Search Results

Search found 14771 results on 591 pages for 'security policy'.

Page 30/591 | < Previous Page | 26 27 28 29 30 31 32 33 34 35 36 37  | Next Page >

  • Router 2wire, Slackware desktop in DMZ mode, iptables policy aginst ping, but still pingable

    - by skriatok
    I'm in DMZ mode, so I'm firewalling myself, stealthy all ok, but I get faulty test results from Shields Up that there are pings. Yesterday I couldn't make a connection to game servers work, because ping block was enabled (on the router). I disabled it, but this persists even due to my firewall. What is the connection between me and my router in DMZ mode (for my machine, there is bunch of others too behind router firewall)? When it allows router affecting if I'm pingable or not and if router has setting not blocking ping, rules in my iptables for this scenario do not work. Please ignore commented rules, I do uncomment them as I want. These two should do the job right? iptables -A INPUT -p icmp --icmp-type echo-request -j DROP echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all Here are my iptables: #!/bin/sh # Begin /bin/firewall-start # Insert connection-tracking modules (not needed if built into the kernel). #modprobe ip_tables #modprobe iptable_filter #modprobe ip_conntrack #modprobe ip_conntrack_ftp #modprobe ipt_state #modprobe ipt_LOG # allow local-only connections iptables -A INPUT -i lo -j ACCEPT # free output on any interface to any ip for any service # (equal to -P ACCEPT) iptables -A OUTPUT -j ACCEPT # permit answers on already established connections # and permit new connections related to established ones (eg active-ftp) iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Gamespy&NWN #iptables -A INPUT -p tcp -m tcp -m multiport --ports 5120:5129 -j ACCEPT #iptables -A INPUT -p tcp -m tcp --dport 6667 --tcp-flags SYN,RST,ACK SYN -j ACCEPT #iptables -A INPUT -p tcp -m tcp --dport 28910 --tcp-flags SYN,RST,ACK SYN -j ACCEPT #iptables -A INPUT -p tcp -m tcp --dport 29900 --tcp-flags SYN,RST,ACK SYN -j ACCEPT #iptables -A INPUT -p tcp -m tcp --dport 29901 --tcp-flags SYN,RST,ACK SYN -j ACCEPT #iptables -A INPUT -p tcp -m tcp --dport 29920 --tcp-flags SYN,RST,ACK SYN -j ACCEPT #iptables -A INPUT -p udp -m udp -m multiport --ports 5120:5129 -j ACCEPT #iptables -A INPUT -p udp -m udp --dport 6500 -j ACCEPT #iptables -A INPUT -p udp -m udp --dport 27900 -j ACCEPT #iptables -A INPUT -p udp -m udp --dport 27901 -j ACCEPT #iptables -A INPUT -p udp -m udp --dport 29910 -j ACCEPT # Log everything else: What's Windows' latest exploitable vulnerability? iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT" # set a sane policy: everything not accepted > /dev/null iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP iptables -A INPUT -p icmp --icmp-type echo-request -j DROP # be verbose on dynamic ip-addresses (not needed in case of static IP) echo 2 > /proc/sys/net/ipv4/ip_dynaddr # disable ExplicitCongestionNotification - too many routers are still # ignorant echo 0 > /proc/sys/net/ipv4/tcp_ecn #ping death echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # If you are frequently accessing ftp-servers or enjoy chatting you might # notice certain delays because some implementations of these daemons have # the feature of querying an identd on your box for your username for # logging. Although there's really no harm in this, having an identd # running is not recommended because some implementations are known to be # vulnerable. # To avoid these delays you could reject the requests with a 'tcp-reset': #iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset #iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT # To log and drop invalid packets, mostly harmless packets that came in # after netfilter's timeout, sometimes scans: #iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ "FIREWALL:INVALID" #iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP # End /bin/firewall-start Active ruleset: bash-4.1# iptables -L -n -v Chain INPUT (policy DROP 38 packets, 2228 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 844 542K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 38 2228 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FIREWALL:INPUT' 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 38 2228 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FIREWALL:INPUT' Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 1158 111K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Active ruleset: (after editing iptables into below sugested form) bash-4.1# iptables -L -n -v Chain INPUT (policy DROP 2567 packets, 172K bytes) pkts bytes target prot opt in out source destination 49 4157 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 412K 441M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2567 172K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FIREWALL:INPUT' 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 312K packets, 25M bytes) pkts bytes target prot opt in out source destination ping and syslog simultaneous screenshots from phone (pinger) and from laptop (being pinged) http://dl.dropbox.com/u/4160051/slckwr/pingfrom%20mobile.jpg http://dl.dropbox.com/u/4160051/slckwr/tailsyslog.jpg

