Search Results

Search found 14784 results on 592 pages for 'spring security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 199/592 | < Previous Page | 195 196 197 198 199 200 201 202 203 204 205 206  | Next Page >

  • Is php fileinfo sufficient to prevent upload of malicious files?

    - by Scarface
    Hey guys, I have searched around a bit, and have not really found a professional type response to how to have secure fileupload capability so I wanted to get the opinion of some of the experts on this site. I am currently allowing upload of mp3s and images, and while I am pretty confident in preventing xss and injection attacks on my site, I am not really familiar with fileupload security. I basically just use php fileinfo and check an array of accepted filetypes against the filetype. For images, there is the getimagesize function and some additional checks. As far as storing them, I just have a folder within my directory, because I want the users to be able to use the files. If anyone could give me some tips I would really appreciate it.

    Read the article

  • Is context:annotation-config an alternative to @AutoWired?

    - by Antacid
    Is it correct that I can put context:annotation-config in my XML config and it will automatically inject the bean class without needing any annotations? So instead of using these annotation types: public class Mailman { private String name; @Autowired private Parcel Parcel; public Mailman(String name) { this.name = name; } @Autowired public void setParcel(Parcel Parcel) { this.Parcel = Parcel; } @Autowired public void directionsToParcel(Parcel Parcel) { this.Parcel = Parcel; } } I would just need to write this: <beans ... > <bean id="mailMan" class="MailMan"> <constructor-arg value="John Doe"/> </bean> <bean id="parcel" class="Parcel" /> <context:annotation-config /> </beans> and then my MailMan class would look a lot simpler without the need for annotations: public class Mailman { private String name; private Parcel Parcel; public Mailman(String name) { this.name = name; } }

    Read the article

  • Websphere exception handling

    - by Benjamin
    Hi all, From a security standpoint, what is the best solution to handle application errors with Websphere? I've been thinking of creating a class that is called every time an application error is generated, log the error and display a generic error message to the users. In PHP this can be achieved using the set_exception_handler() function. Is there something similar for websphere that could be configured in the web.xml? I've found codes like this on the internet: <error-page> <error-code>500</error-code> <location>/servlet/ExceptionHandlerServlet</location> </error-page> But that would only work with "500" HTTP error codes. I really want something generic that catches everything. Something like a class that implements a certain interface which can have access to all information about the error. Thanks for your time.

    Read the article

  • How to keep an Hibernate's Session open until the page is rendered

    - by Neuquino
    I'm having the following problem: I'm using Oracle ADF for the view and controller of my app. With OpenSessionInViewFilter, I intercept the request and open an Hibernate's Session, and it is closed as soon as the bean's method finishes. What I need is to keep the Session opened until the page is rendered, because in my JSP y use the lazy attributes of the object i load from the DB. For example: When I enter index.jspx the IndexBean#main() is executed: public class IndexBean{ private DBObject myDBObject; public String main(){ this.myDBObject = this.myDAO.loadObjectFromDB(); return null; } } in index.jspx I have: ... <af:inputText value="#{myDBObject.lazyAttribute}" /> ... I'd like that the Hibernate's Session keeps open until the af:inputText is processed. Is this possible? How? Thanks in advance

    Read the article

  • Secure database connection. DAL .net architecture best practice

    - by Andrew Florko
    We have several applications that are installed in several departments that interact with database via Intranet. Users tend to use weak passwords or store login/password written on a shits of paper where everybody can see them. I'm worried about login/password leakage & want to minimize consequences. Minimizing database-server attack surface by hiding database-server from Intranet access would be a great idea also. I'm thinking about intermediary data access service method-based security. It seems more flexible than table-based or connection-based database-server one. This approach also allows to hide database-server from public Intranet. What kind of .net technologies and best practices would you suggest? Thank in you in advance!

