Search Results

Search found 13222 results on 529 pages for 'security gate'.

Page 29/529 | < Previous Page | 25 26 27 28 29 30 31 32 33 34 35 36  | Next Page >

  • How to inherit from DataAnnotations.ValidationAttribute (it appears SecureCritical under Visual Stud

    - by codetuner
    Hi, I have an [AllowPartiallyTrustedCallers] class library containing subtypes of the System.DataAnnotations.ValidationAttribute. The library is used on contract types of WCF services. In .NET 2/3.5, this worked fine. Since .NET 4.0 however, running a client of the service in the Visual Studio debugger results in the exception "Inheritance security rules violated by type: '(my subtype of ValidationAttribute)'. Derived types must either match the security accessibility of the base type or be less accessible." (System.TypeLoadException) The error appears to occure only when all of the following conditions are met: a subclass of ValidationAttribute is in an AllowPartiallyTrustedCallers assembly reflection is used to check for the attribute the Visual Studio hosting process is enabled (checkbox on Project properties, Debug tab) So basically, in Visual Studio.NET 2010: create a new Console project, add a reference to "System.ComponentModel.DataAnnotations" 4.0.0.0, write the following code: . using System; [assembly: System.Security.AllowPartiallyTrustedCallers()] namespace TestingVaidationAttributeSecurity { public class MyValidationAttribute : System.ComponentModel.DataAnnotations.ValidationAttribute { } [MyValidation] public class FooBar { } class Program { static void Main(string[] args) { Console.WriteLine("ValidationAttribute IsCritical: {0}", typeof(System.ComponentModel.DataAnnotations.ValidationAttribute).IsSecurityCritical); FooBar fb = new FooBar(); fb.GetType().GetCustomAttributes(true); Console.WriteLine("Press enter to end."); Console.ReadLine(); } } } Press F5 and you get the exception ! Press Ctrl-F5 (start without debugging), and it all works fine without exception... The strange thing is that the ValidationAttribute will or will not be securitycritical depending on the way you run the program (F5 or Ctrl+F5). As illustrated by the Console.WriteLine in the above code. But then again, this appear to happen with other attributes (and types?) too. Now the questions... Why do I have this behaviour when inheriting from ValidationAttribute, but not when inheriting from System.Attribute ? (Using Reflector I don't find special settings on the ValidationAttribute class or it's assembly) And what can I do to solve this ? How can I keep MyValidationAttribute inheriting from ValidationAttribute in an AllowPartiallyTrustedCallers assembly without marking it SecurityCritical, still using the new .NET 4 level 2 security model and still have it work using the VS.NET debug host (or other hosts) ?? Thanks a lot! Rudi

    Read the article

  • Spring-Security with X509?

    - by jschoen
    I am new to spring-security in general and am a bit confused. The project I am trying to integrate this with uses X509 certificates to identify users for signing in to the application. There are no usernames or passwords. We validate the certificates are good, and that they have been given access to our app. The question is how do I integrate spring in to this to get their roles using the X509 certificates? I have seen this: <http> ... <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/> ... </http> But I don't understand how this works. Will it still require something for a password? Or is the subject all it needs?

    Read the article

  • Jersey, Spring, Tomcat and Security Annotations

    - by jr
    I need to secure a simple jersey RESTful API in a Tomcat 6.0.24 container. I'd like to keep the authentication with Basic Authentication using the tomcat-users.xml file to define the users and roles (this is for now, like I said its small). Now, for authorization I'd like to be able to use the JSR 250 annotations like @RolesAllowed, @PermitAll, @DenyAll, etc. I cannot for the life of me figure out how to wire this all up together. I really don't want to go spring-security route, since I need something very simple at the current time. Can someone point me in the right direction.

    Read the article

  • Visual Studio / Visual Source Safe / Integrated Security / IIS 7

    - by Jason
    Using Visual Source Safe with IIS integration (the working dir is the IIS site) Visual Studio, pointed to the IIS site would load up the Web project. It would be under VSS control (have to check out files, etc). Recently, we had to switch to Integrated Security for our database connections from the web app. This means changing the impersonation of the IIS app pool (and anon authentication) to the impersonated account. Since I did this -- my project loads in Visual Studio, but it acts as if I'm not me, and the files aren't under source control anymore. I'm going to assume it's something with the pass-through from IIS to the VSS (as if you'll remember you had to add IIS_USERS to the VSS list of users). Even trying to add the impersonated account didn't work. Any ideas?