    Read the article

  • Apply Group Policy to Remote Desktop Services users but not when they log on to their local system

    - by Kevin Murray
    Running Windows Server 2008 Service Pack 2 with Remote Desktop Services role. I want to hide the servers drives using a GPO, but not the users local drives when they are logged on to their local system. Using a GPO, I went to "User Configuration - Policies - Administrative Template - Windows Components - Windows Explorer" and enabled "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer" and in both used "Restrict all drives". Then under "Security Filtering" for the GPO, I restricted it to the system running Remote Desktop Services and the specific users who will be using RDS. I then applied the GPO to our domain and it worked a little too well. Not only was I successful in getting the GPO to work for RDS users, but it also affected those same users at their local systems as well. I've tried everything I can think of, but can't figure out how to apply this just to the RDS but not at their local system. What am I missing?

    Read the article

  • Security exception in Twitterizer

    - by Raghu
    Hi, We are using Twitterizer for Twitter integration to get the Tweets details. When making call to the method OAuthUtility.GetRequestToken, following exception is coming. System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. When the application is hosted on IIS 5, the application works fine and the above error is coming only when the application is hosted in IIS 7 on Windows 2008 R2. and the method OAuthUtility.GetRequestToken throws above exception. It seems the issue is something with code access security. Please suggest what kind of permissions should be given to fix the security exception. The application has the Full Trust and I have even tried by registering the Twitterizer DLL in GAC and still the same error is coming. I am not sure what makes the difference between IIS 5 and IIS 7 with regards to code access security to cause that exception. Following is the stack track of the exception. [SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.] System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0 System.Security.CodeAccessPermission.Demand() +54 Twitterizer.OAuthUtility.ExecuteRequest(String baseUrl, Dictionary`2 parameters, HTTPVerb verb, String consumerKey, String consumerSecret, String token, String tokenSecret, WebProxy proxy) +224 Twitterizer.OAuthUtility.GetRequestToken(String consumerKey, String consumerSecret, String callbackAddress, WebProxy proxy) +238 Twitter._Default.btnSubmit_Click(Object sender, EventArgs e) +94 System.Web.UI.WebControls.Button.OnClick(EventArgs e) +115 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +140 System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +11045655 System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +11045194 System.Web.UI.Page.ProcessRequest() +91 System.Web.UI.Page.ProcessRequest(HttpContext context) +240 ASP.authorization_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\twitter\c2fd5853\dcb96ae9\App_Web_y_ada-ix.0.cs:0 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +599 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171 Any help would be greatly appreciated. Thanks in advance. Regards, Raghu

    Read the article

  • Oracle is Proud Sponsor of Gartner Security and Risk Management Summit 2011

    - by Troy Kitch
    Oracle will have a very strong presence at this year’s Gartner Security and Risk Management Summit 2011 in Washington D.C., June 20-23. If you plan on being there, please be sure to stop by Oracle booth D and say “hi” to the Security Solution Experts. Please join us for the: Oracle Solution Provider Session Oracle Solution Showcase Receptions Oracle Face to Face Meetings We have some powerful database security demonstrations that we’re showing off. If you haven’t had an opportunity to check out the new Oracle Database Firewall, now’s your chance to learn why it’s the first line of defense in a database security defense in depth strategy. Additionally, Mark Morrison, director of intelligence community information assurance, and Pat Sack, VP of the Oracle national security group, will discuss U.S. government cross-domain secure information sharing. This case study session will explain how Oracle helped the U.S. government consolidate its mission-critical intelligence database infrastructure securely, and the underlying Oracle Database security solutions that can benefit any organization looking to increase business agility and drive down IT costs through database consolidation. Potomac Ballroom B Find out more about the event here. Twitter #GartnerSecurity to join the conversation.

