Search Results

Search found 29513 results on 1181 pages for 'microsoft security essent'.

Page 253/1181 | < Previous Page | 249 250 251 252 253 254 255 256 257 258 259 260  | Next Page >

  • Windows Phone 7: users hit by phantom data consumption, Microsoft takes the problem very seriously

    Windows Phone 7: users hit by phantom data consumption. Microsoft takes the problem very seriously and is investigating. Microsoft told the BBC that it is investigating a problem of high data consumption affecting users of phones running Windows Phone 7. The investigation follows complaints from several users whose phones reportedly sent and received a large amount of data without their knowledge. Some noticed it after receiving a warning message informing them that they had almost reached the usage limit allowed to them, while they...

    Read the article

  • Microsoft rejects the WebGL standard, deemed "dangerous", following the discovery of multiple critical flaws in Firefox

    Microsoft rejects the WebGL standard, deemed "dangerous", following the discovery of multiple critical flaws in Firefox. The future of the WebGL standard in Internet Explorer looks very uncertain. Microsoft rejects this 3D display standard for the Web, at least in its current form, which it considers "dangerous", in a post following the discovery of several new critical flaws in Mozilla Firefox's implementation. Flaws that could also be present in Google Chrome. On the security research and defense blog, Redmond's MSRC team states that "WebGL support in browsers ...

    Read the article

  • Microsoft adds a special service to Azure that lets customers send a hard drive to import/export data in the company's datacenters

    Microsoft adds a special service to Azure that lets customers send a hard drive to import/export data in the company's datacenters. Microsoft continues to expand its range of Cloud services through its Windows Azure platform. The Redmond firm has just added a service called Import/Export, which lets users send hard drives containing their data directly to Microsoft's datacenters so that the upload is done locally. However...

    Read the article

  • Google Chrome about to integrate the WebRTC framework backed by the Mozilla Foundation: a serious threat to Microsoft Skype?

    Google Chrome about to integrate the WebRTC framework backed by the Mozilla Foundation: a serious threat to Microsoft Skype? Updated 23/06/2011. Google Chrome is about to gain native audio and video communication capabilities that could allow any Web application to compete with Skype, the well-known VoIP software now owned by Microsoft. These new features will be based on the framework Web...

    Read the article

  • Windows Azure: browse the resources offered by Microsoft, take the Quiz and win t-shirts and maybe a Nokia Lumia

    Windows Azure: browse the resources offered by Microsoft, take the Quiz and win t-shirts and maybe a Nokia Lumia. Exclusively for Developpez.com readers, Microsoft's Azure Cloud platform team has prepared videos, tutorials and much more, which we share every week. At the start of the following week, questions will be put to you. Everyone who gets at least 80% of the answers right will win a t-shirt and will automatically be selected for...

    Read the article

  • Windows Azure turns one: do you use and know Microsoft's Cloud platform for developers well?

    Windows Azure turns one. Do you use and know Microsoft's Cloud platform for developers? In collaboration with Hinault Romarick. Microsoft's shift to Cloud Computing was marked by the release of several products (Dynamic CRM OnLine, Office 365, the Office Web Apps, etc.). But it was the arrival of its platform for developers, Windows Azure, that showed its commitment to IaaS (Infrastructure on demand) and PaaS (Platform on demand). First presented at the PDC 2008 conference, it was in ...

    Read the article

  • Microsoft centralizes Windows Store services in a single platform, to spare developers needless loss of time

    Microsoft centralizes Windows Store services in a single platform to spare developers needless loss of time. Developers hold a prominent place in the Microsoft ecosystem. The firm has so far always shown its ambition to offer them simple tools for developing, monetizing and tracking applications on the Windows Store. It is with this in mind that the company is presenting its new single platform, which centralizes all the services that can be used on the application gallery for Windows. The aim of this initiative is to spare developers needless loss of time when looking for a kit for develo...

