Search Results

Search found 20283 results on 812 pages for 'security context'.

Page 121/812 | < Previous Page | 117 118 119 120 121 122 123 124 125 126 127 128  | Next Page >

• How can I tell if a host is bridged and acting as a router

  - by makerofthings7

  I would like to scan my DMZ for hosts that are bridged between subnets and have routing enabled. Since I have everything from VMWare servers, to load balancers on the DMZ I'm unsure if every host is configured correctly. What IP, ICMP, or SNMP (etc) tricks can I use to poll the hosts and determine if the host is acting as a router? I'm assuming this test would presume I know the target IP, but in a large network with many subnets, I'd have to test many different combinations of networks and see if I get success. Here is one example (ping): For each IP in the DMZ, arp for the host MAC Send a ICMP reply message to that host directed at an online host on each subnet I think that there is a more optimal way to get the information, namely from within ICMP/IP itself, but I'm not sure what low level bits to look for. I would also be interested if it's possible to determine the "router" status without knowing the subnets that the host may be connected to. This would be useful to know when improving our security posture.

  Read the article

• Personally identifiable information (PII) on shared web hosting

  - by S. Cobbs

  Hey folks, I am providing web hosting services (shared and dedicated) and have had one of my shared hosting clients mention needing an SSL cert for their site where they are collecting insurance quotes in a form, including names and social security numbers. My privacy sense is tingling, and I'm pretty sure it's not legal (in the US) to do this on a shared system, but can't find anything to support my thoughts outside of PCI-DSS, but the customer isn't processing payments through the site so I'm not sure if that applies. I'm reading lots of policy documents where people advise to minimize and manage the PII footprint internally, but as the host I don't want to put all of my customer's clients at possible risk. I'm not looking here for legal advice necessarily, but perhaps someone in a similar position to mine can provide some rule of thumb or point me in the right direction.

  Read the article

• Switch to switch encryption over a wireless bridge (TrustSec?)

  - by metatheorem

  I am planning to connect an existing Cisco 3750 switch to a 3560C switch over a wireless PTP bridge. The bridge will be WPA2 protected, but I am looking for an additional measure of security between the switches to prevent other wireless access through either switch. They do not support IPSec, only 802.1Q tunnels, and buying additional hardware is not likely an option. I am looking into using TrustSec manual mode between the switches. After some effort reading into TrustSec and MACsec, I am mostly certain this is a good choice over the wireless bridge, keeping in mind it is a shared medium. Two questions: Can I reliably prevent other wireless traffic from accessing the switches using TrustSec? Does anyone know of any better options with the 3000 series switches?

  Read the article

• openVAS - Microsoft RDP Server Private Key Information Disclosure Vulnerability - false Alarm?

  - by huebkov

  I performed a openVAS scan on a Windows Server 2008 R2 and got a report for a high threat level vulnerability called Microsoft RDP Server Private Key Information Disclosure Vulnerability. An remote attacker could perform a man-in-the-middle attack to gain access to a RDP session. Affected Software is Microsoft RDP 5.2 and below. My server uses RDP 7.1, is this alarm a false alarm? Security Advisor Pages say: Solution Status Unpatched, No remedy... References http://secunia.com/advisories/15605/ http://xforce.iss.net/xforce/xfdb/21954/ http://www.oxid.it/downloads/rdp-gbu.pdf CVE: CVE-2005-1794 BID:13818

  Read the article

• Which modules can be disabled in apache2.4 on windows

  - by j0h

  I have an Apache 2.4 webserver running on Windows. I am looking into system hardening and the config file httpd.conf. There are numerous load modules and I am wondering which modules I can safely disable for performance and / or security improvements. Some examples of things I would think I can disable are: LoadModule cgi_module others like LoadModule rewrite_module LoadModule version_module LoadModule proxy_module LoadModule setenvif_module I am not so sure they can be disabled. I am running php5 as a scripting engine, with no databases, and that is it. My loaded modules are: core mod_win32 mpm_winnt http_core mod_so mod_access_compat mod_actions mod_alias mod_allowmethods mod_asis mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_groupfile mod_authz_host mod_authz_user mod_autoindex mod_dav_lock mod_dir mod_env mod_headers mod_include mod_info mod_isapi mod_log_config mod_cache_disk mod_mime mod_negotiation mod_proxy mod_proxy_ajp mod_rewrite mod_setenvif mod_socache_shmcb mod_ssl mod_status mod_version mod_php5