    Read the article

  • Hibernate updating records and implementing listeners : getting only required attribute values for event.getOldState()

    - by Narendra
    Hi All, I am using Hibernate 3 as my persistence framework. Below is the sample hbm file I am using. <?xml version="1.0"?> <!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd"> <hibernate-mapping> <class name="com.test.User" table="user"> <meta attribute="implements">com.test.dao.interfaces.IEntity</meta> <id name="key" type="long" column="user_key"> <generator class="increment" /> </id> <property name="userName" column="user_name" not-null="true" type="string" /> <property name="password" column="password" not-null="true" type="string" /> <property name="firstName" column="first_name" not-null="true" type="string" /> <property name="lastName" column="last_name" not-null="true" type="string" /> <property name="createdDate" column="created_date" not-null="true" type="timestamp" insert="false" update="false" /> <property name="createdBy" column="created_by" not-null="true" type="string" update="false" /> </class> </hibernate-mapping> I am added a post-update listener. What it will do is if there any updations perfomed on User then it will be invoked and cahnges will be inserted to audit table. Below is the sample implementation for postupdate event. public void onPostUpdate(PostUpdateEvent event) { LogHelper.info(logger, "Begin - onPostUpdate " + event.getEntity().getClass().getSimpleName()); if (!this.checkForAudit(event.getEntity().getClass().getSimpleName())) { // check do we need to audit it. } // Get Attribute Names String[] attrNames = event.getPersister().getEntityMetamodel() .getPropertyNames(); Object[] oldobjectValue = c Object[] newObjectValue = event.getState(); this.auditDetailsEvent(attrNames, oldobjectValue, newObjectValue); LogHelper.info(logger, "End - onPostUpdate"); // return false; } Here is my requirement. event.getPersister().getEntityMetamodel() .getPropertyNames(); or event.getOldState(); or event.getState(); must return attribute names or value which i can update or insert. Is there any way to control the return values of above one's. Pleas help me on this regard. Thanks, Narendra

    Read the article

  • Detect IE setting: check for newer versions of stored pages "never"

    - by xx
    I understand there isn't a way to interrogate a users IE settings directly due to security reasons, but is there a way to derive this answer with some other mechanism? I would like to stop a user from using my site if the setting "Check for newer versions of stored pages" is set to "Never". Any suggestions? Is there a way I could test for this using javascript? An example of what I am trying to accomplish is this: While it is not possible to check IE settings to see if you are running a popup blocker, that is a way to "test" for a popup blocker via javascript. I am looking for something similiar but for the cache setting, not the popup blocker.

    Read the article

  • Java Web Application on Tomcat - Displaying a File Uploaded by User

    - by walnutmon
    I need to display uploaded files on a web application, the flow is as follows User uploads file through web UI Validation on image Makes call to imageRepository.store( uploadedImage, user.getSite() ) The user wants the image displayed which adds <img src="${anUploadedImage.getUrl()}"/> but that is where I'm stuck, what can getUrl() do? The simple solution is to put it someplace and let Apache serve the file, but then I can't use the application to ensure that one user isn't modifying the URL to view other users files, which in this case is important

    Read the article

  • apache tiles ordering problem

    - by ivar
    I have a problem with the order of rendering tiles. The menu gets rendered first and then the body of our webpage gets rendered. Each tile has it`s own controller that handles everything that tile needs to do. There are two forms. One in the menu and one in the body. Each one changes something in the menu and in the body. The problem is that if a form in the body changes something the menu gets rendered first and then the body controller handles form things and puts data to session, but menu is already done and the session was empty. I cant turn body and menu around becaouse there are other forms that work the other way around. How to deal with this problem? I do want every tile to have its own controller that deals with everything that tile does.