    Read the article

  • Microsoft gives Windows Phone 8.1 a file manager: "Files" is available for download on the Windows Phone store

    Microsoft launches Files for Windows Phone 8.1, the mobile OS's file manager. "A promise made is a promise kept." Microsoft had announced early last month that it was working on a file manager for users of its Windows Phone 8.1 operating system. It is now accessible. Available for download as a standalone application on the Windows Phone store, the solution adds to the OS the traditional features of a file manager that...

    Read the article

  • Microsoft publishes its semi-annual report SIRv16; the security status report notes the rise of exploit kits

    Microsoft publishes its semi-annual report SIRv16; the security status report notes the rise of exploit kits. Microsoft has published the 16th volume of its semi-annual SIR (Security Intelligence Report), which covered security threats during the past half-year (July to December 2013). The five countries recording the largest number of attacks during the period are, in order, Pakistan, Indonesia, Algeria, Tunisia and India, with an infection percentage...

    Read the article

  • Microsoft reportedly wants to sell 100 million Windows Phones in 2012; the reasons the OS does not support dual-core disclosed

    Microsoft aims to sell 100 million Windows Phones in 2012. The reasons the OS does not support dual-core processors disclosed. Microsoft reportedly has an internal goal of selling more than 100 million Windows Phone devices in 2012, according to WMPowerUser, citing an undisclosed source. The company could reach this ambitious goal if the manufacturer Nokia steps up its production of Windows Phone devices around the world with different models. According to WMPowerUser, carriers expect to see Windows Phone take 30% of the smartphone market in 2012. An estimate that matches that of

    Read the article

  • Microsoft unveils the Preview of Windows Azure Mobile Services, which provides a Backend for mobile and Windows 8 applications

    Microsoft unveils the Preview of Windows Azure Mobile Services, which provides a Backend for mobile and Windows 8 applications. The Windows Azure Cloud hosting platform has just gained a new service. Microsoft has just announced the opening of the Windows Azure Mobile Services Preview for developers of mobile and Windows 8 applications. Windows Azure Mobile Services is a Backend as a Service platform that provides a turnkey solution in the Cloud, making it possible to speed up the development of connected client-side applications. The service streamlines the development process by making it possible to use the Cloud for scenario...

    Read the article

  • Microsoft gives students free access to Office 365 provided that all teachers have a license

    Microsoft gives students free access to Office 365 provided that all teachers have a license. At the Educause 2013 conference, Microsoft announced the launch of a new program, Student Advantage, which would allow students to access Office 365 free of charge provided that their tuition is fully paid. Thus, from December 1, any academic institution holding Office 365 ProPlus or Office Professional Plus licenses for its entire body...

    Read the article

  • Windows 8.1 RT back on the Windows Store, Microsoft fixes the error that prevented installation of the OS

    Windows 8.1 RT back on the Windows Store. Microsoft fixes the error that prevented installation of the OS. Updated 23/10/13. Tablet users on Windows 8.1 can resume downloading and installing the Windows 8.1 RT update on their devices. The update had been pulled from the Windows Store following a bug that could cause the installation of Windows 8.1 to fail on some devices and the blue screen to be displayed. Microsoft had indicated...

    Read the article

  • Windows Azure: Microsoft rolls out a series of updates to its Cloud service, the company is betting on simplicity of operations

    Windows Azure: Microsoft rolls out a series of updates to its Cloud service, the company is betting on simplicity of operations. Microsoft has announced the rollout of a set of updates for its Cloud service. Among the new features is the general availability of the recovery services. Windows Azure Backup lets administrators and developers back up selectively. All data is encrypted on site before being sent to the Cloud....

    Read the article

  • Write-only collections in MongoDB

    - by rcoder
    I'm currently using MongoDB to record application logs, and while I'm quite happy with both the performance and with being able to dump arbitrary structured data into log records, I'm troubled by the mutability of log records once stored.

