Search Results

Search found 13853 results on 555 pages for 'soa security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 173/555 | < Previous Page | 169 170 171 172 173 174 175 176 177 178 179 180  | Next Page >

  • "Authorize" attribute and 403 error page

    - by zerkms
    [Authorize] property is nice and handy MS invention, and I hope it can solve the issues I have now To be more specific: When current client isn't authenticated - [Authorize] redirects from secured action to logon page and after logon was successfull - brings user back, this is good. But when current cilent already authenticated but not authorized to run specific action - all I need is to just display my general 403 page. Is it possible without moving authorization logic within controller's body? UPD: The behavior I need in should be semantically equals to this sketch: public ActionResult DoWork() { if (!NotAuthorized()) { return RedirectToAction("403"); } return View(); } so - there should no any redirect and url should be stay the same, but contents of the page should be replaced with 403-page

    Read the article

  • Javascript Injection and Sql Script injection

    - by Pranali Desai
    Hi All, I am writing an application and for this to make it safe I have decided to HtmlEncode and HtmlDecode the data to avoid Javascript Injection and Paramaterised queries to avoid Sql Script injection. But I want to know whether these are the best ways to avoid these attacks and what are the other ways to damage the application that I should take into consideration.

    Read the article

  • Silverlight 4 - elevated permission *inside* the browser

    - by Doug
    I know Silverlight 4 can handle elevated permissions outside the browser. Is there a way to accomplish this inside the browser? I need to make a folder/file upload manager that gives a better user experience than the standard , and I'd like to implement it in Silverlight. I know Java has an option to gain elevated permissions, but you have to attach a signed certificate to your app. Does Silverlight 4 have a similar option - to gain elevated permissions by attaching a signed certificate (after warning the user, of course)? -Doug

    Read the article

  • Pattern for verifying authenticity of a request to WCF service

    - by fung
    I have a client app that makes calls to a WCF service. This app is on a public computer that's easily accessible and anyone can easily copy the .EXE and .CONFIG of my app into another machine and start using it. Is there a pattern where I can check if the request is coming only from an app on a computer I installed it on and not on one it has been copied to? Thanks in advance.

    Read the article

  • MembershipProvider, IPrincipal, IIdentity?

    - by MRFerocius
    Hello guys; I have a conceptual question... I am making an Intranet application (Web platform) for a company. I have a SQL Server DB with these tables: Users (userID, userName, userPass, roleID) Roles (roleID, roleName) Pages (pageID, pageURL) RolesXPages(pageID, roleID) How is the best way to create a structure to store all this information while the user navigates the site, I mean, on the thread I should be able to check his role, his pages (the ones he can access) I have been reading and there is a lot of stuff there where Im confused, I saw the MembershipProvider, IPrincipal, IIdentity, etc classes but Im not sure what should be the best one for me. Any thoughts... Thanks in advance! Edit: Everytime gets more confusing... I just want to handle those structures at runtime and be able to mantain state during page callbacks or changing pages...

    Read the article

  • How to implement SAML SSO

    - by A_M
    How is SAML SSO typically implemented? I've read this about using SAML with Google Apps, and the wikipedia entry on SAML. The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign on? The google entry talks about using redirects, which seems more seemless to me. However, it also talks about using a form for the response which the user must submit (although it does talk about using JavaScript to automatically submit the form). Is this the standard way of doing this? Using redirects and JavaScript for form submission? Does anyone know of any other good resources about how to go about implementing SSO between a Windows Domain and a J2EE web application. The web application is on a separate network/domain. My client wants to use CA Siteminder (with SAML).

    Read the article

  • [Architecture] Roles for white-label service access.

    - by saurabhj
    Okay, I know I'm doing something wrong - but can't figure out a better way. I am developing a website which is going to allow users to setup their own mini-websites. Something like Ning. Also, I have only 1 basic login and access to each mini website is provided (right now) via roles. So the way I am doing this right now is: Everytime a new mini website is created - say blah, I create 2 roles in my application. blah_users and blah_admin The user creating the mini website is given the role - blah_admin and every other user wanting to join this mini website (or network) is given the role - blah_user. Anyone can view data from any website. However to add data, one must be a member of that mini site (must have the blah_user role assigned) The problem that I am facing is that by doing a role based system, I'm having to do loads of stuff manually. Asp.Net 2 controls which work on the User.IsAunthenticated property are basically useless to me now because along with the IsAuthenticated property, I must also check if the user has the proper role. I'm guessing there is a better way to architect the system but I am not sure how. Any ideas? This website is being developed in ASP.Net 2 on IIS 6. Thanks a tonne!