    Read the article

  • New Cloud Security Book: Securing the Cloud by Vic Winkler

    - by user12608550
    It's rare that I read a technical book straight through; I usually read key chapters and save the rest for later reference. But Winkler's book, written by an accomplished and highly experienced security professional, was worth a complete read, cover to cover. Of the recently published cloud security books, such as... Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, by Tim Mather, Subra Kumaraswamy, and Shahed Latif; O'Reilly Media Inc, 2009; Cloud Computing: Implementation, Management, and Security, by John Rittenhouse and James Ransome; CRC Press 2010; Cloud Security: A Comprehensive Guide to Secure Cloud Computing, by Ronald Krutz and Russell Vines; Wiley Publishing Inc, 2010 ...Securing the Cloud is the most useful and informative about all aspects of cloud security. Clearly, through his experience, the author has thought through many practical issues of securing large, virtualized IT installations. His Chapter 6 on Best Practices and Chapter 9 with its valuable checklists are worth the price of the book. If you are among the many new cloud computing professionals, Securing the Cloud is an essential reference for your work.

    Read the article

  • Security Alert For CVE-2010-4476 Released

    - by eric.maurice
    Hello, this is Eric Maurice again. Oracle just released a Security Alert with a fix for the vulnerability CVE-2010-4476, which affects Oracle Java SE and Oracle Java For Business. This vulnerability is present in Java running on servers as well as standalone Java desktop applications. Its successful exploitation by a malicious attacker can result in a complete denial of service for the affected servers. While only recently publicly disclosed, a number of Internet sites have since then reproduced details about this vulnerability, including exploit codes, which may result in allowing a malicious attacker to create a denial of service condition against the targeted system. Oracle therefore strongly recommends that affected organizations apply this fix as soon as possible. Please note that a fix for this vulnerability will also be included in the upcoming Java Critical Patch Update (Java SE and Java for Business Critical Patch Update - February 2011), which will be released on February 15th 2011. Note that the impact of this vulnerability on desktops is minimal: the affected applications or applets running in Internet browsers for example, might stop responding and may need to be restarted; however the desktop itself will not be compromised (i.e. no compromise at the desktop OS level). Oracle therefore recommends that consumers use the Java auto-update mechanism to get this fix. This will prompt them to install the latest version of the Java Runtime Environment 6 update 24 or higher (JRE), which includes the fix for this vulnerability. JRE 6 update 24 will also be distributed with the Java SE and Java for Business Critical Patch Update - February 2011. For More Information: The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html The Advisory for Security Alert CVE-2010-4476 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html Consumers can go to http://www.java.com/en/download/installed.jsp to ensure that they have the latest version of Java running on their desktops. More information on Java Update is available at http://www.java.com/en/download/help/java_update.xml

    Read the article

  • Configuring WS-Security with PeopleSoft Web Services

    - by Dave Bain
    I was speaking with a customer a few days ago about PeopleSoft Web Services.  The customer created a web service but when they went to deploy it, they had so many problems configuring ws-security, they pulled the service.  They spent several days trying to get it working but never got it working so they've put it on hold until they have time to work through the issues. Having gone through the process of configuring ws-security myself, I understand the complexity.  There is no magic 'easy' button to push.  If you are not familiar with all the moving parts like policies, certificates, public and private keys, credential stores, and so on, it can be a daunting task.  PeopleBooks documentation is good but does not offer a step-by-step example to follow.  Fear not, for those that want more help, there is a place to go. PeopleSoft released a Mobile Inventory Management application over a year ago.  It is a mobile app built with Oracle Fusion Application Development Framework (ADF) that accesses PeopleSoft content through standard web services.  Part of the installation of this app is configuring ws-security for the web services used in the application.  Appendix A of the PeopleSoft FSCM91 Mobile Inventory Management Installation Guide is called Configuring WS-Security for Mobile Inventory Management.  It is a step-by-step guide to configure ws-security between a server running Oracle Web Server Management (OWSM) and PeopleSoft Integration Broker.  Your environment might be different, but the steps will be similar, and on the PeopleSoft side, Integration Broker will remain a constant. You can find the installation guide on Oracle Suport.  Sign in to https://support.us.oracle.com and search for document 1290972.1.  Read through Appendix A for more details about how to set up ws-security with PeopleSoft web services.