    In a traditional database, I would structure the grants for my log tables such that the application user had INSERT and SELECT privileges, but not UPDATE or DELETE. Similarly, in CouchDB, I could write an update validator function that rejected all attempts to modify an existing document. However, I've been unable to find a way to restrict operations on a MongoDB database or collection beyond the three access levels (no access, read-only, "god mode") documented in the security topic on the MongoDB wiki.

    Has anyone else deployed MongoDB as a document store in a setting where immutability (or at least change tracking) for documents was a requirement? What tricks or techniques did you use to ensure that poorly-written or malicious application code could not modify or destroy existing log records? Do I need to wrap my MongoDB logging in a service layer that enforces the write-only policy, or can I use some combination of configuration, query hacking, and replication to ensure a consistent, audit-able record is maintained?

    Read the article

  • Microsoft SyncFramework - Sync different tables into one

    - by evnu
    Hello, we are trying to get the Microsoft SyncFramework running in our application to synchronize an Oracle DB with a mobile device.

    Problem

    The queries that we need to gather the data on the Oracle DB take much time (and we haven't found a way to speed them up yet), so we try to split them up into as many portions as possible. One big part of the whole problem is that we need different information out of one big table, which bloats a query if combined. Unfortunately, the SyncFramework allows only one TableAdapter per SyncTable. Now this is a problem for our application: if we were able to use more than one TableAdapter per SyncTable, we could easily spread the queries in a more efficient way. Using one query per Table which combines all the needed data takes way too much time.

    Ideas

    I thought of creating different TableAdapters for each one of the required queries and then merging the resulting datasets afterwards (preferably on the server). This seems to work, but is a rather awkward solution. Does any of you know a better solution? Or do you have some ideas that could help?

    Thanks in advance, evnu

    EDIT: So, I implemented the merge solution. If you are interested, take a look at the following code. I'll give more details if there are questions.

        Imports System.Collections.Generic
        Imports System.Data
        Imports System.IO
        Imports System.Runtime.Serialization.Formatters.Binary
        Imports System.Web.Services
        Imports Microsoft.Synchronization.Data

        <WebMethod()> _
        Public Function GetChanges(ByVal groupMetadata As SyncGroupMetadata, ByVal syncSession As SyncSession) As SyncContext
            Dim stream As MemoryStream
            Dim format As BinaryFormatter = New BinaryFormatter
            Dim anchors As Dictionary(Of String, Byte())

            ' keep track of the tables that will be updated
            Dim addTables As Dictionary(Of String, List(Of SyncTableMetadata)) = New Dictionary(Of String, List(Of SyncTableMetadata))

            ' list of all present anchors
            Dim allAnchors As Dictionary(Of String, Byte()) = New Dictionary(Of String, Byte())

            ' fill allAnchors - deserialize all given anchors
            ' note: BinaryFormatter.Deserialize is not safe on untrusted input; these anchor bytes come from the caller
            For Each Table As SyncTableMetadata In groupMetadata.TablesMetadata
                ' OrElse short-circuits, so IsNull is never read on a Nothing anchor
                If Table.LastReceivedAnchor Is Nothing OrElse Table.LastReceivedAnchor.IsNull Then Continue For
                stream = New MemoryStream(Table.LastReceivedAnchor.Anchor)
                anchors = DirectCast(format.Deserialize(stream), Dictionary(Of String, Byte()))
                For Each item As KeyValuePair(Of String, Byte()) In anchors
                    ' indexer assignment tolerates the same key arriving from more than one table's anchor
                    allAnchors(item.Key) = item.Value
                Next
                stream.Dispose()
            Next

