have only one expression for the event - Best Summit Ever. Instead of writing about my usual routine or the event, I wrote about the interesting things I did and how I felt about it! When I go back and read it, I feel that this is the best event I attended in year 2010. Change Database Access to Single User Mode Using SSMS Image says all. 2011 SQL Server 2012 has introduced new analytic functions. These functions were long awaited and I am glad that they are now here. Before when any of this function was needed, people used to write long T-SQL code to simulate these functions. But now there’s no need of doing so. Having available native function also helps performance as well readability. Function SQLAuthority MSDN CUME_DIST CUME_DIST CUME_DIST FIRST_VALUE FIRST_VALUE FIRST_VALUE LAST_VALUE LAST_VALUE LAST_VALUE LEAD LEAD LEAD LAG LAG LAG PERCENTILE_CONT PERCENTILE_CONT PERCENTILE_CONT PERCENTILE_DISC PERCENTILE_DISC PERCENTILE_DISC PERCENT_RANK PERCENT_RANK PERCENT_RANK Reference: Pinal Dave (http://blog.sqlauthority.com) Filed under: Memory Lane, PostADay, SQL, SQL Authority, SQL Query, SQL Server, SQL Tips and Tricks, T SQL, TechnologyRead the article
-
Spring Security session-management setting and IllegalStateException
- by JayL
I'm trying to add <session-management> in my Spring Security namespace configuration so that I can provide a different message than the login page when the session times out. As soon as I add it to my configuration it starts throwing "IllegalStateException: Cannot create a session after the response has been committed" when I access the app. I'm using Spring Security 3 and Tomcat 6. Here's my configuration: <http> <intercept-url pattern="/go.htm" access="ROLE_RESPONDENT" /> <intercept-url pattern="/complete.htm" access="ROLE_RESPONDENT" /> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <form-login login-processing-url="/j_spring_security_check" login-page="/login.htm" authentication-failure-url="/login.htm?error=true" default-target-url="/go.htm" /> <anonymous/> <logout logout-success-url="/logout_message.htm"/> <session-management invalid-session-url="/login.htm" /> </http> Everything works great until I add in the <session-management> line. What am I missing?Read the article
-
security policy error iphone ipod touch issue
- by Joey
I'm getting an "Error from Debugger: Error launching remote program: security policy error" when I try to run my app on my ipod touch. The provisions look in order, and the app builds to my iphone 3gs just fine. The app used to build just fine to my ipod touch, so I'm flustered what could have changed and wondering if anyone has any thoughts on what might be causing this issue. The build logs are below. Mon Mar 15 14:25:54 unknown com.apple.debugserver-43[449] : Connecting to com.apple.debugserver service... Mon Mar 15 14:25:55 unknown SpringBoard[24] : Unable to launch com.yourcompany.Unearthed because it has an invalid code signature, inadequate entitlements or its profile has not been explicitly trusted by the user. Mon Mar 15 14:25:55 unknown com.apple.debugserver-43[449] : error: unable to launch the application with CFBundleIdentifier 'com.yourcompany.Unearthed' sbs_error = 9 Mon Mar 15 14:25:55 unknown com.apple.debugserver-43[449] : 1 [01c1/0903]: RNBRunLoopLaunchInferior DNBProcessLaunch() returned error: '' Mon Mar 15 14:25:55 unknown com.apple.debugserver-43[449] : error: failed to launch process (null): security policy error Mon Mar 15 14:26:03 unknown MobileSafari[72] : void SendDelegateMessage(NSInvocation*): delegate (webView:decidePolicyForNavigationAction:request:frame:decisionListener:) failed to return after waiting 10 seconds. main run loop mode: UITrackingRunLoopModeRead the article
-
How to access/use custom attribute in spring security based CAS client
- by Bill Li
I need send certain attributes(say, human readable user name) from server to client after a successful authentication. Server part was done. Now attribute was sent to client. From log, I can see: 2010-03-28 23:48:56,669 DEBUG Cas20ServiceTicketValidator:185 - Server response: [email protected] <cas:proxyGrantingTicket>PGTIOU-1-QZgcN61oAZcunsC9aKxj-cas</cas:proxyGrantingTicket> <cas:attributes> <cas:FullName>Test account 1</cas:FullName> </cas:attributes> </cas:authenticationSuccess> </cas:serviceResponse> Yet, I don't know how to access the attribute in client(I am using Spring security 2.0.5). In authenticationProvider, a userDetailsService is configured to read db for authenticated principal. <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider"> <sec:custom-authentication-provider /> <property name="userDetailsService" ref="clerkManager"/> <!-- other stuff goes here --> </bean> Now in my controller, I can easily do this: Clerk currentClerk = (Clerk)SecurityContextHolder.getContext().getAuthentication().getPrincipal(); Ideally, I can fill the attribute to this Clerk object as another property in some way. How to do this? Or what is recommended approach to share attributes across all apps under CAS's centralized nature?Read the article
-
How do I use WS-Security with WCF?