    Read the article

  • sequence generators are getting ignored

    - by luvfort
    I'm getting the following error while saving a object. However similar configuration is working for other model objects in my projects. Any help would be greatly appreciated. @Entity @Table(name = "ENROLLMENT_GROUP_MEMBERSHIPS", schema = "LEAD_ROUTING") public class EnrollmentGroupMembership implements Serializable, Comparable,Auditable { @javax.persistence.SequenceGenerator(name = "enrollmentGroupMemID", sequenceName = "S_ENROLLMENT_GROUP_MEMBERSHIPS") @Id @GeneratedValue(strategy = GenerationType.AUTO, generator = "enrollmentGroupMemID") @Column(name = "ID") private Long id; @ManyToOne() @JoinColumn(name = "TIER_WEIGHT_OID", referencedColumnName = "OID", updatable = false, insertable = false) private TierWeight tierWeight; public EnrollmentGroupMembership() { } } Code: @Entity @Table(name = "TIER_WEIGHT", schema = "LEAD_ROUTING") public class TierWeight implements Serializable, Auditable { @SequenceGenerator(name = "tierSequence",sequenceName = "S_TIER_WEIGHT") @Column(name = "OID") @Id @GeneratedValue(strategy = GenerationType.AUTO, generator = "tierSequence") private Long id; @OneToMany @JoinColumn(name = "TIER_WEIGHT_OID", referencedColumnName = "OID") private Set<EnrollmentGroupMembership> memberships; public TierWeight() { } } The logic layer's code is @Override public void createTier(String tierName, float weight) { TierWeight tier = new TierWeight(); tier.setWeight(weight); tier.setTier(tierName); tierWeightDAO.create(tier); } Similar Many-one configuration is working through out the project. I don't know why this one instance is failing. Any help would be greatly appreciated. The following is the error that I'm getting Caused by: org.hibernate.id.IdentifierGenerationException: ids for this class must be manually assigned before calling save(): edu.apollogrp.d2ec.model.TierWeight at org.hibernate.id.Assigned.generate(Assigned.java:3 3) at org.hibernate.event.def.AbstractSaveEventListener. saveWithGeneratedId(AbstractSaveEventListener.java :99) The log file is telling that the sequence generator tierSequence is not getting created. However other sequence generators are getting created. 2010-06-03 11:24:51,834 DEBUG [org.hibernate.cfg.AnnotationBinder:] Processing annotations of edu.apollogrp.d2ec.model.TierWeight.dateCreated 2010-06-03 11:24:51,834 DEBUG [org.hibernate.cfg.AnnotationBinder:] Processing annotations of edu.apollogrp.d2ec.model.TierWeight.dateCreated 2010-06-03 11:24:51,834 DEBUG [org.hibernate.cfg.Ejb3Column:] Binding column DATE_CREATED unique false ....................................... ....................................... 2010-06-03 11:24:51,756 DEBUG [org.hibernate.cfg.AnnotationBinder:] Processing annotations of edu.apollogrp.d2ec.model.CounselorAvailability.id 2010-06-03 11:24:51,756 DEBUG [org.hibernate.cfg.Ejb3Column:] Binding column OID unique false 2010-06-03 11:24:51,756 DEBUG [org.hibernate.cfg.Ejb3Column:] Binding column OID unique false 2010-06-03 11:24:51,756 DEBUG [org.hibernate.cfg.AnnotationBinder:] id is an id 2010-06-03 11:24:51,756 DEBUG [org.hibernate.cfg.AnnotationBinder:] id is an id 2010-06-03 11:24:51,756 DEBUG [org.hibernate.cfg.AnnotationBinder:] Add sequence generator with name: counselorAvailabilityID 2010-06-03 11:24:51,756 DEBUG [org.hibernate.cfg.AnnotationBinder:] Add sequence generator with name: counselorAvailabilityID While debugging, I see that the org.hibernate.impl.SessionFactoryImpl is returning the "Assigned" identifierGenerator. This is horrible. I've specified the identifierGenerator as "Auto". Please see the above code. As a sidenote, I was trying to debug and seeing how the objects are getting retrieved from the database. Looks like the enrollmentgroupmembership records have the tierweight value populated. However if I look at the tierweight object, it doesn't have the enrollmentgroupmembership records. I'm puzzled. I think these two problems must be related. Maddy.