            For Each Table As SyncTableMetadata In groupMetadata.TablesMetadata
                If allAnchors.ContainsKey(Table.TableName) Then
                    Table.LastReceivedAnchor.Anchor = allAnchors(Table.TableName)
                End If
                Dim addSyncTables As List(Of SyncTableMetadata)
                If syncSession.SyncParameters.Contains(Table.TableName) Then
                    ' the sync parameter holds a ":"-separated list of additional table names
                    Dim tableNames() As String = syncSession.SyncParameters(Table.TableName).Value.ToString.Split(":"c)
                    addSyncTables = New List(Of SyncTableMetadata)
                    For Each tableName As String In tableNames
                        Dim newSynctable As SyncTableMetadata = New SyncTableMetadata
                        newSynctable.TableName = tableName
                        If allAnchors.ContainsKey(tableName) Then
                            Dim anker As SyncAnchor = New SyncAnchor(allAnchors(tableName))
                            newSynctable.LastReceivedAnchor = anker
                        Else
                            newSynctable.LastReceivedAnchor = Nothing
                        End If
                        newSynctable.SyncDirection = Table.SyncDirection
                        addSyncTables.Add(newSynctable)
                    Next
                    addTables.Add(Table.TableName, addSyncTables)
                End If
            Next

            ' add the newly created synctables
            For Each item As KeyValuePair(Of String, List(Of SyncTableMetadata)) In addTables
                For Each Table As SyncTableMetadata In item.Value
                    groupMetadata.TablesMetadata.Add(Table)
                Next
            Next

            ' fire queries
            Dim context As SyncContext = servSyncProvider.GetChanges(groupMetadata, syncSession)

            ' merge resulting datasets
            For Each item As KeyValuePair(Of String, List(Of SyncTableMetadata)) In addTables
                For Each Table As SyncTableMetadata In item.Value
                    If context.DataSet.Tables.Contains(Table.TableName) Then
                        If Not context.DataSet.Tables.Contains(item.Key) Then
                            Dim tmp As DataTable = context.DataSet.Tables(Table.TableName).Copy
                            tmp.TableName = item.Key
                            context.DataSet.Tables.Add(tmp)
                        Else
                            context.DataSet.Tables(item.Key).Merge(context.DataSet.Tables(Table.TableName))
                            context.DataSet.Tables.Remove(Table.TableName)
                        End If
                    End If
                Next
            Next

            ' create new anchors
            Dim allAnchorsDict As Dictionary(Of String, Byte()) = New Dictionary(Of String, Byte())
            For Each Table As SyncTableMetadata In groupMetadata.TablesMetadata
                allAnchorsDict.Add(Table.TableName, context.NewAnchor.Anchor)
            Next
            stream = New MemoryStream
            format.Serialize(stream, allAnchorsDict)
            context.NewAnchor.Anchor = stream.ToArray
            stream.Dispose()
            Return context
        End Function

    Read the article

  • input type file alternative and file upload best practice

    - by Ioxp
    Background: I am working on a file upload page that will extend an existing web portal. This page will allow for an end user to upload files from their local computer to our network (the files will not be stored on the web server, rather a remote workstation). The end user will have the ability to view the data that they have submitted by hyper-linking the files that have been uploaded on this page.

    Question 1: Is there an ASP.net alternative to the <input type="file" runat="server" /> HTML tag? The reason for asking is I would rather use an image button and display the file as an asp label on the portal to keep with a consistent style.

    Question 2: So I understand that giving the end user the ability to upload files to the server and then turn around to show them the data that they posted poses a security threat. So far I am using the id.PostedFile.ContentType and the file extension to reject the data if it's not an accepted format (i.e. "text/plain", "application/pdf", "application/vnd.ms-excel", or "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"). Also the location where the files are uploaded to has a sufficient amount of virus and malware protection and this is not a concern. What, from the C# point of view, additional steps should I take to ensure that the end user can't take advantage and compromise the system in regards to allowing them to upload files?