  Read the article

• How to secure a new server OS installation

  - by Pat R Ellery

  I bought (and just received) a new 1u dell poweredge 860 (got it on ebay for $35). I finished installing Ubuntu Server (Ubuntu Server 12.04.3 LTS), install apache/mariadb/memcache/php5 works great but I am scared about security. so far I am the only one using the server but eventually more people (friends, friends of friends) will use this server, use ssh etc... I want to know what can I do to secure all the information and not get hacked, both from the web or ssh or ddos and any other attack possible. Does Ubuntu Server does it for you right away? or I have to fix it my self? Thank you EDIT: I installed (so far): All dev tools ssh server LAMP I didn't install: Graphical interface

  Read the article

• How to secure a VM while allowing customer RDS (or equivalent) access to its desktop

  - by ChrisA

  We have a Windows Client/(SQL-)Server application which is normally installed at the customer's premises. We now need to provide a hosted solution, and browser-based isn't feasible in the short term. We're considering hosting the database ourselves, and also hosting the client in a VM. We can set all this up easily enough, so we need to: ensure that the customer can connect easily, and also ensure that we suitably restrict access to the VM (and its host, of course) We already access the host and guest machines across the internet via RDS, but we restrict access to it to only our own internal, very small, set of static IPs, and of course theres the 2 (or 3?)-user limit on RDS connections to a remote server. So I'd greatly appreciate ideas on how to manage: the security the multi-user aspect. We're hoping to be able to do this initially without a large investment in virtualisation infrastructure - it would be one customer only to start with, with perhaps two remote users. Thanks!

  Read the article

• Is disabling password login for SSH the same as deleting the password for all users?

  - by Arsham Skrenes

  I have a cloud server with only a root user. I SSH to it using RSA keys only. To make it more secure, I wanted to disable the password feature. I know that this can be done by editing the /etc/ssh/sshd_config file and changing PermitRootLogin yes to PermitRootLogin without-password. I was wondering if simply deleting the root password via passwd -d root would be the equivalent (assuming I do not create more users or new users have their passwords deleted too). Are there any security issues with one approach verses the other?

  Read the article

• Does Windows 8 include the Windows Help program (WinHlp32.exe)?

  - by amiregelz

  In 2011, Symantec reported on the use of the Windows Help File (.hlp) extension as an attack vector in targeted attacks. The functionality of the help file permits a call to the Windows API which, in turn, permits shell code execution and the installation of malicious payload files. This functionality is not an exploit, but there by design. Here's the malicious WinHelp files (Bloodhound.HLP.1 & Bloodhound.HLP.2) detection heat map: I would like to know if the Windows Help program exists on my Windows 8 machine by default, because if it does I might need to remove it for security reasons. Does Windows 8 include the Windows Help program (WinHlp32.exe)?

  Read the article

• What does the red x icon mean next to a user in folder permissions (Windows 7)

  - by Scott Szretter

  In trying to debug various strange issues on a machine, I found something strange - when I go to C:\Users\administrator and get properties, security tab, it lists the users (the local admin account, system, and 'administrator' which is the domain administrator account). It all looks fine in terms of permissions (full control, etc.) compared to other machines. The one difference is there is a small red circle with an X to the left of the user icon/name. Additionally, there are various folders where it says access denied under there - for example, my documents! Even logged in as the local machine administrator account (which is not named administrator), I am unable to change the permissions - it says access denied. Any ideas what this means and how to fix it? I even tried re-joining the machine to the domain.

  Read the article

• Access logs show someone "GET"ing a random ip, why does this return 200?

