Search Results

Search found 12720 results on 509 pages for 'moss2007 security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 151/509 | < Previous Page | 147 148 149 150 151 152 153 154 155 156 157 158  | Next Page >

  • FPSE, folder permissions and SharePoint Designer

    - by David Lively
    All, A few of our internal users are editing one of our classic ASP sites (Not a SharePoint site) via Sharepoint Designer which I believe uses FrontPage Server Extensions. I would like to give a particular user author rights to a single folder - ie, /products and any items and folders it contains. Any suggestions?

    Read the article

  • Creating a secure SQL Server 2008 database environment

    - by user279521
    I am in the process of setting up a corporate SQL Server 2008 database. The data on this machine will be related to financial services. There will be low level traffic (not like your average investment broker's website). However, a secure data environment is very crucial. What would I need to know / do in order to ensure that I have a secure database?

    Read the article

  • WCF - Passing CurrentPrincipal in the Header

    - by David Ward
    I have a WCF service that needs to know the Principal of the calling user. In the constructor of the service I have: Principal = OperationContext.Current.IncomingMessageHeaders.GetHeader<MyPrincipal>("myPrincipal", "ns"); and in the calling code I have something like: using (var factory = new ChannelFactory<IMyService>(localBinding, endpoint)) { var proxy = factory.CreateChannel(); using (var scope = new OperationContextScope((IContextChannel)proxy)) { var customHeader = MessageHeader.CreateHeader("myPrincipal", "ns", Thread.CurrentPrincipal); OperationContext.Current.OutgoingMessageHeaders.Add(customHeader); newList = proxy.CreateList(); } } This all works fine. My question is, how can I avoid having to wrap all proxy method calls in the using (var scope...{ [create header and add to OperationContext]? Could I create a custom ChannelFactory that will handle adding the myPrincipal header to the operation context? Something like that would save a whole load of copy/paste which I'd rather not do but I'm not sure how to achieve it:) Thanks

    Read the article

  • Protect .net Web Service URL

    - by Nirmal
    Hello All... I have created Web Service using Asp.net 3.5. Now it's working perfectly in live windows server, and giving me perfect xml while invoking it using some url like : http://www.somedomain.com/Service.asmx?op=fetchData Now My question is when I am accessing url like : http://www.somedomain.com/Service.asmx it's listing my created web services. What if I don't wanna list down the available web services to end users. Thanks in advance...

    Read the article

  • Preventing LDAP injection

    - by Matias
    I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After woking a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code. I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc. I thought that escaping equals and semicolons would be enough, but not sure. Here is a little piece of code so I can make clearer the question: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE

    Read the article

  • Can not call web service with basic authentication using WCF

    - by RexM
    I've been given a web service written in Java that I'm not able to make any changes to. It requires the user authenticate with basic authentication to access any of the methods. The suggested way to interact with this service in .NET is by using Visual Studio 2005 with WSE 3.0 installed. This is an issue, since the project is already using Visual Studio 2008 (targeting .NET 2.0). I could do it in VS2005, however I do not want to tie the project to VS2005 or do it by creating an assembly in VS2005 and including that in the VS2008 solution (which basically ties the project to 2005 anyway for any future changes to the assembly). I think that either of these options would make things complicated for new developers by forcing them to install WSE 3.0 and keep the project from being able to use 2008 and features in .NET 3.5 in the future... ie, I truly believe using WCF is the way to go. I've been looking into using WCF for this, however I'm unsure how to get the WCF service to understand that it needs to send the authentication headers along with each request. I'm getting 401 errors when I attempt to do anything with the web service. This is what my code looks like: WebHttpBinding webBinding = new WebHttpBinding(); ChannelFactory<MyService> factory = new ChannelFactory<MyService>(webBinding, new EndpointAddress( "http://127.0.0.1:80/Service/Service/")); factory.Endpoint.Behaviors.Add(new WebHttpBehavior()); factory.Credentials.UserName.UserName = "username"; factory.Credentials.UserName.Password = "password"; MyService proxy = factory.CreateChannel(); proxy.postSubmission(_postSubmission); This will run and throw the following exception: "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm=realm'." And this has an inner exception of: "The remote server returned an error: (401) Unauthorized." Any thoughts about what might be causing this issue would be greatly appreciated.