    Read the article

  • How to authenticate a Windows Mobile client calling web services in a Web App

    - by cdonner
    I have a fairly complex business application written in ASP.NET that is deployed on a hosted server. The site uses Forms Authentication, and there are about a dozen different roles defined. Employees and customers are both users of the application. Now I have the requirement to develop a Windows Mobile client for the application that allows a very specialized set of tasks to be performed from a device, as opposed to a browser on a laptop. The client wants to increase productivity with this measure. Only employees will use this application. I feel that it would make sense to re-use the security infrastructure that is already in place. The client does not need offline capability. My thought is to deploy a set of web services to a folder of the existing site that only the new role "web service" has access to, and to use Forms Authentication (from a Windows Mobile 5/.Net 3.5 client). Can I do that, is that a good idea, and are there any code examples/references that you can point me to?

    Read the article

  • How to secure Add child record functionality in MVC on Parent's view?

    - by RSolberg
    I'm trying to avoid some potential security issues as I expose a new set of functionality into the real world. This is basically functionality that will allow for a new comment to be added via a partialview on the "Parent" page. My comment needs to know a couple of things, first what record is the comment for and secondly who is making the comment. I really don't like using a hidden field to store the ID for the Parent record in the add comment form as that can be easily changed with some DOM mods. How should I handle this?

    PARENT

        <% Html.RenderPartial("AddComment", Model.Comments); %>

    CHILD

        <%@ Control Language="C#" Inherits="System.Web.Mvc.ViewUserControl<CommentsViewModel>" %>
        <% using (Html.BeginForm("AddComment", "Requests")) {%>
            <fieldset>
                <legend>New Comment</legend>
                <%= Html.HiddenFor(p => p.RequestID) %>
                <%= Html.TextBoxFor(p => p.Text) %>
                &nbsp;
                <input type="submit" value="Add" />
            </fieldset>
        <% } %>

    CONTROLLER

        [AcceptVerbs(HttpVerbs.Post)]
        public void AddComment(CommentsViewModel commentsModel)
        {
            var user = GetCurrentUser();
            commentsModel.CreatedByID = user.UserID;
            RequestsService.AddComment(commentsModel);
        }

    Read the article

  • Applying business logic to form elements in ASP.NET MVC

    - by Brettski
    I am looking for best practices in applying business logic to form elements in an ASP.NET MVC application. I assume the concepts would apply to most MVC patterns. The goal is to have all the business logic stem from the same place.

    I have a basic form with four elements:

      • Textbox: for entering data
      • Checkbox: for staff approval
      • Checkbox: for client approval
      • Button: for submitting form

    The textbox and two check boxes are fields in a database accessed using LINQ to SQL. What I want to do is put logic around the check boxes on who can check them and when.

    Truth table (little silly but it's an example):

        when checked    || may check Staff || may check Client
        Staff | Client  || Staff | Client  || Staff | Client
          0   |   0     ||   1   |   0     ||   0   |   1
          0   |   1     ||   0   |   0     ||   0   |   1
          1   |   0     ||   1   |   0     ||   0   |   1
          1   |   1     ||   0   |   0     ||   0   |   1

    There are two security roles, staff and client; a person's role determines who they are, the roles are maintained in the database along with the current state of the check boxes.

    So I can simply store the user's role in the view class and enable and disable check boxes based on their role, but this doesn't seem proper. That is putting logic in the UI to control which actions can be taken.

    How do I get most of this control down into the model? I mean I need to control which check boxes are enabled and then check the results in the model when the form is posted, so it seems the best place for it to originate.

    I am looking for a good approach to constructing this, something to follow as I build the application. If you know of some great references which explain these best practices that is really appreciated too.

    Read the article

  • WCF Service Impersonation

    - by robalot
    Good Day Everyone... Apparently, I'm not setting up impersonation correctly for my WCF service. I do NOT want to set security on a method-by-method basis (in the actual code-behind). The service (at the moment) is open to be called by everyone on the intranet. So my questions are…

    Q: What web-config tags am I missing?
    Q: What do I need to change in the web-config to make impersonation work?