    Read the article

  • Componentizing complex functionality in an MVC web app

    - by NXT
    Hi Everyone, This is question about MVC web-app architecture, and how it can be extended to handle componentizing moderately complex units of functionality. I have an MVC style web-app with a customer facing credit card charge page. I've been asked to allow the admins to enter credit card payments as well, for times when credit cards are taken over the phone. The customer facing credit card charge section of the website is currently it's own controller, with approximately 3 pages and a login. That controller is responsible for: Customer login credential authentication Credit card data collection Calling a library to do the actual charge. reporting the results to the user. I would like to extract the card data collection pages into a component of some kind so that I can easily reuse the code on the admin side of the app. Right now my components are limited to single "view" pages with PHP style embedded Perl code. This is a simple, custom MVC framework written in Perl. Right now, controllers are called directly from the framework to service web requests. My idea is to allow controllers to be called from other controllers, so that I can componentize more complex functionality. For simplicity I think I prefer composition over inheritance, even though it will require writing a bunch of pass-through methods (actions). Being Perl, I could in theory do multiple inheritance. I'm wondering if anyone with experience in other MVC web frameworks can comment on how this sort of thing is usually done. Thank you.

    Read the article

  • Sanitizing CSS in Rails

    - by Erik
    Hello! I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page. However I am aware of this opening up for many security risks, i e background: url('javascript:alert("Got your cookies! " + document.cookies'). Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users. So my questions if anyone anyone knows of a gem or a plugin to handles this? I've googled my brains out already so any tips would be really appreciated!

    Read the article

  • Understanding Hibernate saveOrUpdate and the Persistence Life Cycle

    - by Stephano
    The books that I've read regarding hibernate are, at best, reference tomes. They very seldom have good code examples, so I tend to use online resources for those needs. However, I've always had a problem understanding the basic idea of hibernate persistence. I've read the books and understand the concepts, but in practice, I often see results that I don't understand. Perhaps you all can help, as you have in the past. Let's look at a simple example of a dog and a cat that are friends. This isn't a rare occurrence. It also has the benefit of being much more interesting than my business case. We want a function called "saveFriends" that takes a dog name and a cat name. We'll save the Dog and then the Cat. For this example to work, the cat is going to have a reference back to the dog. I understand this isn't an ideal example, but it's cute and works for our purposes. FriendService.java public int saveFriends(String dogName, String catName) { Dog fido = new Dog(); Cat felix = new Cat(); fido.name = dogName; fido = animalDao.saveDog(fido); felix.name = catName; [ex.A]felix.friend = fido; [ex.B]felix.friend = animalDao.getDogByName(dogName); animalDao.saveCat(felix); } AnimalDao.java (extends HibernateDaoSupport) public Dog saveDog(Dog dog) { getHibernateTemplate().saveOrUpdate(dog); return dog } public Cat saveCat(Cat cat) { getHibernateTemplate().saveOrUpdate(cat); return cat; } public Dog getDogByName(String name) { return (Dog) getHibernateTemplate().find("from Dog where name=?", name).get(0); } Now, assume for a minute that I would like to use either example A or example B to save my friend. Is one better than the other to use? I'll understand if neither of those examples work, but please explain why.

    Read the article

  • Accepting bank account information in a form

    - by jeffthink
    What security concerns are there when accepting a user's bank account information (account number and routing number) via a form on a page that is using SSL, and posting it back to the server where I then curl off a HTTPS request to send that information to an ACH service like First ACH or ACH Direct via their API? We wouldn't be saving the bank account information in our database. I know another option is to use Paypal's Mass Pay API, but they think it's unprofessional (at least for their business) to require customers to have a paypal account to get paid. Thoughts?

    Read the article

  • php Form to Email sanitizing

    - by Jacob
    Hi, im using the following to send a contact us type form, iv looked into security and only found that you need to protect the From: bit of the mail function, as ive hardcoded this does that mean the script is spamproof / un-hijackable $tenantname = $_POST['tenan']; $tenancyaddress = $_POST['tenancy']; $alternativename = $_POST['alternativ //and a few more //then striptags on each variable $to = "[email protected]"; $subject = "hardcoded subject here"; $message = "$tenantname etc rest of posted data"; $from = "[email protected]"; $headers = "From: $from"; mail($to,$subject,$message,$headers);

    Read the article

  • Calculated group-by fields in MongoDB

    - by Navin Viswanath
    For this example from the MongoDB documentation, how do I write the query using MongoTemplate? db.sales.aggregate( [ { $group : { _id : { month: { $month: "$date" }, day: { $dayOfMonth: "$date" }, year: { $year: "$date" } }, totalPrice: { $sum: { $multiply: [ "$price", "$quantity" ] } }, averageQuantity: { $avg: "$quantity" }, count: { $sum: 1 } } } ] ) Or in general, how do I group by a calculated field?

