Search Results

Search found 14878 results on 596 pages for 'mod security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 210/596 | < Previous Page | 206 207 208 209 210 211 212 213 214 215 216 217  | Next Page >

  • How to allow three optional parameters in the URL by .htaccess?

    - by eij
    I have http://example.com and a PHP routing class that checks if some URL exists. I want to make a new route, which is: http://example.com/foo/bar/123 but as long as I open it, the Apache redirects me to an error page. So I'm using a .htaccess. The code is: RewriteEngine on RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*) /index.php [L] and it works, as long as I use http://example.com/foo, but once I add some other parameters, it redirects me to an error. I'm guessing that the rewrite code is wrong. Is it wrong? If yes, could you suggest me the good one? If no, where the problem could be located?

    Read the article

  • how do I redirect from one page to another with mod_rewrite?

    - by Dan
    All the advice online says do: rewrite 301 URL-A URL-B But that won't work if I turn on mod_rewrite (it seems?) with RewriteEngine on So, I'm bad a regex, but shouldn't need it here. How do I do: RewriteCond %{HTTP_HOST} ^untamed-adventures.com/travel/How/tabid/58/Default.aspx [NC] RewriteRule ^(.*)$ http://untamed-adventures.com/ [R=301,L]

    Read the article

  • Convert to lowercase in a mod_rewrite rule.

    - by dreeves
    I would like URLs like server.com/foo to be case-insensitive. But server.com/foo actually gets mod_rewrite'd to server.com/somedir/foo (Assume that all the files in "somedir" are lower case.) So the question is, how to accomplish a mod_rewrite like the following: RewriteRule ^([^/]+)/?$ somedir/convert_to_lowercase($1)

    Read the article

  • mod_perl2 send original requested url

    - by spoier
    Hello all, I have a mod_perl module to intercept the http response fase but I just want to intercept it and satisfy that request... In other words, I want to get the request and return what the client requested... I have something like this: use strict; use Apache2::RequestRec (); # for $r->content_type use Apache2::RequestIO (); # for $r->puts use Apache2::Const -compile => qw(:common); sub handler { my $r = shift; $r->content_type('text/html'); return Apache2::Const::OK; } 1; Apparently it doesn't work...

    Read the article

  • Have all internal links in drupal leave out subdirectory where docroot resides

    - by Levi Wallach
    I've successfully followed some instructions online to get our plain url to direct to the content found in a subfolder (drupaldev) so that when you enter any url for that site even without the subdirectory name, it serves the correct page. However, I cannot figure out how to remove the internal links on the site that reference the '/drupaldev/' subdirectory. This is what my .htaccess file includes: RewriteRule ^$ drupaldev/index.php [L] RewriteCond %{DOCUMENT_ROOT}/drupaldev%{REQUEST_URI} -f RewriteRule .* drupaldev/$0 [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule .* drupaldev/index.php?q=$0 [QSA] And this is what my settings.php file contains: $base_url = 'http://www.bluewaterfederal.com'; As you can see, if you mouse over any of the links within the site, they all mention drupaldev, but if you take that same url and remove the "drupaldev" from it, it works fine...

    Read the article

  • Using .htaccess to change my website URLs

    - by James P
    I have some pages organised like this: http://localhost/index.html http://localhost/download.html http://localhost/contact.html And I need them changed to suit the following URL structure: http://localhost/ http://localhost/download http://localhost/contact Without making sub directories and putting in pages as index.html. As far as I know .htaccess can be used for this, but I have no idea what I need to add to my .htaccess file to make this work. Can anyone provide some help? Thanks.

    Read the article

  • not rewriting .asp files using htaccess

    - by user2939099
    I have .asp files re-writing themselves to .php files using htaccess and a rewrite rule on another site. it works fine but I am trying to do the same on my other site with one URL and it doesn't work. both have mod_rewrite enabled and on similar servers. (Apache v3.22.17 rev9999 / PHP v5.4.21) <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^(.+).(asp)$ $1.php [L] </IfModule> this is the full htaccess code.. can you see anything wrong with this?

    Read the article

  • Apache/mod_rewrite > Tomcat encoding %26 and "&"...