    Read the article

  • WCF MessageHeaders in OperationContext.Current

    - by Nate Bross
    If I use code like this [just below] to add Message Headers to my OperationContext, will all future out-going messages contain that data on any new ClientProxy defined from the same "run" of my application? The objective, is to pass a parameter or two to each OpeartionContract w/out messing with the signature of the OperationContract, since the parameters being passed will be consistant for all requests for a given run of my client application. public void DoSomeStuff() { var proxy = new MyServiceClient(); Guid myToken = Guid.NewGuid(); MessageHeader<Guid> mhg = new MessageHeader<Guid>(myToken); MessageHeader untyped = mhg.GetUntypedHeader("token", "ns"); OperationContext.Current.OutgoingMessageHeaders.Add(untyped); proxy.DoOperation(...); } public void DoSomeOTHERStuff() { var proxy = new MyServiceClient(); Guid myToken = Guid.NewGuid(); MessageHeader<Guid> mhg = new MessageHeader<Guid>(myToken); MessageHeader untyped = mhg.GetUntypedHeader("token", "ns"); OperationContext.Current.OutgoingMessageHeaders.Add(untyped); proxy.DoOtherOperation(...); } In other words, is it safe to refactor the above code like this? bool isSetup = false; public void SetupMessageHeader() { if(isSetup) { return; } Guid myToken = Guid.NewGuid(); MessageHeader<Guid> mhg = new MessageHeader<Guid>(myToken); MessageHeader untyped = mhg.GetUntypedHeader("token", "ns"); OperationContext.Current.OutgoingMessageHeaders.Add(untyped); isSetup = true; } public void DoSomeStuff() { var proxy = new MyServiceClient(); SetupMessageHeader(); proxy.DoOperation(...); } public void DoSomeOTHERStuff() { var proxy = new MyServiceClient(); SetupMessageHeader(); proxy.DoOtherOperation(...); } Since I don't really understand what's happening there, I don't want to cargo cult it and just change it and let it fly if it works, I'd like to hear your thoughts on if it is OK or not.

    Read the article

  • Magic quotes in PHP

    - by VirtuosiMedia
    According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data: if (!get_magic_quotes_gpc()) { $lastname = addslashes($_POST['lastname']); } else { $lastname = $_POST['lastname']; } I have other validation checks that I will be performing, but how secure is the above strictly in terms of escaping data? I also saw that magic quotes will be deprecated in PHP 6. How will that affect the above code? I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string().

    Read the article

  • ASP.NET Membership Provider - Single Login

    - by RSolberg
    I'm considering utilizing the ASP.NET Membership Provider for a few different web apps/tools with a single login approach. REQUIREMENTS User logs in to my.domain.com and sees a list of apps/tools that they have permission to use. The user selects the tool they'd like to use and clicks the link. When the tool opens, it is able to identify that they are currently logged in and who they are to identify any unique permissions to the application. I know that each app could simply point to the same back end Membership Provider DB, however will each app require a login or will it be able to identify if the user is already logged in?

    Read the article

  • Symfony user authentication using Active Directory

    - by Radu Dragomir
    Is there a way to authenticate users in symfony apps using Active Directory? Can you please point out some documentation? edit What i need is to have a transparent login in my application. The user authenticates once at windows logon, then all applications should be accessed with the same credentials without being asked for the domain\username and password again. I tried the following in a simple php script: if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="my realm"'); header('HTTP/1.0 401 Unauthorized'); exit; } else { echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>"; echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>"; } but then i get the authentication form popped up. Is there any way to pass the header the credentials used at windows logon? Thanks, Radu.