  - by Wilduck

  I have a small linux box set up with Apache as a way to teach myself Apache. I've set up port forwarding on my router so it's accessible from the outside world, and I've gotten a few strange requests for pages that don't exist from an ip address in China. Looking at my access_log shows that most of these return 404 errors, which I'm guessing is a good thing. However, there is one request that looks like this: 58.218.204.110 - - [25/Dec/2010:19:05:25 -600] "GET http://173.201.161.57/ HTTP/1.1" 200 3895 I'm curious what this request means... That ip address is unconnected to my server as far as I know, and visiting it simply tells me information about my uid. So, my questions are: How is it that this request is showing up in my access_log, why is it returning 200, and is this a bad thing (do I need to set up more security)?

  Read the article

• Active Directoy GPO

  - by Phillip R.

  I am looking into some weird issues with active directory and group policy. This domain has been upgraded from windows NT and has a few different administrators over the years. I am looking through the Default Domain group policy and Default Domain Controller group policy. In the security areas and I will use the log on locally area as an example, it shows SIDes that begin with asterisks and are quite long they look sort of like the following *S-1-5-21-787626... Normally, when I see something like this I would think that the User account was no longer there and this was never cleaned up. Am I wrong in my assumption? Thanks in advance

  Read the article

• mod_security: How to allow ssh/http access for admin?

  - by mattesque

  I am going to be installing mod_security on my AWS EC2 Linux instance tonight and need a little help/reassurance. The only thing I am truly worried about right now is making sure my (admin) access to the instance and webserver is maintained w/o compromising security. I use ssh (port 22) and http (80) to access this and I've read horror stories from other EC2 users claiming they were locked out of their sites once they put up a firewall. So my question boils down to: What settings should I put in the mod_security conf file to make sure I can get in on those ports? IP at home is not static. (Hence the issue) Thanks so, so, so much.

  Read the article

• How can I disallow a user's scripts from accessing anything above their user folder?

  - by Jaxo

  This is probably an extremely simple question to answer for anybody who knows what they're doing, but I can't find any answers myself. I'm trying to set up a subdirectory for my good friend to test his PHP scripts on my (Apache) hosting plan. I don't want to let him access anything else on my server, however, for obvious reasons. His FTP login already leads him to the proper directory, which does not allow navigating any higher than it's root (mydomain.com/friend/). I would like the same behavior to be applied to any scripts, so he cannot simply <?php print_r(glob("../*")); ?> and view all my files. I'm thinking this can be done with an .htaccess file setting the DocumentRoot somewhere, but I can't have the file available for modification inside the user directory. Is this possible without majorly rewiring the web server? I've tried Googling all sorts of things to describe my problem, but without the proper terminology, all I get is "shared hosting" websites and people trying to sell me security packages.

  Read the article

• ssh (openSSH) questions

  - by Camran

  I have ubuntu 9.10 server. Firstly, is OpenSSH the same as SSHD? Secondly, In the terminal when typing whereis sshd i get this: whereis sshd /usr/sbin/sshd Also when typing whereis openssh i get this: whereis openssh /usr/lib/openssh How do I know if I have openssh? Also, some tutorials online suggest opening sshd_config, so when typing this: whereis sshd_config /usr/share/man/man5/sshd_config.5.gz // I get this... What should I do, because as you have answered my other Q about security, you have pointed out that it is the way you configure your ssh and etc which is important. Is there any guide for this? How should I configure this? I will be the only user for this server btw... If you need more input let me know and I will update this Q. Thanks

  Read the article

• ssh (openSSH) questions

  - by Camran

  I have ubuntu 9.10 server. Firstly, is OpenSSH the same as SSHD? Secondly, In the terminal when typing whereis sshd i get this: whereis sshd /usr/sbin/sshd Also when typing whereis openssh i get this: whereis openssh /usr/lib/openssh How do I know if I have openssh? Also, some tutorials online suggest opening sshd_config, so when typing this: whereis sshd_config /usr/share/man/man5/sshd_config.5.gz // I get this... What should I do, because as you have answered my other Q about security, you have pointed out that it is the way you configure your ssh and etc which is important. Is there any guide for this? How should I configure this? I will be the only user for this server btw... If you need more input let me know and I will update this Q. Thanks