    - by user293479
    Apache is the front-end to my web app then I use mod_rewrite to proxy the request to JBoss. So far this sounds pretty standard, but the problem I am having is: if I access the app directly through jboss @ http://localhost:8080/app/page?raw=foo%26bar&page=1: request.getParameter("raw") = foo&bar If I access the app through Apache @ http://localhost/foo%26bar&page=1 request.getParameter("raw") = foo So somewhere along the way, the %26 is lost and replaced with an & which chops the raw variable. This is my Apache rewrite rule. RewriteRule ^/(.*) \ http://localhost:8080/app/home?raw=$1 [L,P] The Apache access log shows: http://localhost/foo%26bar&page=1 And the rewrite log shows: http://localhost:8080/app/home?raw=foo&bar&page=1 But I want the request to be: http://localhost:8080/app/home?raw=foo%26bar&page=1 I am pretty sure that this also occurs with slashes / too so to me this is some sort of encoding issue. Is there a way to proxy the URL untouched? Can't seem to figure this one out.

    Read the article

  • How to rewrite a URL with %23 in it?

    - by Jan P.
    I have a (wordpress) blog where after commenting the users are redirected back to the page with an anchor to their comment. Should look like this: http://example.org/foo-bar/#comment-570630 But somehow I get a lot of 404 ins my logfiles for such URLs: http://example.org/foo-bar/%23comment-570630 Is there a way to write a .htaccess rewrite rule to fix this? Bonus question: Any idea why this happens and what I can do about it?

    Read the article

  • mod_rewrite replace all instances of ampersand with %26 for later

    - by Supernovah
    Hey there! I want to simply not use ampersand in my URL so I can pass ampersands further down into my system when a file is requested. The problem is Apache deals with it differently. I don't know how I already rewrite the requested file to index.php?url=$1 so I can see what it was, but if it has an ampersand in there, it can't continue past it! how can I escape the ampersand or turn it into it's hex equal (%26)? <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php?url=$1 [QSA,L] </IfModule>`

    Read the article

  • Platform for Efficiency: Boeing Defense, Space & Security integrates supply chain processes using Oracle Business Process Management solutions. by Fred Sandsmark

    - by JuergenKress
    Like most companies, aerospace giant Boeing has its jargon - words and phrases that uniquely define its products and processes. Take the word platform. It is used at Boeing to mean a family of aircraft - the F/A-18 fighter, for example, or the 777 jetliner. Boeing Defense, Space & Security since August 2009, employees in the Global Services & Support (GS&S) division of Boeing Defense, Space & Security have been talking about a different sort of platform: a supply chain technology platform, based on Oracle Business Process Management (Oracle BPM) solutions and Oracle SOA Suite. That platform, built with the assistance of Oracle Diamond Partner Capgemini, is serving as a jumping-off point for Boeing's GS&S staff to deploy radically improved business processes supported by Oracle Fusion Applications to build a high-visibility, end-to-end supply chain. This business process-driven technology platform has ambitious goals: to help GS&S respond more quickly and accurately to its customers' needs, to make business processes at all GS&S sites more consistent and less expensive, and to create a foundation for further improvement and efficiency. Read the full article here. Want to publish your BPM11g success story - request for a partner/customer reference? BPM Center of Excellent & First 100 Days of BPM documents to our SOA Community Workspace MWD_bpm_si_Centre_of_Excellence_0811.pdf First 100 Days of BPM whitepaper.pdf Please visit our SOA Community Workspace (SOA Community membership required). SOA & BPM Partner Community For regular information on Oracle SOA Suite become a member in the SOA & BPM Partner Community for registration please visit  www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center. Blog Twitter LinkedIn Mix Forum Technorati Tags: BPM,BPM reference,BPM Capgemini,BPM first 100 days,BPM center of Excellence,SOA Community,Oracle SOA,Oracle BPM,Community,OPN,Jürgen Kress