    Read the article

  • Autowire not working in junit test

    - by Dave Paroulek
    I'm sure I'm missing something simple. bar gets autowired in the junit test, but why doesn't bar inside foo get autowired? @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration({"beans.xml"}) public class BarTest { @Autowired Object bar; @Test public void testBar() throws Exception { //this works assertEquals("expected", bar.someMethod()); //this doesn't work, because the bar object inside foo isn't autowired? Foo foo = new Foo(); assertEquals("expected", foo.someMethodThatUsesBar()); } }

    Read the article

  • How do I tell which account is trying to access an ASP.NET web service?

    - by Andrew Lewis
    I'm getting a 401 (access denied) calling a method on an internal web service. I'm calling it from an ASP.NET page on our company intranet. I've checked all the configuration and it should be using integrated security with an account that has access to that service, but I'm trying to figure out how to confirm which account it's connecting under. Unfortunately I can't debug the code on the production network. In our dev environment everything is working fine. I know there has to be a difference in the settings, but I'm at a loss with where to start. Any recommendations?

    Read the article

  • Reason to use more cookies than just a session hash for authentication?

    - by dierre
    I usually hang out in a community using vBulletin as its bulletin board. I was looking at what this software saves as cookie in my browser. As you can see it saves 6 cookies. Amongst them, what I consider to be important for authentification are: ngivbsessionhash: hash of the current session ngivbpassword: hash of the password ngivbuserid: user's id Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason. My question is: why use all these cookie for authentication? My guess would be that maybe generating a session hash would be to easy so using the hashedpassword and userid adds security but what about cookie spoofing? I'm basically leaving on the client all fundamental informations. What do you think?

    Read the article

  • Reliably detect caller domain over cURL request?

    - by Utkanos
    OK so server-side security is not my forte. Basically, I'm building a service which users may use (via an SDK) only on the domain they stipulated when they signed up. The SDK calls my web service over cURL in PHP. Would I be right in thinking I cannot reliably detect the caller domain, i.e. enforce that it is the same domain they stipulated when signing up? cURL of course sends this over headers, but headers can always (?) be faked. Is there a better course of action to enforce domain for this sort of thing? (NB I'm already using an API key, too - it's just I wanted to restrict domain, too) Thanks in advance

    Read the article

  • How are CD Keys generated?

    - by The Rook
    CD Keys are the defacto-standard as an anti-piracy measure. To be honest this strikes me as Security Though Obscurity, although I really have no idea how CD Keys are generated. What is a good (secure) example of CD Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators?

    Read the article

  • Html encoding in MVC input

    - by fearofawhackplanet
    I'm working through NerdDinner and I'm a bit confused about the following section... First they've added a form for creating a new dinner, with a bunch of textboxes delcared like: <%= Html.TextArea("Description") %> They then show two ways of binding form input to the model: [AcceptVerbs(HttpVerbs.Post)] public ActionResult Create() { Dinner dinner = new Dinner(); UpdateModel(dinner); ... } or: [AcceptVerbs(HttpVerbs.Post)] public ActionResult Create(Dinner dinner) { ... } Ok, great, that all looks really easy so far. Then a bit later on they say: It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?

    Read the article

  • Grails/Roo for a .Net developer

    - by Kynth
    I am currently picking up Grails and Roo to expand my skills and to have a bit of fun. The vast majority of training materials appear aimed at new developers or Java developers. Does anyone know of any guides, resources or have any tips and anecdotes for translating existing development experience with .Net (C#/ASP.Net/Asp.Net MVC)?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 195 196 197 198 199 200 201 202 203 204 205 206  | Next Page >