    Read the article

  • Oracle at Information Security and Risk Management Conference (ISACA Conferences)

    - by Tanu Sood
    The North America Information Security and Risk Management (ISRM) Conference hosted by ISACA will be held this year from November 14 - 16 in Las Vegas, Nevada and Oracle is a platinum sponsor. The ISRM / IT GRC event is not only designed to meet the exact needs of information security, governance, compliance and risk management professionals like you, but also gives you the tools you need to solve the issues you currently face. The event builds on and includes the key elements of information security, governance, compliance and risk management practices, and offers a fresh perspective on current and future trends. As a Platinum Sponsor Oracle will not only have an opportunity to demonstrate but talk through our strategic roadmap and support to ensure all organizations understand our key role within the industry to ensure corporate data and information remains safe. Join us at the Lunch and Learn to learn more about the latest advances in Oracle Identity Management. Lunch and Learn Session: Trends in Identity Management Speaker: Mike Neuenschwander, Senior Product Development Director, Oracle Identity Management As enterprises embrace mobile and social applications, security and audit have moved into the foreground. The way we work and connect with our customers is changing dramatically and this means, re-thinking how we secure the interaction and enable the experience. Work is an activity not a place - mobile access enables employees to work from any device anywhere and anytime. Organizations are utilizing "flash teams" - instead of a dedicated group to solve problems, organizations utilize more cross-functional teams. Work is now social - email collaboration will be replaced by dynamic social media style interaction. In this session, we will examine these three secular trends and discuss how organizations can secure the work experience and adapt audit controls to address the "new work order". We also recommend you bookmark the following session: T1 Session 301: Gone in 60 Seconds: Mitigating Database Security Risk Friday, November 16, 8:30 am – 9:30 am And, do be sure to stop by our booth, # 100 & #102, to not only network with our Product Development Team, but also get an onsite demonstration of Oracle Security Solutions. See you there? ISRM /  IT GRC November 14 – 16, 2012 Mirage Casino-Hotel 3400 Las Vegas Boulevard South Las Vegas, NV, 89109

    Read the article

  • Security Newsletter – September Edition is Out Now

    - by Tanu Sood
      The September issue of Security Inside Out Newsletter is out now. This month’s edition offers a preview of Identity Management and Security events and activities scheduled for Oracle OpenWorld. Oracle OpenWorld (OOW) 2012 will be held in San Francisco from September 30-October 4. Identity Management will have a significant presence at Oracle OpenWorld this year, complete with sessions featuring technology experts, customer panels, implementation specialists, product demonstrations and more. In addition, latest technologies will be on display at OOW demogrounds. Hands-on-Labs sessions will allow attendees to do a technology deep dive and train with technology experts. Executive Edge @ OpenWorld also features the very successful Oracle Chief Security Officer (CSO) Summit. This year’s summit promises to be a great educational and networking forum complete with a contextual agenda and attendance from well known security executives from organizations around the globe. This month’s edition also does a deep dive on the recently announced Oracle Privileged Account Manager (OPAM). Learn more about the product’s key capabilities, business issues the solution addresses and information on key resources. OPAM is part of Oracle’s complete and integrated Oracle Identity Governance solution set. And if you haven’t done so yet, we recommend you subscribe to the Security Newsletter to keep up to date on Security news, events and resources. As always, we look forward to receiving your feedback on the newsletter and what you’d like us to cover in the upcoming editions.