    Read the article

  • How Security Products Are Made; An Interview with BitDefender

    - by Jason Fitzpatrick
    Most of us use anti-virus and malware scanners, without giving the processes behind their construction and deployment much of a thought. Get an inside look at security product development with this BitDefender interview. Over at 7Tutorials they took a trip to the home offices of BitDefender for an interview with Catalin Co?oi–seen here–BitDefender’s Chief Security Researcher. While it’s notably BitDefender-centric, it’s also an interesting look at the methodology employed by a company specializing in virus/malware protection. Here’s an excerpt from the discussion about data gathering techniques: Honeypots are systems we distributed across our network, that act as victims. Their role is to look like vulnerable targets, which have valuable data on them. We monitor these honeypots continuously and collect all kinds of malware and information about black hat activities. Another thing we do, is broadcast fake e-mail addresses that are automatically collected by spammers from the Internet. Then, they use these addresses to distribute spam, malware or phishing e-mails. We collect all the messages we receive on these addresses, analyze them and extract the required data to update our products and keep our users secure and spam free. Hit up the link below for the full interview. How To Properly Scan a Photograph (And Get An Even Better Image) The HTG Guide to Hiding Your Data in a TrueCrypt Hidden Volume Make Your Own Windows 8 Start Button with Zero Memory Usage

    Read the article

  • Unable to get HTTPS MEX endpoint to work

    - by Rahul
    I have been trying to configure WCF to work with Azure ACS. This WCF configuration has 2 bugs: It does not publish MEX end point. It does not invoke custom behaviour extension. (It just stopped doing that after I made some changes which I can't remember) What could be possibly wrong here? <configuration> <configSections> <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </configSections> <location path="FederationMetadata"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <system.web> <compilation debug="true" targetFramework="4.0"> <assemblies> <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> </assemblies> </compilation> </system.web> <system.serviceModel> <services> <service name="production" behaviorConfiguration="AccessServiceBehavior"> <endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" /> <endpoint address="" binding="customBinding" contract="Samples.RoleBasedAccessControl.Service.IService1" bindingConfiguration="serviceBinding" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="AccessServiceBehavior"> <federatedServiceHostConfiguration /> <sessionExtension/> <useRequestHeadersForMetadataAddress> <defaultPorts> <add scheme="http" port="8000" /> <add scheme="https" port="8443" /> </defaultPorts> </useRequestHeadersForMetadataAddress> <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment --> <serviceMetadata httpsGetEnabled="true" /> <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information --> <serviceDebug includeExceptionDetailInFaults="true" /> <serviceCredentials> <!--Certificate added by FedUtil. Subject='CN=DefaultApplicationCertificate', Issuer='CN=DefaultApplicationCertificate'.--> <serviceCertificate findValue="XXXXXXXXXXXXXXX" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" /> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> <serviceHostingEnvironment multipleSiteBindingsEnabled="true" /> <extensions> <behaviorExtensions> <add name="sessionExtension" type="Samples.RoleBasedAccessControl.Service.RsaSessionServiceBehaviorExtension, Samples.RoleBasedAccessControl.Service, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </behaviorExtensions> </extensions> <protocolMapping> <add scheme="http" binding="customBinding" bindingConfiguration="serviceBinding" /> <add scheme="https" binding="customBinding" bindingConfiguration="serviceBinding"/> </protocolMapping> <bindings> <customBinding> <binding name="serviceBinding"> <security authenticationMode="SecureConversation" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" requireSecurityContextCancellation="false"> <secureConversationBootstrap authenticationMode="IssuedTokenOverTransport" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"> <issuedTokenParameters> <additionalRequestParameters> <AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"> <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> <Address>https://127.0.0.1:81/</Address> </EndpointReference> </AppliesTo> </additionalRequestParameters> <claimTypeRequirements> <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" /> <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" /> <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" isOptional="true" /> <add claimType="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" isOptional="true" /> </claimTypeRequirements> <issuerMetadata address="https://XXXXYYYY.accesscontrol.windows.net/v2/wstrust/mex" /> </issuedTokenParameters> </secureConversationBootstrap> </security> <httpsTransport /> </binding> </customBinding> </bindings> </system.serviceModel> <system.webServer> <modules runAllManagedModulesForAllRequests="true" /> </system.webServer> <microsoft.identityModel> <service> <audienceUris> <add value="http://127.0.0.1:81/" /> </audienceUris> <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"> <trustedIssuers> <add thumbprint="THUMBPRINT HERE" name="https://XXXYYYY.accesscontrol.windows.net/" /> </trustedIssuers> </issuerNameRegistry> <certificateValidation certificateValidationMode="None" /> </service> </microsoft.identityModel> <appSettings> <add key="FederationMetadataLocation" value="https://XXXYYYY.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml " /> </appSettings> </configuration> Edit: Further implementation details I have the following Behaviour Extension Element (which is not getting invoked currently) public class RsaSessionServiceBehaviorExtension : BehaviorExtensionElement { public override Type BehaviorType { get { return typeof(RsaSessionServiceBehavior); } } protected override object CreateBehavior() { return new RsaSessionServiceBehavior(); } } The namespaces and assemblies are correct in the config. There is more code involved for checking token validation, but in my opinion at least MEX should get published and CreateBehavior() should get invoked in order for me to proceed further.