    Read the article

  • How to tell wether Code Access Security is allowed in library code

    - by Sander Rijken
    in .NET 4 Code Access Security (CAS) is deprecated. Whenever you call a method that implicitly uses it, it fails with a NotSupportedException, that can be resolved with a configuration switch that makes it fall back to the old behavior. We have a common library that's used in both .NET 3.5 and .NET 4, so we need to be able to tell wether or not we should use the CAS method. For example, in .NET 3.5 I should call: Assembly.Load(string, Evidence); Whereas in .NET 4 I want to call Assembly.Load(string); Calling Load(string, Evidence) throws a NotSupportedException. Ofcourse this works, but I'd like to know if there's a better method: try { asm = Assembly.Load(someString, someEvidence); } catch(NotSupportedException) { asm = Assembly.Load(someString); }

    Read the article

  • Spring security custom principal bean

    - by wuntee
    I have a web application that is set up to use the default ldap server/authentication manager/authentication provider/user service. I have another DAO that already does majority of the work that those do (besides the authenticating a user) using Spring-LDAP. My problem is that I want the principal to be of my own custom bean class. What is the simplest way to do this? Initially I was thinking to create a custom authentication provider, but since the default one does exactly what I want, there doesnt seem to be a need. I am thinking I just need to override whatever object actually returns the Principal bean. Is this possible, and able to be injected into the security ldap authenticator context?

    Read the article

  • security issue of Linux sudo command?

    - by George2
    Hello everyone, 1. I am using Red Hat Enterprise 5 Linux box. I find if a user is in /etc/sudoers file, then if the user run command with sudo, the user will run this command with root privilege (without knowing root password, the user runs sudo only need to input the user's own password in order to run a command with sudo). Is that correct understanding? 2. If yes, then is it a security hole? Since users other than root could run with root privilege? thanks in advance, George

    Read the article

  • Security flaw in this code approach

    - by Alec Smart
    Hello, Am wondering if there would be any security flaw in this approach. I am writing a piece of code which allows users to upload files and another set to download those files. These files can be anything. User uploads the file (any file including .php files), it is renamed to an md5 hash (extension removed) and stored on server. A corresponding mySQL entry is made. The user trying to download the file, uses say download.php to download the file where the md5 file is sent (with the original name). Is there someway in which anyone can exploit the above scenario?

    Read the article

  • Spring security accessing principal

    - by wuntee
    When using spring security, specifically with @notation; what is the proper way to access the principal in a Controller? Lets say the following is my controller, but I would like to access the principal in the secure() method somewhere... @Controller public class LoginController { @RequestMapping(value = "/login", method = RequestMethod.GET) public String login(ModelMap map, @RequestParam(value="fail" , required=false) String fail){ map.addAttribute("title", "Login: AD Credentials"); if(fail != null){ map.addAttribute("error", "Invalid credentials"); } return("login"); } @RequestMapping("/secure") @PreAuthorize("isAuthenticated()") public String secure(ModelMap map, String principal){ System.out.println(principal); return("secure"); } }

    Read the article

  • Image Uploading - security issues

    - by TenaciousImpy
    Hi, I'm developing an ASP.NET Web app and would like the user to be able to either upload an image from their local system, or pass in a URL to an image. The image can either be a JPG or PNG. What security issues should I be concerned about doing this? I've seen various ways of embedding code within JPG files. Are there any methods in C# (or external libraries) which can confirm that a file is a JPG/PNG, otherwise throw an error? At the very least, I'm making the directory which holds uploaded images non-browsable and putting a max size limit of 1mb, but I'd like to implement further checks. Thanks for any advice.

    Read the article

  • Security problem

    - by Mehmet Kaleli
    Hi All. I have a security problem in my website. A script code was added into my all pages like "<script src="Ip address/viewpic.asp"></script>" . It is between </head> and <body> tag. Now Google says "this site may be hartful for your pc!" about my site. How can i secure my website? I use C# and Visual Studio 2008.