    Read the article

  • Exception Security Context token in WCF

    - by Alhambra Eidos
    Hi all I'm using Service WCF, and I get the following error: "The security context token is expired or is not valid. The message was not processed." Client config <endpoint address="http://probiz:49610/GestionOrganizacion.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IOrganizacion" contract="CarWin.ServiceContracts.Interfaces.IOrganizacion" behaviorConfiguration="NewBehavior" name="PRO_WSHttpBinding_IOrganizacion"> <identity> <dns value="localhost" /> </identity> <binding name="WSHttpBinding_IOrganizacion" closeTimeout="00:30:00" openTimeout="00:30:00" receiveTimeout="00:30:00" sendTimeout="00:30:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" /> <security mode="Message"> <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" /> <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" /> </security> </binding> more config <endpointBehaviors> <behavior name="NewBehavior"> <dataContractSerializer maxItemsInObjectGraph="2147483647" /> </behavior> </endpointBehaviors> Thanks in advanced, greetings

    Read the article

  • Application passwords and SQLite security

    - by Bryan
    I have been searching on google for information regarding application passwords and SQLite security for some time, and nothing that I have found has really answered my questions. Here is what I am trying to figure out: 1) My application is going to have an optional password activity that will be called when the application is first opened. My questions for this are a) If I store the password via android preference or SQLite database, how can I ensure security and privacy for the password, and b) how should password recovery be handled? Regarding b) from above, I have thought about requiring an email address when the password feature is enabled, and also a password hint question for use when requesting password recovery. Upon successfully answering the hint question, the password is then emailed to the email address that was submitted. I am not completely confident in the security and privacy of the email method, especially if the email is sent when the user is connected to an open, public wireless network. 2) My application will be using an SQLite database, which will be stored on the SD card if the user has one. Regardless of whether it is stored on the phone or the SD card, what options do I have for data encryption, and how does that affect the application performance? Thanks in advance for time taken to answer these questions. I think that there may be other developers struggling with the same concerns.

    Read the article

  • Browser security when calling HTTP assets via a SWF on a HTTPS site

    - by Mark Ursino
    We have a site that runs on HTTPS and needs to pull in various JS assets to run a video player on the page. We get a browser security warning on this page because the JS files we are externally calling are being accessed via HTTP, not HTTPS. E.g. // HTTP reference on a HTTPS site <script src="http://the-cdn.tld/player.js"></script> Simply accessing this one JS assets via HTTP and not HTTPS will cause the browser security warning which we need to get rid of. The provider of the JS file does not support an HTTPS equivalent (like Google Analytics does). We would ideally love to just do the following, but the provider does not have this: // HTTPS reference on a HTTPS site <script src="https://the-cdn.tld/player.js"></script> One option we had was to just download a copy of the JS file and serve it on the HTTPS site, however we have concerns with this as it is not recommended by the provider and will not include updates from them. Assuming we cannot do that, we were thinking a possible other option would be to use a SWF file as a proxy. We were thinking that we could have one of our flash guys create a SWF that loads in the HTTP-served JS file to the page. We were wondering that if this SWF makes the request, would that prevent the browser from showing the security warning or not? I assumed that we would still see the warning since the SWF is still making the request through the browser, but I wanted to see what the hive mind thinks.

    Read the article

  • filterSecurityInterceptor and metadatasource implementation spring-security

    - by Mike
    Hi! I created a class that implements the FilterInvocationSecurityMetadataSource interface. I implemented it like this: public List<ConfigAttribute> getAttributes(Object object) { FilterInvocation fi = (FilterInvocation) object; Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); Long companyId = ((ExtenededUser) principal).getCompany().getId(); String url = fi.getRequestUrl(); // String httpMethod = fi.getRequest().getMethod(); List<ConfigAttribute> attributes = new ArrayList<ConfigAttribute>(); FilterSecurityService service = (FilterSecurityService) SpringBeanFinder.findBean("filterSecurityService"); Collection<Role> roles = service.getRoles(companyId); for (Role role : roles) { for (View view : role.getViews()) { if (view.getUrl().equalsIgnoreCase(url)) attributes.add(new SecurityConfig(role.getName() + "_" + role.getCompany().getName())); } } return attributes; } when I debug my application I see it reaches this class, it only reaches getAllConfigAttributes method, that is empty as I said, and return null. after that it prints this warning: Could not validate configuration attributes as the SecurityMetadataSource did not return any attributes from getAllConfigAttributes(). My aplicationContext- security is like this: <beans:bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy"> <filter-chain-map path-type="ant"> <filter-chain filters="sif,filterSecurityInterceptor" pattern="/**" /> </filter-chain-map> </beans:bean> <beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="accessDecisionManager" ref="accessDecisionManager" /> <beans:property name="securityMetadataSource" ref="filterSecurityMetadataSource" /> </beans:bean> <beans:bean id="filterSecurityMetadataSource" class="com.mycompany.filter.FilterSecurityMetadataSource"> </beans:bean> what could be the problem?