    Read the article

  • Does each authenticated WCF client connection need a CAL?

    - by Sentax
    Just like the title says. Does each authenticated WCF client connection to a WCF server that you have developed need a windows CAL? http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx Microsoft's licensing on that page sure makes it sound like it, but I can't find anything out there that confirms, or even denies this. Anyone know?

    Read the article

  • Get a list of members of a WinNT group (C#)

    - by Keith Moore
    There are a couple of questions similar to this on stack overflow but not quite the same. I want to open, or create, a local group on a win xp computer and add members to it, domain, local and well known accounts. I also want to check whether a user is already a member so that I don't add the same account twice, and presumably get an exception. So far I started using the DirectoryEntry object with the WinNT:// provider. This is going ok but I'm stuck on how to get a list of members of a group? Anyone know how to do this? Or provide a better solution than using DirectoryEntry?

    Read the article

  • Encrypted AES key too large to Decrypt with RSA (Java)

    - by Petey B
    Hello, I am trying to make a program that Encrypts data using AES, then encrypts the AES key with RSA, and then decrypt. However, once i encrypt the AES key it comes out to 128 bytes. RSA will only allow me to decrypt 117 bytes or less, so when i go to decrypt the AES key it throws an error. Relavent code: KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024); KeyPair kpa = kpg.genKeyPair(); pubKey = kpa.getPublic(); privKey = kpa.getPrivate(); updateText("Private Key: " +privKey +"\n\nPublic Key: " +pubKey); updateText("Encrypting " +infile); //Genereate aes key KeyGenerator kgen = KeyGenerator.getInstance("AES"); kgen.init(128); // 192/256 SecretKey aeskey = kgen.generateKey(); byte[] raw = aeskey.getEncoded(); SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES"); updateText("Encrypting data with AES"); //encrypt data with AES key Cipher aesCipher = Cipher.getInstance("AES"); aesCipher.init(Cipher.ENCRYPT_MODE, skeySpec); SealedObject aesEncryptedData = new SealedObject(infile, aesCipher); updateText("Encrypting AES key with RSA"); //encrypt AES key with RSA Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.ENCRYPT_MODE, pubKey); byte[] encryptedAesKey = cipher.doFinal(raw); updateText("Decrypting AES key with RSA. Encrypted AES key length: " +encryptedAesKey.length); //decrypt AES key with RSA Cipher decipher = Cipher.getInstance("RSA"); decipher.init(Cipher.DECRYPT_MODE, privKey); byte[] decryptedRaw = cipher.doFinal(encryptedAesKey); //error thrown here because encryptedAesKey is 128 bytes SecretKeySpec decryptedSecKey = new SecretKeySpec(decryptedRaw, "AES"); updateText("Decrypting data with AES"); //decrypt data with AES key Cipher decipherAES = Cipher.getInstance("AES"); decipherAES.init(Cipher.DECRYPT_MODE, decryptedSecKey); String decryptedText = (String) aesEncryptedData.getObject(decipherAES); updateText("Decrypted Text: " +decryptedText); Any idea on how to get around this?

    Read the article

  • Prevent SQL injection from form-generated SQL - NO PreparedStmts

    - by Markos Fragkakis
    Hi all, I have a search table where user will be able to filter results with a filter of the type: Field [Name], Value [John], Remove Rule Field [Surname], Value [Blake], Remove Rule Field [Has Children], Value [Yes], Remove Rule Add Rule So the user will be able to set an arbitrary set of filters, which will result essentially in a completely dynamic WHERE clause. In the future I will also have to implement more complicated logical expressions, like Where (name=John OR name=Nick) AND (surname=Blake OR surname=Bourne), Of all 10 fields the user may or may not filter by, I don't know how many and which filters the user will set. So, I cannot use a prepared statement (which assumes that at least we know the fields in the WHERE clause). This is why prepared statements are unfortunately out of the question, I have to do it with plain old, generated SQL. What measures can I take to protect the application from SQL Injection (REGEX-wise or any other way)?