  Read the article

• Service with intents not working. Help needed

  - by tristan202

  I need help in making my click intents work. I used to have them in my appwidgetprovider, but decided to move them into a service, but I am having trouble getting it to work. Below is the entire code from my intentservice: public class IntentService extends Service { static final String ACTION_UPDATE = "android.tristan.widget.digiclock.action.UPDATE_2"; private final static IntentFilter sIntentFilter; public int layoutID = R.layout.clock; int appWidgetIds = 0; static { sIntentFilter = new IntentFilter(); } @Override public IBinder onBind(Intent intent) { return null; } @Override public void onStart(Intent intent, int startId) { super.onStart(intent, startId); } @Override public void onCreate() { super.onCreate(); registerReceiver(onClickTop, sIntentFilter); registerReceiver(onClickBottom, sIntentFilter); Log.d("DigiClock IntentService", "IntentService Started."); } @Override public void onDestroy() { super.onDestroy(); unregisterReceiver(onClickTop); unregisterReceiver(onClickBottom); } private final BroadcastReceiver onClickTop = new BroadcastReceiver() { @Override public void onReceive(Context context, Intent intent) { if(intent.getAction().equals("android.tristan.widget.digiclock.CLICK")) { PackageManager packageManager = context.getPackageManager(); Intent alarmClockIntent = new Intent(Intent.ACTION_MAIN).addCategory(Intent.CATEGORY_LAUNCHER); String clockImpls[][] = { {"HTC Alarm Clock", "com.htc.android.worldclock", "com.htc.android.worldclock.WorldClockTabControl" }, {"Standar Alarm Clock", "com.android.deskclock", "com.android.deskclock.AlarmClock"}, {"Froyo Nexus Alarm Clock", "com.google.android.deskclock", "com.android.deskclock.DeskClock"}, {"Moto Blur Alarm Clock", "com.motorola.blur.alarmclock", "com.motorola.blur.alarmclock.AlarmClock"} }; boolean foundClockImpl = false; for(int i=0; i<clockImpls.length; i++) { String vendor = clockImpls[i][0]; String packageName = clockImpls[i][1]; String className = clockImpls[i][2]; try { ComponentName cn = new ComponentName(packageName, className); ActivityInfo aInfo = packageManager.getActivityInfo(cn, PackageManager.GET_META_DATA); alarmClockIntent.setComponent(cn); foundClockImpl = true; } catch (NameNotFoundException e) { Log.d("Error, ", vendor + " does not exist"); } } if (foundClockImpl) { Vibrator vibrator = (Vibrator) context.getSystemService(Context.VIBRATOR_SERVICE); vibrator.vibrate(50); final RemoteViews views = new RemoteViews(context.getPackageName(), layoutID); views.setOnClickPendingIntent(R.id.TopRow, PendingIntent.getActivity(context, 0, new Intent(context, DigiClock.class).setFlags(Intent.FLAG_ACTIVITY_NEW_TASK), PendingIntent.FLAG_UPDATE_CURRENT)); AppWidgetManager.getInstance(context).updateAppWidget(intent.getIntArrayExtra(AppWidgetManager.EXTRA_APPWIDGET_IDS), views); alarmClockIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); context.startActivity(alarmClockIntent); } } } }; private final BroadcastReceiver onClickBottom = new BroadcastReceiver() { @Override public void onReceive(Context context, Intent intent) { if(intent.getAction().equals("android.tristan.widget.digiclock.CLICK_2")) { PackageManager calendarManager = context.getPackageManager(); Intent calendarIntent = new Intent(Intent.ACTION_MAIN).addCategory(Intent.CATEGORY_LAUNCHER); String calendarImpls[][] = { {"HTC Calendar", "com.htc.calendar", "com.htc.calendar.LaunchActivity" }, {"Standard Calendar", "com.android.calendar", "com.android.calendar.LaunchActivity"}, {"Moto Blur Calendar", "com.motorola.blur.calendar", "com.motorola.blur.calendar.LaunchActivity"} }; boolean foundCalendarImpl = false; for(int i=0; i<calendarImpls.length; i++) { String vendor = calendarImpls[i][0]; String packageName = calendarImpls[i][1]; String className = calendarImpls[i][2]; try { ComponentName cn = new ComponentName(packageName, className); ActivityInfo aInfo = calendarManager.getActivityInfo(cn, PackageManager.GET_META_DATA); calendarIntent.setComponent(cn); foundCalendarImpl = true; } catch (NameNotFoundException e) { Log.d("Error, ", vendor + " does not exist"); } } if (foundCalendarImpl) { Vibrator vibrator = (Vibrator) context.getSystemService(Context.VIBRATOR_SERVICE); vibrator.vibrate(50); final RemoteViews views2 = new RemoteViews(context.getPackageName(), layoutID); views2.setOnClickPendingIntent(R.id.BottomRow, PendingIntent.getActivity(context, 0, new Intent(context, DigiClock.class).setFlags(Intent.FLAG_ACTIVITY_NEW_TASK), PendingIntent.FLAG_UPDATE_CURRENT)); AppWidgetManager.getInstance(context).updateAppWidget(intent.getIntArrayExtra(AppWidgetManager.EXTRA_APPWIDGET_IDS), views2); calendarIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); context.startActivity(calendarIntent); } } }; }; ;}; What am I doing wrong here?