- by Jonathan Allen
Below is the style of header I need to create. I am expected to use either a public/private key or a SSL style certificate. I don't know for certain, but I think my counter-party is using some form of Java. <soap-env:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#secinfo"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>xxxxxxxxxxxxx</ds:DigestValue> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> <ds:XPath>//*[@id='secinfo']/child::*/text()</ds:XPath> </ds:Transform> </ds:Transforms> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>xxxxxxxxxxds:SignatureValue> <ds:KeyInfo> <ds:KeyName>xxxxxxx</ds:KeyName> </ds:KeyInfo> </ds:Signature> <t:UsernameToken xmlns:t="http://schemas.xmlsoap.org/ws/2002/04/secext" id="secinfo"> <t:UserInfo>USER=xxxx;CORR=xxxx;TIMESTAMP=201003161916</t:UserInfo> </t:UsernameToken> </wsse:Security> </soap-env:Header>Read the article
-
Flash Security Error Accessing URL with crossdomain.xml
- by user163757
Hello, I recently deployed a Flash application to a server, and am now experiencing errors when making HTTPService requests. I have put what I believe to be the most permissive crossdomain.xml possible in the wwwroot folder, and still get the errors. Interestingly enough, the error only seems to occur when the request is made from a direct user interaction (i.e. button click). The application makes other requests that are initiated by other means(i.e creationComplete) , and they seem to work as expected. Anyone see anything wrong with the crossdomain.xml, or have any other suggestions? ERROR MESSAGE [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"] at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal%3A%3AfaultHandler() at mx.rpc::Responder/fault() at mx.rpc::AsyncRequest/fault() at DirectHTTPMessageResponder/securityErrorHandler() at flash.events::EventDispatcher/dispatchEventFunction() at flash.events::EventDispatcher/dispatchEvent() at flash.net::URLLoader/redirectEvent() <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <site-control permitted-cross-domain-policies="all" /> <allow-access-from domain="*" secure="false" /> <allow-http-request-headers-from domain="*" headers="*" secure="false" /> </cross-domain-policy>Read the article
-
IE Security Warning with widgets
- by superexsl
Hey I'm creating an ASP.NET application which uses Facebook Connect and fbml tags. It also uses the LinkedIn widget. When I run this app in any browser, there are no warnings and everything works. However, in IE, a message like this comes up: Security Warning: The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this? Current site:http://www.facebook.com Trusted site:http://localhost (same for LinkedIn.com). I know how to fix this from a client perspective and to stop the security warning showing up. However, is it possible to ensure this message doesn't come up as it could be off putting for users who don't know how to suppress this warning? I haven't tried uploading it to my webhost, so not sure if this message will appear for everyone in production. However, I always get it on my local machine. (None of my pages use SSL, so I don't think that's the issue. I tried using FB's HTTPS urls but that didn't make a difference). ThanksRead the article
-
Game login authentication and security.