    Read the article

  • Write-only collections in MongoDB

    - by rcoder
    I'm currently using MongoDB to record application logs, and while I'm quite happy with both the performance and with being able to dump arbitrary structured data into log records, I'm troubled by the mutability of log records once stored. In a traditional database, I would structure the grants for my log tables such that the application user had INSERT and SELECT privileges, but not UPDATE or DELETE. Similarly, in CouchDB, I could write a update validator function that rejected all attempts to modify an existing document. However, I've been unable to find a way to restrict operations on a MongoDB database or collection beyond the three access levels (no access, read-only, "god mode") documented in the security topic on the MongoDB wiki. Has anyone else deployed MongoDB as a document store in a setting where immutability (or at least change tracking) for documents was a requirement? What tricks or techniques did you use to ensure that poorly-written or malicious application code could not modify or destroy existing log records? Do I need to wrap my MongoDB logging in a service layer that enforces the write-only policy, or can I use some combination of configuration, query hacking, and replication to ensure a consistent, audit-able record is maintained?

    Read the article

  • input type file alternative and file upload best practice

    - by Ioxp
    Background: I am working on a file upload page that will extend an existing web portal. This page will allow for an end user to upload files from there local computer to our network (the files will not be stored on the web server, rather a remote workstation). The end user will have the ability to view the data that they have submitted by hyper-linking the files that have been uploaded on this page. Question 1: Is there an ASP.net alternative to the <input type="file" runat="server" /> HTML tag? The reason for asking is i would rather use an image button and display the file as an asp label on the portal to keep with a consistent style. Question 2: So i understand that giving the end user the ability to upload files to the server and then turn around to show them the data that they posted poses a security threat. So far i am using the id.PostedFile.ContentType and the file extension to reject the data if its not an accepted format (i.e. "text/plain", "application/pdf", "application/vnd.ms-excel", or "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"). Also the location where the files are uploaded to has a sufficient amount of virus and malware protection and this is not a concern. What, from the C# point of view, additional steps should i take to ensure that the end user cant take advantage and compromise the system in regards to allowing them to upload files?

    Read the article

  • How to authenticate a Windows Mobile client calling web services in a Web App

    - by cdonner
    I have a fairly complex business application written in ASP.NET that is deployed on a hosted server. The site uses Forms Authentication, and there are about a dozen different roles defined. Employees and customers are both users of the application. Now I have the requirement to develop a Windows Mobile client for the application that allows a very specialized set of tasks to be performed from a device, as opposed to a browser on a laptop. The client wants to increase productivity with this measure. Only employees will use this application. I feel that it would make sense to re-use the security infrastructure that is already in place. The client does not need offline capability. My thought is to deploy a set of web services to a folder of the existing site that only the new role "web service" has access to, and to use Forms Authentication (from a Windows Mobile 5/.Net 3.5 client). Can I do that, is that a good idea, and are there any code examples/references that you can point me to?

    Read the article

  • How to secure Add child record functionality in MVC on Parent's view?