    The Service Web.config Looks Like...

        <configuration>
          <system.web>
            <authorization>
              <allow users="?"/>
            </authorization>
            <authentication mode="Windows"/>
            <identity impersonate="true" userName="MyDomain\MyUser" password="MyPassword"/>
          </system.web>
          <system.serviceModel>
            <services>
              <service behaviorConfiguration="wcfFISH.DataServiceBehavior" name="wcfFISH.DataService">
                <endpoint address="" binding="wsHttpBinding" contract="wcfFISH.IFishData">
                  <identity>
                    <dns value="localhost"/>
                  </identity>
                </endpoint>
                <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
              </service>
            </services>
            <behaviors>
              <serviceBehaviors>
                <behavior name="wcfFISH.DataServiceBehavior">
                  <serviceMetadata httpGetEnabled="false"/>
                  <serviceDebug includeExceptionDetailInFaults="false"/>
                </behavior>
              </serviceBehaviors>
            </behaviors>
          </system.serviceModel>
        </configuration>

    Read the article

  • Clipboard Copy-Paste doesn't work on Win Server 2008/Vista 64bit

    - by Itay Levin
    Hi, I am trying to use the Clipboard API (in Delphi) to extract images from Word documents. My code works OK in Windows XP/2003 but in Windows 2008 64 bit it doesn't work. In win 2008 I get an error saying that Clipboard.Formats is empty and doesn't contain any format. The image seems to be copied to the Clipboard (I can see it in the clipboard via Word) but when I try to ask the clipboard what format it has, it says it doesn't have any formats. How can I access the clipboard programmatically on win 2008/Vista? From what I know of 2008 64 bit, it might be a security issue...

    Here is the code snippet. This is how I am trying to copy the image to the clipboard:

        W.ActiveDocument.InlineShapes.Item(1).Select; // W is a word ole object
        W.Selection.Copy;

    and this is how I try to paste it:

        Clipboard.Open;
        Write2DebugFile('FormatCount = ' + IntToStr(Clipboard.FormatCount)); // FormatCount=0
        // Clipboard.Formats is zero-based: valid indexes are 0 .. FormatCount - 1
        For JJ := 0 to Clipboard.FormatCount - 1 Do
          Write2DebugFile('#' + IntToStr(JJ) + ':' + IntToStr(Clipboard.Formats[JJ]));
        If (Clipboard.HasFormat(CF_BITMAP)) or (Clipboard.HasFormat(CF_PICTURE)) or (Clipboard.HasFormat(CF_METAFILEPICT)) then // all HasFormat calls returns false.
        Begin
          Jpeg := TJPEGImage.Create;
          Bitmap := TBitmap.Create;
          Bitmap.LoadFromClipboardFormat(cf_BitMap, ClipBoard.GetAsHandle(cf_Bitmap), 0);
          Jpeg.Assign(Bitmap);
          Jpeg.SaveToFile(JpgFileN);
          try Jpeg.Free; except; end;
          ResizeImage(JpgFileN, 750);
          Write2DebugFile('Saving ' + JpgFileN);
        End
        else
          Write2DebugFile('Doesnt have the right format');

    Thanks in advance, Itay

    Read the article

  • Is an LSA MSV1_0 subauthentication package needed for some impersonation use cases?