    Read the article

  • WS-Security using the ASMX file in ASP.NET 3.5

    - by Adam
    Basically I need to setup my ASMX file so that when I pull it up in a browser to display the WebMethod specification the Soap Header conforms to this format: <soap:Header> <wsse:Security> <wsse:UsernameToken wsu:Id='SecurityToken-securityToken'> <wsse:Username>Username</wsse:Username> <wsse:Password>Password</wsse:Password> <wsu:Created>Timestamp</wsu:Created> </wsse:UsernameToken> </wsse:Security> </soap:Header> Back-story: I'm integrating with a client application that is already built (and owned by another company). Basically this client application already has their soap messages all set up from its past integrations with other companies. So we've opted to just build a web service using an ASMX file that matches the WSDL that they're already setup to consume. Is it possible to get WS-Security working on an ASMX file or is ASMX too simplistic and I have to upgrade to WFC (which I really don't want to do)?

    Read the article

  • implementing Ws-security within WCF proxy

    - by harrisonmeister
    Hi, I have imported an axis based wsdl into a VS 2008 project as a service reference. I need to be able to pass security details such as username/password and nonce values to call the axis based service. I have looked into doing it for wse, which i understand the world hates (no issues there) I have very little experience of WCF, but have worked how to physically call the endpoint now, thanks to SO, but have no idea how to set up the SoapHeaders as the schema below shows: <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope" xmlns:ws="http://schemas.xmlsoap.org/ws/2002/04/secext"> <S:Header> <ws:Security> <ws:UsernameToken> <ws:Username>aarons</ws:Username> <ws:Password>snoraa</ws:Password> </ws:UsernameToken> </wsse:Security> ••• </S:Header> ••• </S:Envelope> Any help much appreciated Thanks, Mark

    Read the article

  • web.config + asp.net MVC + location > system.web > authorization + Integrated Security

    - by vdh_ant
    Hi guys I have an ASP.Net MVC app using Integrated Security that I need to be able grant open access to a specific route. The route in question is '~/Agreements/Upload' and the config I have setup looks like this: <configuration> ... <location path="~/Agreements/Upload"> <system.web> <authorization> <allow users="*"/> </authorization> </system.web> </location> ... </configuration> I have tried a few things and nothing has worked thus far. In IIS under Directory Security Authentication Methods I only have "Integrated Windows Authentication" selected. Now this could be part of my problem (as even though IIS allows the above IIS doesn't). But if that's the case how do I configure it so that Integrated Security works but allows people who aren't authenticated to access the given route. Cheers Anthony