- by Charles
First off I will say I am completely new to security in coding. I am currently helping a friend develop a small game (in Python) which will have a login server. I don't have much knowledge regarding security, but I know many games do have issues with this. Everything from 3rd party applications (bots) to WPE packet manipulation. Considering how small this game will be and the limited user base, I doubt we will have serious issues, but would like to try our best to limit problems. I am not sure where to start or what methods I should use, or what's worth it. For example, sending data to the server such as login name and password. I was told his information should be encrypted when sending, so in-case someone was viewing it (with whatever means), that they couldn't get into the account. However, if someone is able to capture the encrypted string, wouldn't this string always work since it's decrypted server side? In other words, someone could just capture the packet, reuse it, and still gain access to the account? The main goal I am really looking for is to make sure the players are logging into the game with the client we provide, and to make sure it's 'secure' (broad, I know). I have looked around at different methods such as Public and Private Key encryption, which I am sure any hex editor could eventually find. There are many other methods that seem way over my head at the moment and leave the impression of overkill. I realize nothing is 100% secure. I am just looking for any input or reading material (links) to accomplish the main goal stated above. Would appreciate any help, thanks.Read the article
-
Restricting dynamically loaded classes and jars based on a security policy
- by Max
Hi, I would like to dynamically load a set of jars or classes (i.e. plugins loaded at runtime). At the same time, I would like to restrict what these plugins are able to do in the JVM. For a test case, I would like to restrict them to pretty much everything (right now I'm just allowing one System.getProperty value to be read). I am currently using a security policy file, but I'm having difficulty specifying a policy for one folder or package in my codeBase, but not another. Here is how my policy looks now: grant codeBase "file:/home/max/programming/java/plugin/plugins/" { permission java.util.PropertyPermission "java.version", "read"; }; grant codeBase "file:/home/max/programming/java/plugin/api/" { permission java.security.AllPermission; }; Where (for testing purposes), all files in the plugins package and folder are restricted, but the classes in the api folder are not. Is this possible? Do I have to create a custom class loader? Is there a better way to go about doing this? Thanks.Read the article
-
Calling a SLSB with Seam security from a servlet
- by wilth
Hello, I have an existing application written in SEAM that uses SEAM Security (http://docs.jboss.org/seam/2.1.1.GA/reference/en-US/html/security.html). In a stateless EJB, I might find something like this: @In Identity identity; ... if(identity.hasRole("admin")) throw new AuthException(); As far as I understand, Seam injects the Identity object from the SessionContext of the servlet that invokes the EJB (this happens "behind the scenes", since Seam doesn't really use servlets) and removes it after the call. Is this correct? Is it now possible to access this EJB from another servlet (in this case, that servlet is the server side of a GWT application)? Do I have to "inject" the correct Identity instance? If I don't do anything, Seam injects an instance, but doesn't correctly correlate the sessions and instances of Identity (so the instances of Identity are shared between sessions and sometimes calls get new instances etc.). Any help and pointers are very welcome - thanks! Technology: EJB3, Seam 2.1.2. The servlets are actually the server-side of a GWT app, although I don't think this matters much. I'm using JBoss 5.Read the article
-
Spring security and authentication provider
- by Pascal
I'm trying to implement Spring 3 Security in a project, but I can not get rid of the following error: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: No authentication providers were found in the application context This seems weird, as I did provide an authentication provider! I've added these lines to web. <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> And this is my applicationContext-security.xml: <http auto-config="false"> <intercept-url pattern="/**" access="ROLE_USER" /> <http-basic /> </http> <authentication-manager alias="authenticationManager"> <authentication-provider> <user-service> <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN"/> <user name="bob" password="bobspassword" authorities="ROLE_USER"/> </user-service> </authentication-provider> </authentication-manager> Google couldn't help me much further, nor could the official documentation.Read the article
-
ASP.NET webservice API security.
- by Tejaswi Yerukalapudi
Hi, I have an iPhone app accessing an ASP.NET Webservice for data. Since I'm building both the ASP.NET end and the iPhone part of the app, and we'll shortly be publishing it in the Appstore, I'd like to know what security checks I need to make. The basic flow of the program (without divulging too much info about it) is as follows - . Login (Enter Username, pass on the app) . Primary screen where the data is loaded from a webservice and presented . And post data back after a few updates by the user I'm using POST to send the data to the Webservice via HTTPS. I'm sanitizing the inputs, checking for length of the inputs, but that's the limit of my knowledge as far as security goes. Any other tips are greatly appreciated! Edit: I should probably add that our service needs to be subscribed to separately and the iPhone component of it cannot be used alone. So the average user will not have login credentials. And the app itself has healthcare data in it, so I'd rather not have anyone trying attacks from my login page. Thanks, Teja.Read the article
-
Setting directory security to allow user and deny all
- by Rita
I have winforms app, in which I need to access a secured directory. I'm using impersonation and create WindowsIdentity to access the folder. My problem is writing unit tests to test the directory security; I'd like to a write a code that creates a directory secured to only ONE user, which isn't the current user running the UT (or else the test would be worthless). I know how to add permissions to a certain user, but how can I deny the rest, including admins? (in case the user running the UT is an admin) (will this be a wise thing to do?) DirectoryInfo directoryInfo = new DirectoryInfo(path); DirectorySecurity directorySecurity = directoryInfo.GetAccessControl(); directorySecurity.AddAccessRule(new FileSystemAccessRule("Domain\SecuredUser", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); directorySecurity.RemoveAccessRule(new FileSystemAccessRule("??", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Deny)); directoryInfo.SetAccessControl(directorySecurity); This isn't working. I don't know who am I supposed to deny. Domain\Admins, Domain\Administrators, me... No one is being denied, and when I check folder's security - The SecuredUser has access to the folder, but the permissions are not checked, even though I specified FullControl. Basically I want to code this: <authorization> <allow users ="Domain\User" /> <deny users="*" /> </authorization> I was thinking about impersonating UT run with a weak user with no permissions, but this would result in: Impersonate - Run UT - Impersonate - Access folder, and I'm not sure if this is the right design. Help would be greatly appreciated, thank you.Read the article
-
Looking for resources to explain a security risk.