    Read the article

  • Programatical authentication in J2EE 6

    - by Kevin
    Hello, is it possible to authenticate programmatically a user in J2ee 6? Let me explain with some more details: I've got an existing Java SE project with Servlets and hibernate; where I manage manually all the authentication and access control: class Authenticator { int Id string username } Authenticator login(string username, string password) ; void doListData(Authenticator auth) { if (isLoggedIn(auth)) listData(); else doListError } void doUpdateData (Authenticator auth) { if (isLoggedAsAdmin(auth)) updateData() ; else doListError(); } void doListError () { listError() ; } And Im integrating J2ee/jpa/servlet 3/... (Glassfish 3) in this project. I've seen anotations like : @RolesAllowed ("viewer") void doListdata (...) { istData() ; } @RolesAllowed("admin") void doUpdateData (...) { updateData() ; } @PermotAll void dolisterror () { listerror() ; } but how can I manually state, in login(), that my user is in the admin and/or viewer role?

    Read the article

  • want to build an alarm app in iphone.

    - by Sumit Kr Singh
    Hi, I want to build an alarm application for iphone. I want to ignore iphone device state and volume buttons state. I want to play sound anyhow in full volume and also want that user cant modify volume using iphone hardware buttons while sound is played. Does anybody know how to implement it? Please post the code here....... Thankx in Advance.......

    Read the article

  • What is the best "forgot my password" method?

    - by Edward Tanguay
    I'm programming a community website. I want to build a "forgot my password" feature. Looking around at different sites, I've found they employ one of three options: send the user an email with a link to a unique, hidden URL that allows him to change his password (Gmail and Amazon) send the user an email with a new, randomly generated password (Wordpress) send the user his current password (www.teach12.com) Option #3 seems the most convenient to the user but since I save passwords as an MD5 hash, I don't see how option #3 would be available to me since MD5 is irreversible. This also seems to be insecure option since it means that the website must be saving the password in clear text somewhere, and at the least the clear-text password is being sent over insecure e-mail to the user. Or am I missing something here? So if I can't do option #1, option #2 seems to be the simplest to program since I just have to change the user's password and send it to him. Although this is somewhat insecure since you have to have a live password being communicated via insecure e-mail. However, this could also be misused by trouble-makers to pester users by typing in random e-mails and constantly changing passwords of various users. Option #1 seems to be the most secure but requires a little extra programming to deal with a hidden URL that expires etc., but it seems to be what the big sites use. What experience have you had using/programming these various options? Are there any options I've missed?

    Read the article

  • How to use the Rhino javascript engine in an applet

    - by Robber
    For my java program I'm using Rhino to execute JS scripts. Now I'm trying to convert it to an applet which works great, except that everytime it's calling evaluateString(...) the JVM throws an AccessControlException. After some (a lot) of research I found out that this is caused by Rhino's custom classloader. My problem is that after hours of googling I still can't find a way to stop Rhino from trying to load it's own classloader. I hope someone can help me...

    Read the article

  • Authlogic, logout and credential capture

    - by Paddy
    Ok this is something weird. I got authlogic-oid installed in my rails app today. Everything works perfectly fine but for one small nuisance. This is what i did: I first register with my google openid. Successful login, redirection and my email, along with my correct openid is stored in my database. I am happy that everything worked fine! Now when i logout, my rails app as usual destroys the session and redirects me back to my root url where i can login again. Now if i try to login it still remembers my last login id. Not a big issue as i can always "Sign in as a different user" but i am wondering if there is anyway to not only logout from my app but also logout from google. I noticed the same with stack overflow's openid authentication system. Why am i so bothered about this, you may ask. But is it not a bad idea if your web apps end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his google account only to realize later that his google account had got hacked by some unworthy loser who just happened to notice that the one before had not logged out from google and say.. changed his password!! Should i be paranoid?

    Read the article

  • .Net - using FileIOPermission with mask in file name

    - by Max Gontar
    Hello! I would like to apply FileIOPermission on set of files using mask in file name, ex. on all txt files in folder C:\TMP: [type: FileIOPermission(SecurityAction.PermitOnly, Read = @"C:\TMP\*.txt")] class SomeClass { static void testPermissions() { Console.WriteLine("allowed action"); File.OpenRead(@"C:\TMP\1.txt"); // <--- here goes exception Console.WriteLine("denied action"); try { File.Create(@"C:\TMP\2.txt"); } catch (Exception e) { Console.WriteLine(e.Message); } finally { Console.ReadKey(); } } } This throws ArgumentException "Illegal characters in path." What is wrong? Is it possible to achieve anyway?

    Read the article

  • Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?