  Read the article

• cookieless sessions with ajax

  - by thezver

  ok, i know you get sick from this subject. me too :( I've been developing a quite "big application" with PHP & kohana framework past 2 years, somewhat-successfully using my framework's authentication mechanism. but within this time, and as the app grown, many concerning state-preservation issues arisen. main problems are that cookie-driven sessions: can't be used for web-service access ( at least it's really not nice to do so.. ) in many cases problematic with mobile access don't allow multiple simultaneous apps on same browser ( can be resolved by hard trickery, but still.. ) requires many configurations and mess to work 100% right, and that's without the --browser issues ( disabled cookies, old browsers bugs & vulnerabilities etc ) many other session flaws stated in this old thread : http://lists.nyphp.org/pipermail/talk/2006-December/020358.html After a really long research, and without any good library/on-hand-solution to feet my needs, i came up with a custom solution to majority of those problems . Basically, i'ts about emulating sessions with ajax calls, with additional security/performance measures: state preserved by interchanging SID(+hash) with client on ajax calls. state data saved in memcache(or equivalent), indexed by SID security achieved by: appending unpredictible hash to SID egenerating hash on each request & validating it validating fingerprint of client on each request ( referrer,os,browser etc) (*)condition: ajax calls are not simultaneous, to prevent race-condition with session token. (hopefully Ext-Direct solves that for me) From the first glance that supposed to be not-less-secure than equivalent cookie-driven implementation, and at the same time it's simple, maintainable, and resolves all the cookies flaws.. But i'm really concerned because i often hear the rule "don't try to implement custom security solutions". I will really appreciate any serious feedback about my method, and any alternatives. also, any tip about how to preserve state on page-refresh without cookies would be great :) but thats small technical prob. Sorry if i overlooked some similar post.. there are billions of them about sessions . Big thanks in advance ( and for reading until here ! ).

  Read the article

• How to write an iphone application to control a device that exposes a telnet api

  - by MAC

  Hi! I have to write an iphone application that controls a device. This device exposes a telnet based interface. The application should ideally have user access control and customizability for each user. I was thinking of writing C++ classes that would communicate with the device using sockets. This functionality can then be exposed through web-services that can be called by the iphone application. However as i looked into it deeper, the api allows you to register for events using telnet and then you can receive notification when those events occur. That kinda put a spanner in the works for me. I for one dont know a "push" scenario can work with webservices. First off i have never programmed for the iphone so far. So i am not really sure what can be done. So i was thinking if instead of having a webserver to go through, why not have the application independently running on the iphone, directly communicating with the device using sockets. The question though is, is that possible and second i am thinking it would raise a security aspect. First we could control security as everything was going through our central server. Is there a way to handle security (in the sense who has access to the device) without having a central server. I am sorry that this seems like an unorganized post, but iam trying to brainstorm here. Looking forward to hear your opinions.