    - by RSolberg
    I'm trying to avoid some potential security issues as I expose some a new set of functionality into the real world. This is basically functionality that will allow for a new comment to be added via a partialview on the "Parent" page. My comment needs to know a couple of things, first what record is the comment for and secondly who is making the comment. I really don't like using a hidden field to store the ID for the Parent record in the add comment form as that can be easily changed with some DOM mods. How should I handle this? PARENT <% Html.RenderPartial("AddComment", Model.Comments); %> CHILD <%@ Control Language="C#" Inherits="System.Web.Mvc.ViewUserControl<CommentsViewModel>" %> <% using (Html.BeginForm("AddComment", "Requests")) {%> <fieldset> <legend>New Comment</legend> <%= Html.HiddenFor(p => p.RequestID) %> <%= Html.TextBoxFor(p => p.Text) %> &nbsp; <input type="submit" value="Add" /> </fieldset> <% } %> CONTROLLER [AcceptVerbs(HttpVerbs.Post)] public void AddComment(CommentsViewModel commentsModel) { var user = GetCurrentUser(); commentsModel.CreatedByID = user.UserID; RequestsService.AddComment(commentsModel); }

    Read the article

  • Applying business logic to form elements in ASP.NET MVC

    - by Brettski
    I am looking for best practices in applying business logic to form elements in an ASP.NET MVC application. I assume the concepts would apply to most MVC patterns. The goal is to have all the business logic stem from the same place. I have a basic form with four elements: Textbox: for entering data Checkbox: for staff approval Checkbox: for client approval Button: for submitting form The textbox and two check boxes are fields in a database accessed using LINQ to SQL. What I want to do is put logic around the check boxes on who can check them and when. True table (little silly but it's an example): when checked || may check Staff || may check Client Staff | Client || Staff | Client || Staff | Client 0 0 || 1 0 0 1 0 1 || 0 0 0 1 1 0 || 1 0 0 1 1 1 || 0 0 0 1 There are to security roles, staff and client; a person's role determines who they are, the roles are maintained in the database alone with current state of the check boxes. So I can simply store the users roll in the view class and enable and disable check boxes based on their role, but this doesn't seem proper. That is putting logic in UI to control of which actions can be taken. How do I get most of this control down into the model? I mean I need to control which check boxes are enabled and then check the results in the model when the form is posted, so it seems the best place for it to originate. I am looking for a good approach to constructing this, something to follow as I build the application. If you know of some great references which explain these best practices that is really appreciated too.

    Read the article

  • WCF Service Impersonation

    - by robalot
    Good Day Everyone... Apparently, I'm not setting-up impersonation correctly for my WCF service. I do NOT want to set security on a method-by-method basis (in the actual code-behind). The service (at the moment) is open to be called by everyone on the intranet. So my questions are… Q: What web-config tags am I missing? Q: What do I need to change in the web-config to make impersonation work? The Service Web.config Looks Like... <configuration> <system.web> <authorization> <allow users="?"/> </authorization> <authentication mode="Windows"/> <identity impersonate="true" userName="MyDomain\MyUser" password="MyPassword"/> </system.web> <system.serviceModel> <services> <service behaviorConfiguration="wcfFISH.DataServiceBehavior" name="wcfFISH.DataService"> <endpoint address="" binding="wsHttpBinding" contract="wcfFISH.IFishData"> <identity> <dns value="localhost"/> </identity> </endpoint> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="wcfFISH.DataServiceBehavior"> <serviceMetadata httpGetEnabled="false"/> <serviceDebug includeExceptionDetailInFaults="false"/> </behavior> </serviceBehaviors> </behaviors> </system.serviceModel> </configuration>