    - by Chris Sears
    Greetings, I'm working with a vendor who has implemented some code that uses a Windows LSA MSV1_0 subauthentication package (MSDN info if you're interested: http://msdn.microsoft.com/en-us/library/aa374786(VS.85).aspx ) and I'm trying to figure out if it's necessary. As far as I can tell, the subauthentication routine and filter allow for hooking or customizing the standard LSA MSV1_0 logon event processing. The issue is that I don't understand why the vendor's product would need these capabilities. I've asked them and they said they use it to perform impersonation. The product definitely does need to do impersonation, but based on my limited win32 knowledge, they could get the functionality they need using the normal auth APIs (LsaLogonUser, ImpersonateLoggedOnUser, etc) without the subauthentication package. Furthermore, I've worked with a number of similar products that all do impersonation, and this is the only one that's used a subauthentication package. If you're wondering why I would care, a previous version of the product had a bug in the subauthentication package dll that would cause lockups or bluescreens. That makes me rather nervous and has me questioning the use of such a low-level, kernel sensitive interface. I'd like to go back to the vendor and say "There's no way you could need an LSA subauth package for impersonation - take it out", but I'm not sure I understand the use cases and possible limitations of the standard win32 authentication/impersonation APIs well enough to make that claim definitively. So, to the win32 security gurus out there, is there any reason you would need an LSA MSV1_0 subauthentication package if all you were doing is impersonation? Thanks in advance for any thoughts!

    Read the article

  • ACL architecture for a Software As a service in Spring 3.0

    - by geoaxis
    I am making a software as a service using Spring 3.0 (Spring MVC, Spring Security, Spring Roo, Hibernate). I have to come up with a flexible access control list mechanism. I have three different kinds of users:

      • System (who can do anything to the system, includes admin and internal daemons)
      • Operations (who can add and delete users, organizations, and do maintenance work on behalf of users and organizations)
      • End Users (they belong to one or more organizations; for each organization, the user can have one or more roles, like being organization admin, or organization read-only member) (a role like orgadmin can also add users for that organization)

    Now my question is, how should I model the entity of User? If I just take the End User, it can belong to one or more organizations, so each user can contain a set of references to its organizations. But how do we model the user's role for each organization? So for example User UX belongs to organizations og1, og2 and og3, and for og1 he is both orgadmin and org-read-only-user, whereas for og2 he is only orgadmin and for og3 he is only org-read-only-user.

    I have the possibility of making each user belong to one organization alone, but that's making the system bounded and I don't like that idea (although I would still satisfy the requirement).

    If you have a better extensible ACL architecture, please suggest it. Since it's a software as a service, one would expect that a lot of different organizations would be part of the same system. I had one concern that it is not a good idea to keep og1 and og2 data on the same DB (if og1 decides to spawn 100 reports on the system, og2 should not suffer). But that is something advanced for now and is not directly related to ACL but to the physical distribution of data and setup of services based on those ACLs.

    This is a community Wiki question, please correct anything which you wish to do so. Thanks

    Read the article

  • Secure Password Storage and Transfer

    - by Andras Zoltan
    I'm developing a new user store for my organisation and am now tackling password storage. The concepts of salting, HMAC etc are all fine with me - and want to store the users' passwords either salted and hashed, HMAC hashed, or HMAC salted and hashed - not sure what the best way will be - but in theory it won't matter as it will be able to change over time if required. I want to have an XML & JSON service that can act as a Security Token Service for client-side apps. I've already developed one for another system, which requires that the client double-encrypts a clear-text password using SHA1 first and then HMACSHA1 using a 128 unique key (or nonce) supplied by the server for that session only. I'd like to repeat this technique for the new system - upgrading the algo to SHA256 (chosen since implementations are readily available for all aforementioned platforms - and it's much stronger than SHA1) - but there is a problem. If I'm storing the password as a salted hash in the user-store, the client will need to be sent that salt in order to construct the correct hash before being HMACd with the unique session key. This would completely go against the point of using a salt in the first place. Equally, if I don't use salt for password storage, but instead use HMAC, it's still the same problem. At the moment, the only solution I can see is to use naked SHA256 hashing for the password in the user store, so that I can then use this as a starting point on both the server and the client for a more secure salted/hmacd password transfer for the web service. This still leaves the user store vulnerable to a dictionary attack were it ever to be accessed; and however unlikely that might be - assuming it will never happen simply doesn't sit well with me. Greatly appreciate any input.

    Read the article