    - by jmcd
    We've just had some Penetration Testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use. According to the OWASP recommendations around the Synchronizer Token Pattern: "In general, developers need only generate this token once for the current session." Which is how I think the ASP.NET MVC AntiForgeryToken works. In case we have to fight the battle, is it possible to cause the AntiForgeryToken to regenerate a new value after each validation?

    Read the article

  • HTTP requests and Apache modules: Creative attack vectors

    - by pinkgothic
    Slightly unorthodox question here: I'm currently trying to break an Apache with a handful of custom modules. What spawned the testing is that Apache internally forwards requests that it considers too large (e.g. 1 MB trash) to modules hooked in appropriately, forcing them to deal with the garbage data - and lack of handling in the custom modules caused Apache in its entirety to go up in flames. Ouch, ouch, ouch. That particular issue was fortunately fixed, but the question's arisen whether or not there may be other similar vulnerabilities. Right now I have a tool at my disposal that lets me send a raw HTTP request to the server (or rather, raw data through an established TCP connection that could be interpreted as an HTTP request if it followed the form of one, e.g. "GET ...") and I'm trying to come up with other ideas. (TCP-level attacks like Slowloris and Nkiller2 are not my focus at the moment.) Does anyone have a few nice ideas how to confuse the server and/or its modules to the point of self-immolation? Broken UTF-8? (Though I doubt Apache cares about encoding - I imagine it just juggles raw bytes.) Stuff that is only barely too long, followed by a 0-byte, followed by junk? et cetera I don't consider myself a very good tester (I'm doing this by necessity and lack of manpower; I unfortunately don't even have a more than basic grasp of Apache internals that would help me along), which is why I'm hoping for an insightful response or two or three. Maybe some of you have done some similar testing for your own projects? (If stackoverflow is not the right place for this question, I apologise. Not sure where else to put it.)

    Read the article

  • SQL Server 2008, Kerberos and SPN

    - by andrew007
    Hi, I installed SQL Server 2008 on a Win XP SP2 workstation in a AD domain and configured to run with the "Network Service" account. In my error log I have the following message (Event ID:26037): The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. **Error: 0xd, state: 13**. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies. The strange thing is that I have another SQL Server 2008 installation in a Win 2003 server configured in the same way and there I do not have this message. My questions are: Does anybody know if there are limitations with Kerberos on Windows XP and SQL Server? Why the SPN is not automatically registered on Win XP when I use the "Network Service" but it works on Windows 2003 server? THANKS!

    Read the article

  • Secure hash and salt for PHP passwords

    - by luiscubal
    It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. Is “double hashing” a password less secure than just hashing it once? Suggests that hashing multiple times may be a good idea. How to implement password protection for individual files? Suggests using salt. I'm using PHP. I want a safe and fast password encryption system. Hashing a password a million times may be safer, but also slower. How to achieve a good balance between speed and safety? Also, I'd prefer the result to have a constant number of characters. The hashing mechanism must be available in PHP It must be safe It can use salt (in this case, are all salts equally good? Is there any way to generate good salts?) Also, should I store two fields in the database(one using MD5 and another one using SHA, for example)? Would it make it safer or unsafer? In case I wasn't clear enough, I want to know which hashing function(s) to use and how to pick a good salt in order to have a safe and fast password protection mechanism. EDIT: The website shouldn't contain anything too sensitive, but still I want it to be secure. EDIT2: Thank you all for your replies, I'm using hash("sha256",$salt.":".$password.":".$id) Questions that didn't help: What's the difference between SHA and MD5 in PHP Simple Password Encryption Secure methods of storing keys, passwords for asp.net How would you implement salted passwords in Tomcat 5.5

    Read the article

  • Secure ajax form POST

    - by user194630
    I was wondering how to develop a secure form post through AJAX. For example, i have: My HTML form. My JavaScript handling the submit. The submit url is "post_data.php" The posted data is: id=8&name=Denis The PHP verifies if variables id and name are POSTED and their data type. If this is ok it proceed to do some stuff on a database. My question is, how can i prevent someone from creating his own html form, outside my web site, or whatever, and posting false data to my PHP script? Imagine that data realy exists on my database, this could be bad. Thanks

    Read the article

  • Looking for DOS/DDOS protection tools and strategies

    - by Alexandre Victoor
    I am working on a java application that exposes webservices for a flash client. Any idea on how to prevent DOS/DDOS attacks ? I cannot use mechanism unfriendly for the end user such as captcha. So far I have found mod_evasive, an apache module which looks quite promising... Any suggestions, best practices, tools I might use ? Thanks in advance

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 169 170 171 172 173 174 175 176 177 178 179 180  | Next Page >