    Read the article

  • Methods for ensuring security between users in multi-user applications

    - by Emilio
    I'm writing a multiuser application (.NET - C#) in which each user's data is separated from the others and there is no data that's common between users. It's critical to ensure that no user has access to another user's data. What are some approaches for implementing security at the database level and/or in the application architecture to to accomplish this? For example (and this is totally made up - I'm not suggesting it's a good or bad approach) including a userID column in all data tables might be an approach. I'm developing the app in C# (asp.net) and SQL Server 2008. I'm looking for options that are are either native in the tools I'm using or general patterns.

    Read the article

  • Help with Role Based Security.

    - by Bill K
    Hello, I'm trying to understand role based security and I have the following method: [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] static void Test() { //administratos only can call this code } What I wanna do is that only users that are members of the Windows Administrators group can call this code, however, if I do the following, it works: GenericIdentity genericIdentity = new GenericIdentity("test", "test"); GenericPrincipal genericPrincipal = new GenericPrincipal(genericIdentity, new string[] { "Administrators" }); AppDomain.CurrentDomain.SetThreadPrincipal(genericPrincipal); Test(); So, how can I make it work only if the user is in the Administrators windows group? thanks!

    Read the article

  • Quick MySQLi security question

    - by Benjamin Falk
    I have a quick MySQLi security related question... For example, take a look at this code (gets in put from the user, checks it against the database to see if the username/password combination exist): $input['user'] = htmlentities($_POST['username'], ENT_QUOTES); $input['pass'] = htmlentities($_POST['password'], ENT_QUOTES); // query db if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username=? AND password = ?")) { $stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt'])); $stmt->execute(); $stmt->store_result(); // check if there is a match in the database for the user/password combination if ($stmt->num_rows > 0) {} } In this case, I am using htmlentities() on the form data, and using a MySQLi prepared statement. Do I still need to be using mysql_real_escape_string()?

    Read the article

  • Reading data from a socket, considerations for robustness and security

    - by w.brian
    I am writing a socket server that will implement small portions of the HTTP and the WebSocket protocol, and I'm wondering what I need to take into consideration in order to make it robust/secure. This is my first time writing a socket-based application so please excuse me if any of my questions are particularly naive. Here goes: Is it wrong to assume that you've received an entire HTTP request (WebSocket request, etc) if you've read all data available from the socket? Likewise, is it wrong to assume you've only received one request? Is TCP responsible for making sure I'm getting the "message" all at once as sent by the client? Or do I have to manually detect the beginning and end of each "message" for whatever protocol I'm implementing? Regarding security: What, in general, should I be aware of? Are there any common pitfalls when implementing something like this? As always, any feedback is greatly appreciated.

    Read the article

  • Security issues with rights to Network Service account

    - by Shrewd Demon
    hi, i have a page where the user can upload files on the server. Due to some problem related to account rights it was not working. Then i gave full rights to the Network Service account. I just wanted to know if there are any security breaching related issues with this solution, because i will be publishing the same to the client. If there are problems with this then kindly help with proper solution. any help will be appreciated... thank you.

    Read the article

  • Testing ASP.NET security in Firefox

    - by blahblah
    I'm not sure whether this question belongs on StackOverflow or SuperUser, but here goes nothing... I'm trying to test out some basic security problems on my personal ASP.NET website to see exactly how the custom validators, etc. work when tampering with the data. I've been looking at the Firefox extension TamperData which seems to do the trick, but it doesn't feel very professional at all. The issues I'm having with TamperData is that the textbox for the POST data is way too small to hold the ASP.NET view-state, so I have to copy that data into Emacs and then back again to be productive at all. I also don't like that there doesn't seem to be an option to only tamper with data which is from/to localhost. Any ideas on better extensions for the task or better methods to test it?