  Read the article

• What is the WCF equivalent?

  - by klausbyskov

  I am trying to port some code that is based on WSE3.0 to WCF. Basically, the old code has the following configuration: <microsoft.web.services3> <diagnostics> <trace enabled="true" input="InputTrace.webinfo" output="OutputTrace.webinfo" /> </diagnostics> <tokenIssuer> <statefulSecurityContextToken enabled="false" /> </tokenIssuer> </microsoft.web.services3> When calling the same service through my "Service Reference" I get this error: Request does not contain required Security header My binding looks like this: <basicHttpBinding> <binding name="LegalUnitGetBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="Transport"> </security> </binding> </basicHttpBinding> From what I have understood, the service I'm calling only requires an SSL connection, since it receives a username and password as part of a request parameter. Any help or suggestions would be greatly appreciated.

  Read the article

• Header Setup in SOAP with ASP.NET 3.5 WCF

  - by Adam

  I'm pretty new to SOAP so go easy on me. I'm trying to setup a SOAP service that accepts the following header format: <soap:Header> <wsse:Security> <wsse:UsernameToken wsu:Id='SecurityToken-securityToken'> <wsse:Username>Username</wsse:Username> <wsse:Password>Password</wsse:Password> <wsu:Created>Timestamp</wsu:Created> </wsse:UsernameToken> </wsse:Security> </soap:Header> The application I'm incorporating this service into is an ASP.NET 3.5 web application and I've already setup a SOAP endpoint using WCF. I've setup a basic service to make sure the WCF works and it works fine (disregarding the header). I heard that the above format follows WS-Security so I added WSHttpBinding in the web.config: <service name="Nexternal.Service.XMLTools.VNService" behaviorConfiguration="VNServiceBehavior"> <!--The first endpoint would be picked up from the confirg this shows how the config can be overriden with the service host--> <endpoint address="" binding="wsHttpBinding" contract="Nexternal.Service.XMLTools.IVNService"/> </service> I downloaded a test harness (soapUI) and pasted in a test message with the above header and it came back with a 400 Bad Request error. ...for what it's worth, I'm running Visual Studio 2008 using IIS7. I feel like I'm going in circles so any help would be awesome. Thanks in advance.

  Read the article

• Unable to initialize provider. Missing or incorrect schema. for MySql.Web connector

  - by Jreeter

  Hey guys and gals running into a little issue here.. I'm trying to use MySql Connector 6.2.2.0 for membership and role providers.. The issue I'm having is: Unable to initialize provider. Missing or incorrect schema. <authentication mode="Forms"/> <roleManager defaultProvider="MySqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" > <providers> <clear /> <add name="MySqlRoleProvider" type="MySql.Web.Security.MySQLRoleProvider, MySql.Web, Version=6.2.2.0,Culture=neutral, PublicKeyToken=c5687fc88969c44d" connectionStringName="mySQL" applicationName="capcafe" writeExceptionsToEventLog="true" /> </providers> </roleManager> <membership defaultProvider="MySqlMembershipProvider"> <providers> <add connectionStringName="mySQL" applicationName="capcafe" minRequiredPasswordLength="5" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" minRequiredNonalphanumericCharacters="0" name="MySqlMembershipProvider" type="MySql.Web.Security.MySQLMembershipProvider, MySql.Web, Version=6.2.2.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" /> </providers> </membership> Here is the line it doesn't seem to like: Line 57: type="MySql.Web.Security.MySQLRoleProvider, MySql.Web, Version=6.2.2.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" I have both MySql.Web and MySql.Data referenced and in my bin! Any help resolving this issue will be very much appreciated

  Read the article

• How do I authenticate regarding EJB3 Container ?