- by Dave
I've a developer which has given users the ability to download a zip archive which contains an html document which references a relative javascript file and flash document. The flash document accepts as one of it's parameters a url which is embedded in the html document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site, however the end user appears to want to view it locally. When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url. I believe this is a security risk because one is transferring from the local computer zone to an external zone. I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken, they're being protected from a known vulnerability. The developer attempted to explain how to copy the files to a local iis instance, which I highly doubt is running on the users machine, and I do not consider this to be a viable explanation.Read the article
-
Security considerations processing emails
- by Timmy O' Tool
I have process that will be reading emails from an account. The objective of the process is saving to a database those emails with image(s) as attachments. I will be saving sender, subject body and image path (the image will be saved on the process). I will be showing this information on a page so I would like to know all (or most of them :) ) security aspects to cover. I plan to sanitize the subject and body of the email. I can remove most of the tags, probably it would be enough keeping the <p> tag. I'm not sure if I can trust just in a sanitizer. I would like to HTML encode everything except for the <p> tag after sanitize, just in case. Any suggestion? I'm only accepting images as attachment as I said above, any security risk I have to take into account in relation to the attachment? Thanks!Read the article
-
How to strengthen Mysql database server Security?
- by i need help
If we were to use server1 for all files (file server), server2 for mysql database (database server). In order for websites in server1 to access to the database in server2, isn't it needed to connect to to ip address of second (mysql server) ? In this case, is remote mysql connection. However, I seen from some people comment on the security issue. remote access to MySQL is not very secure. When your remote computer first connects to your MySQL database, the password is encrypted before being transmitted over the Internet. But after that, all data is passed as unencrypted "plain text". If someone was able to view your connection data (such as a "hacker" capturing data from an unencrypted WiFi connection you're using), that person would be able to view part or all of your database. So I just wondering ways to secure it? Allow remote mysql access from server1 by allowing the static ip adress allow remote access from server 1 by setting port allowed to connect to 3306 change 3306 to other port? Any advice?Read the article
-
SQLAuthority News – SQL Server Cheat Sheet from MidnightDBA
- by pinaldave
When I read the article from MidnightDBA (I should say MidnightDBAs because it is about Jen and Sean) regarding T-SQL for the Absentminded DBA, my natural reaction was that it is a perfect extension. A year ago around the same month, I had created SQL Server Cheatsheet. I have distributed a lot of copies of it since I produced it. In fact, while attending TechMela in Nepal today, I am getting many requests to get copies of SQL Server Cheatsheet. When I checked my RSS feed, I realized that Jen and Sean have a perfect cheat sheet for intermediate level developers. I would like to suggest to all of you to read their post and download the Absentminded DBA’s Cheat Sheet for IntermediateTSQL. It is available in two formats: PDF and Docx. I just love how the members of the community help each other grow. I am fortunate that I have received excellent feedback/corrections and criticism on my blog posts for so many times. Criticism and corrections, after all, are absolutely needed and make a better community as a whole. Reference : Pinal Dave (http://blog.SQLAuthority.com) Filed under: MVP, Pinal Dave, SQL, SQL Authority, SQL Download, SQL Query, SQL Scripts, SQL Server, SQL Tips and Tricks, SQLAuthority News, T SQL, Technology Tagged: SQL Cheat SheetRead the article