    Read the article

  • What would you like to see in an beginner's ASP.NET security book

    - by blowdart
    This is a shameless information gathering exercise for my own book. One of the talks I give in the community is an introduction to web site vulnerabilities. Usually during the talk I can see at least two members of the audience go very pale; and this is basic stuff, Cross Site Scripting, SQL Injection, Information Leakage, Cross Site Form Requests and so on. So, if you can think back to being one, as a beginning web developer (be it ASP.NET or not) what do you feel would be useful information about web security and how to develop securely? I will already be covering the OWASP Top Ten (And yes this means stackoverflow will be in the acknowledgements list if someone comes up with something I haven't thought of yet!) It's all done now, and published, thank you all for your responses

    Read the article

  • Amazon S3 security credentials per bucket

    - by slythic
    Hi all, I was wondering if it was possible to generate security credentials per individual Amazon S3 bucket. I am working with a developer and would like to grant him access only to the bucket we are working with. It's not a trust issue, it's more a concern that he'll delete the wrong bucket or its contents. For example: If we were working on an application that used a bucket called test-application I could generate the credentials for just that one bucket. These credentials would not allow access to other buckets in my account. Is this possible? Thanks, Tony

    Read the article

  • Security in API authentication

    - by Carlos
    We are in the process of revamping our server side API, and we need to manage security. Our current model requires that a credentials object (containing user, password, and pin) be included in each method invocation. Our development team, however, has decided that we should have session objects instead (which is fine by me), but the new credentials are just a GUID. This is very different from what I've seen in other APIs in our industry, so I'm a bit concerned about how secure the new model will be. I asked them if they had analyzed both alternatives, and they said they haven't. Does anyone know if there're any clear advantages, disadvantages, risks, etc. of using a set of credentials versus just one element (complex as it may be)? PS: the communication channel would be secure in either case, and it's separate from this particular topic

    Read the article

  • .NET WebService Security who can see and use.

    - by user295734
    Trying to firgure out how to test the security of a WebService. Is there some way to search a site for webservices? I have 2 applications one has a webservice and the other a reference to that service. I let visual studio build the reference in the App_WebReferences folder. The webservice works, but i started wondering, can anyone access this service from any website? If so, how can i test this? How do you search a site for webservices? Could I use jQuery/JSON code from a simple site to access a webservice? I guess if it is not secure, how do you secure a webservice?

    Read the article

  • google account security ?

    - by Chez
    I want to write a web-app which would ask the user to pass their google account (user and pwd) so that it can access their google data. I understand google supports alternative ways to do this, such as AuthSub and OathAuthSub. Also google discourages apparently clientLogin (which would be my approach) for web apps. My question is: if I were asking the user to register to my app by passing me a 'read only' google account ? so effectively I don't ask them to pass me their account but to create another account which is readonly. does anybody see anything wrong with this ? am I missing something ? Since their google account continues to be the admin they don't risk (in terms of security) anything. Any help would be welcome ? Thanks

    Read the article

  • Spring security and Struts 2

    - by Thanksforfish
    I have a struts2 action with an @Secured({"ROLE_ADMIN"}) to secure the execute method. In the execute method i assign a message to a member variable of the action, then return SUCCESS and end up on the jsp page. On the page I retrieve the actions member variable with <sroperty. private String greeting; public String execute() throws Exception { this.greeting="Hello"; return SUCCESS; } // getters and setters for greeting ... <s:property value="greeting" /> The problem is when the secured annotation is present the jsp shows nothing for the member variable but when @Secured is removed the whole thing behaves properly and shows the message that was set into the member variable. It appears that the actual security is working ok but when enabled via the annotation the member variable (or maybe the instance of the action) is not making its way onto the value stack. I cant see any error messages.

    Read the article

  • ASP.Net Roles: Page-Level Security Question

    - by jlrolin
    We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to. We can limit the menu's options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or having old bookmarks. Obviously, we need some sort of page level access. A simple function in our Base Page class that checks the role in the Arraylist against the page's assigned role would work, but I was wondering if there was any built-in functionality to support this or a cleaner solution possibly.

    Read the article

  • Apache security for multi-user development web server.

    - by mrmartinblue
    I've been searching and reading through documents all morning and understand that I need to use some combination of chown and probably 'jailing' to securely give programmers access to directories on my centos webserver. Here's the situation: I have an apache web server that has any number of virtual sites located in /var/www/site1 /var/www/site2 etc.. I have different developers that need full access both ssh and vsFTP to only the site they are working on. What is the best way to create and maintain security in this scenario. My thought would be to create a new user for each coder, jail that user to the website directory they are allowed to work in, add their user to a group and set the webroot's owner to that group. Any thoughts? Good, bad, ugly? Thanks!

    Read the article

< Previous Page | 25 26 27 28 29 30 31 32 33 34 35 36  | Next Page >