  - by FMR

  I have my business classes protected by EJB3 security annotations, now I would like to call these methods from a Spring controller, how do I do it? edit I will add some information about my setup, I'm using Tomcat for the webcontainer and OpenEJB for embedding EJB into tomcat. I did not settle on any version of spring so it's more or less open to suggestions. edit current setup works this way : I have a login form + controller that puts a User pojo inside SessionContext. Each time someone access a secured part of the site, the application checks for the User pojo, if it's there check roles and then show the page, if it's not show a appropriate message or redirect to login page. Now the bussiness calls are made thanks to a call method inside User which bypass a probable security context which is a remix of this code found in openejb security examples : Caller managerBean = (Caller) context.lookup("ManagerBeanLocal"); managerBean.call(new Callable() { public Object call() throws Exception { Movies movies = (Movies) context.lookup("MoviesLocal"); movies.addMovie(new Movie("Quentin Tarantino", "Reservoir Dogs", 1992)); movies.addMovie(new Movie("Joel Coen", "Fargo", 1996)); movies.addMovie(new Movie("Joel Coen", "The Big Lebowski", 1998)); List<Movie> list = movies.getMovies(); assertEquals("List.size()", 3, list.size()); for (Movie movie : list) { movies.deleteMovie(movie); } assertEquals("Movies.getMovies()", 0, movies.getMovies().size()); return null; } });

  Read the article

• What is the optimum way to secure a company wide wiki?

  - by Mark Robinson

  We have a wiki which is used by over half our company. Generally it has been very positively received. However, there is a concern over security - not letting confidential information fall into the wrong hands (i.e. competitors). The default answer is to create a complicated security matrix defining who can read what document (wiki page) based on who created it. Personally I think this mainly solves the wrong problem because it creates barriers within the company instead of a barrier to the external world. But some are concerned that people at a customer site might share information with a customer which then goes to the competitor. The administration of such a matrix is a nightmare because (1) the matrix is based on department and not projects (this is a matrix organisation), and (2) because in a wiki all pages are by definition dynamic so what is confidential today might not be confidential tomorrow (but the history is always readable!). Apart from the security matrix, we've considered restricting content on the wiki to non super secret stuff, but off course that needs to be monitored. Another solution (the current) is to monitor views and report anything suspicious (e.g. one person at a customer site having 2000 views in two days was reported). Again - this is not ideal because this does not directly imply a wrong motive. Does anyone have a better solution? How can a company wide wiki be made secure and yet keep its low threshold USP? BTW we use MediaWiki with Lockdown to exclude some administrative staff.

  Read the article

• Read file:// URLs in IE XMLHttpRequest

  - by Dan Fabulich

  I'm developing a JavaScript application that's meant to be run either from a web server (over http) or from the file system (on a file:// URL). As part of this code, I need to use XMLHttpRequest to load files in the same directory as the page and in subdirectories of the page. This code works fine ("PASS") when executed on a web server, but doesn't work ("FAIL") in Internet Explorer 8 when run off the file system: <html><head> <script> window.onload = function() { var xhr = new XMLHttpRequest(); xhr.open("GET", window.location.href, false); xhr.send(null); if (/TestString/.test(xhr.responseText)) { document.body.innerHTML="<p>PASS</p>"; } } </script> <body><p>FAIL</p></body> Of course, at first it fails because no scripts can run at all on the file system; the user is prompted a yellow bar, warning that "To help protect your security, Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer." But even once I click on the bar and "Allow Blocked Content" the page still fails; I get an "Access is Denied" error on the xhr.open call. This puzzles me, because MSDN says that "For development purposes, the file:// protocol is allowed from the Local Machine zone." This local file should be part of the Local Machine Zone, right? How can I get code like this to work? I'm fine with prompting the user with security warnings; I'm not OK with forcing them to turn off security in the control panel. EDIT: I am not, in fact, loading an XML document in my case; I'm loading a plain text file (.txt).

  Read the article

< Previous Page | 117 118 119 120 121 122 123 124 125 126 127 128  | Next Page >