    Read the article

  • "Authorize" attribute and 403 error page

    - by zerkms
    [Authorize] property is nice and handy MS invention, and I hope it can solve the issues I have now To be more specific: When current client isn't authenticated - [Authorize] redirects from secured action to logon page and after logon was successfull - brings user back, this is good. But when current cilent already authenticated but not authorized to run specific action - all I need is to just display my general 403 page. Is it possible without moving authorization logic within controller's body? UPD: The behavior I need in should be semantically equals to this sketch: public ActionResult DoWork() { if (!NotAuthorized()) { return RedirectToAction("403"); } return View(); } so - there should no any redirect and url should be stay the same, but contents of the page should be replaced with 403-page

    Read the article

  • Pattern for verifying authenticity of a request to WCF service

    - by fung
    I have a client app that makes calls to a WCF service. This app is on a public computer that's easily accessible and anyone can easily copy the .EXE and .CONFIG of my app into another machine and start using it. Is there a pattern where I can check if the request is coming only from an app on a computer I installed it on and not on one it has been copied to? Thanks in advance.

    Read the article

  • Javascript Injection and Sql Script injection

    - by Pranali Desai
    Hi All, I am writing an application and for this to make it safe I have decided to HtmlEncode and HtmlDecode the data to avoid Javascript Injection and Paramaterised queries to avoid Sql Script injection. But I want to know whether these are the best ways to avoid these attacks and what are the other ways to damage the application that I should take into consideration.

    Read the article

  • Silverlight 4 - elevated permission *inside* the browser

    - by Doug
    I know Silverlight 4 can handle elevated permissions outside the browser. Is there a way to accomplish this inside the browser? I need to make a folder/file upload manager that gives a better user experience than the standard , and I'd like to implement it in Silverlight. I know Java has an option to gain elevated permissions, but you have to attach a signed certificate to your app. Does Silverlight 4 have a similar option - to gain elevated permissions by attaching a signed certificate (after warning the user, of course)? -Doug

    Read the article

  • MembershipProvider, IPrincipal, IIdentity?

    - by MRFerocius
    Hello guys; I have a conceptual question... I am making an Intranet application (Web platform) for a company. I have a SQL Server DB with these tables: Users (userID, userName, userPass, roleID) Roles (roleID, roleName) Pages (pageID, pageURL) RolesXPages(pageID, roleID) How is the best way to create a structure to store all this information while the user navigates the site, I mean, on the thread I should be able to check his role, his pages (the ones he can access) I have been reading and there is a lot of stuff there where Im confused, I saw the MembershipProvider, IPrincipal, IIdentity, etc classes but Im not sure what should be the best one for me. Any thoughts... Thanks in advance! Edit: Everytime gets more confusing... I just want to handle those structures at runtime and be able to mantain state during page callbacks or changing pages...

    Read the article

  • Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?

    - by jmcd
    We've just had some Penetration Testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use. According to the OWASP recommendations around the Synchronizer Token Pattern: "In general, developers need only generate this token once for the current session." Which is how I think the ASP.NET MVC AntiForgeryToken works. In case we have to fight the battle, is it possible to cause the AntiForgeryToken to regenerate a new value after each validation?

    Read the article

  • How to implement SAML SSO

    - by A_M
    How is SAML SSO typically implemented? I've read this about using SAML with Google Apps, and the wikipedia entry on SAML. The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign on? The google entry talks about using redirects, which seems more seemless to me. However, it also talks about using a form for the response which the user must submit (although it does talk about using JavaScript to automatically submit the form). Is this the standard way of doing this? Using redirects and JavaScript for form submission? Does anyone know of any other good resources about how to go about implementing SSO between a Windows Domain and a J2EE web application. The web application is on a separate network/domain. My client wants to use CA Siteminder (with SAML).

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 147 148 149 150 151 152 153 154 155 156 157 158  | Next Page >