    Read the article

  • Clipboard Copy-Paste doesn't work on Win Server 2008/Vista 64bit

    - by Itay Levin
    Hi, I am trying to use Clipboard API (in Delphi) to extract images from Word documents. my code works OK in Windows XP/2003 but in windows 2008 64 bit it doesn't work. in win 2008 i get an error saying that Clipboard.Formats is empty and doesn't contain any format. The image seems to be copied to the Clipboard (i can see it in the clipboard via Word) but when i try to ask the clipboard what format does he have it said it doesn't have any formats. how can i access the clipboard programmatically on win 2008/Vista? from what i know of 2008 64 bit, it might be a security issue... here is the code snippet: This is how i am trying to copy the Image to the clipboard: W.ActiveDocument.InlineShapes.Item(1).Select; // W is a word ole object W.Selection.Copy; and this is how i try to paste it. Clipboard.Open; Write2DebugFile('FormatCount = ' + IntToStr(Clipboard.FormatCount)); // FormatCount=0 For JJ := 1 to Clipboard.FormatCount Do Write2DebugFile('#'+ IntToStr(JJ) + ':' + IntToStr(Clipboard.Formats[JJ])); If (Clipboard.HasFormat(CF_BITMAP)) or (Clipboard.HasFormat(CF_PICTURE)) or (Clipboard.HasFormat(CF_METAFILEPICT)) then // all HasFormat calls returns false. Begin Jpeg := TJPEGImage.Create; Bitmap := TBitmap.Create; Bitmap.LoadFromClipboardFormat(cf_BitMap,ClipBoard.GetAsHandle(cf_Bitmap),0); Jpeg.Assign(Bitmap); Jpeg.SaveToFile(JpgFileN); try Jpeg.Free; except; end; ResizeImage(JpgFileN,750); Write2DebugFile('Saving ' + JpgFileN); End else Write2DebugFile('Doesnt have the right format'); Thanks in advance, Itay

    Read the article

  • Is an LSA MSV1_0 subauthentication package needed for some impersonation use cases?

    - by Chris Sears
    Greetings, I'm working with a vendor who has implemented some code that uses a Windows LSA MSV1_0 subauthentication package (MSDN info if you're interested: http://msdn.microsoft.com/en-us/library/aa374786(VS.85).aspx ) and I'm trying to figure out if it's necessary. As far as I can tell, the subauthentication routine and filter allow for hooking or customizing the standard LSA MSV1_0 logon event processing. The issue is that I don't understand why the vendor's product would need these capabilities. I've asked them and they said they use it to perform impersonation. The product definitely does need to do impersonation, but based on my limited win32 knowledge, they could get the functionality they need using the normal auth APIs (LsaLogonUser, ImpersonateLoggedOnUser, etc) without the subauthentication package. Furthermore, I've worked with a number of similar products that all do impersonation, and this is the only one that's used a subauthentication package. If you're wondering why I would care, a previous version of the product had a bug in the subauthentication package dll that would cause lockups or bluescreens. That makes me rather nervous and has me questioning the use of such a low-level, kernel sensitive interface. I'd like to go back to the vendor and say "There's no way you could need an LSA subauth package for impersonation - take it out", but I'm not sure I understand the use cases and possible limitations of the standard win32 authentication/impersonation APIs well enough to make that claim definitively. So, to the win32 security gurus out there, is there any reason you would need an LSA MSV1_0 subauthentication package if all you were doing is impersonation? Thanks in advance for any thoughts!

    Read the article

  • ACL architechture for a Software As a service in Spring 3.0

    - by geoaxis
    I am making a software as a service using Spring 3.0 (Spring MVC, Spring Security, Spring Roo, Hibernate) I have to come up with a flexible access control list mechanism.I have three different kinds of users System (who can do any thing to the system, includes admin and internal daemons) Operations (who can add and delete users, organizations, and do maintenance work on behalf of users and organizations) End Users (they belong to one or more organization, for each organization, the user can have one or more roles, like being organization admin, or organization read-only member) (role like orgadmin can also add users for that organization) Now my question is, how should i model the entity of User? If I just take the End User, it can belong to one or more organizations, so each user can contain a set of references to its organizations. But how do we model the users role for each organization, So for example User UX belongs to organizations og1, og2 and og3, and for og1 he is both orgadmin, and org-read-only-user, where as for og2 he is only orgadmin and for og3 he is only org-read-only-user I have the possibility of making each user belong to one organization alone, but that's making the system bounded and I don't like that idea (although i would still satisfy the requirement) If you have a better extensible ACL architecture, please suggest it. Since its a software as a service, one would expect that alot of different organizations would be part if the same system. I had one concern that it is not a good idea to keep og1 and og2 data on the same DB (if og1 decides to spawn a 100 reports on the system, og2 should not suffer) But that is some thing advanced for now and is not directly related to ACL but to the physical distribution of data and setup of services based on those ACLs This is a community Wiki question, please correct any thing which you wish to do so. Thanks

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 206 207 208 209 210 211 212 213 214 215 216 217  | Next Page >