    Read the article

  • Spring Security ACL: NotFoundException from JDBCMutableAclService.createAcl

    - by user340202
    Hello, I've been working on this task for too long to abandon the idea of using Spring Security to achieve it, but I wish that the community will provide with some support that will help reduce the regret that I have for choosing Spring Security. Enough ranting and now let's get to the point. I'm trying to create an ACL by using JDBCMutableAclService.createAcl as follows: [code] public void addPermission(IWFArtifact securedObject, Sid recipient, Permission permission, Class clazz) { ObjectIdentity oid = new ObjectIdentityImpl(clazz.getCanonicalName(), securedObject.getId()); this.addPermission(oid, recipient, permission); } @Override @Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED, readOnly = false) public void addPermission(ObjectIdentity oid, Sid recipient, Permission permission) { SpringSecurityUtils.assureThreadLocalAuthSet(); MutableAcl acl; try { acl = this.mutableAclService.createAcl(oid); } catch (AlreadyExistsException e) { acl = (MutableAcl) this.mutableAclService.readAclById(oid); } // try { // acl = (MutableAcl) this.mutableAclService.readAclById(oid); // } catch (NotFoundException nfe) { // acl = this.mutableAclService.createAcl(oid); // } acl.insertAce(acl.getEntries().length, permission, recipient, true); this.mutableAclService.updateAcl(acl); } [/code] The call throws a NotFoundException from the line: [code] // Retrieve the ACL via superclass (ensures cache registration, proper retrieval etc) Acl acl = readAclById(objectIdentity); [/code] I believe this is caused by something related to Transactional, and that's why I have tested with many TransactionDefinition attributes. I have also doubted the annotation and tried with declarative transaction definition, but still with no luck. One important point is that I have used the statement used to insert the oid in the database earlier in the method directly on the database and it worked, and also threw a unique constraint exception at me when it tried to insert it in the method. I'm using Spring Security 2.0.8 and IceFaces 1.8 (which doesn't support spring 3.0 but definetely supprorts 2.0.x, specially when I keep caling SpringSecurityUtils.assureThreadLocalAuthSet()). My AppServer is Tomcat 6.0, and my DB Server is MySQL 6.0 I wish to get back a reply soon because I need to get this task off my way

    Read the article

  • problem in handling menu - submenu based on spring security

    - by Nirmal
    Hi All... I have configured spring security core plugin using requestmap table inside the database.. Now inside requestmap table I have all the possible urls and it's equivalent roles who can access that url... Now I want to generate menus and submenus based on the urls stored in requestmap table... So my requirement is to check the urls of menu & submenus against the logged in users privileges... And if logged in user has any one privilege then I need to display that main menu and the available submenus.... For e.g. I have a menu in my project called user which has a following submenus : **Users (main menu)** Manage Users (sub menu) Import Users (sub menu) Now inside my header.gsp I have successfully achieved the above requirement using if else condition, like : if ( privs.contains("/users/manageUsers") || privs.contains("/users/importUsers")) here privs are the list of urls from requestmap table for logged in user. But I want to achieve these using spring security tag lib, so for comparing urls I have find following tag from spring security core documentation : <sec:access url="/users/manageUsers"> But i am bit confuse that how I can replace or condition using tag library.. Is there any tag available which checks from multiple urls and evaluate it to true or false ? Of course I can do using sec:access tag with some flag logic, but is there any tags available which can fulfill my requirement directly ? Thanks in advance...

    Read the article

  • Web Applications Development: Security practices for Application design

    - by Shyam
    Hi, As I am creating more web applications that are targeted for multiple users, I figured out that I have to start thinking about user management and security. At a glance and in my ideal world, all users belong to a group. Permissions and access is thus defined per group (and inherited by the users of that group). Logically, I have my group of administrators, which are identified with a level "7" (integer) clearance. A group of webusers have for example level "1". This in generally all works great for me, but I need some kind of list that I have to keep in mind how I secure my system, and some general practices. I am not looking for a specific environment; I want to learn the why's and how's. An example is privilege escalation. If someone would be able to "push" themselves inside a group with higher privileges, for example the Administration, how can I prevent this, or what measures should I take to have some sort of precaution? I don't like in that case to walk into a caveat. My question is basically: where can I find a good resource, list, policy, book that explains the security of web applications, the why's, the how's and readable if you don't have any experience in the realm of advanced security? I prefer a free resource, as I believe I couldn't be the first one who thought about this. Thank you for your answers, comments and feedback.

    Read the article

  • Transport Security with Certificate Authentication

    - by Brian T
    I'm getting the following error when I access my webservice localhost/MyService/MyService.svc The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'Ssl, SslNegotiateCert'. I've following the web.config examples as specified in http://msdn.microsoft.com/en-us/library/ms731074.aspx Here is my wcf server web.config: <?xml version="1.0" encoding="UTF-8"?> <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> <appSettings /> <system.web> <identity impersonate="false" /> <roleManager enabled="true" /> <authentication mode="Windows" /> <customErrors mode="Off" /> <webServices> <protocols> <add name="HttpGet" /> <add name="HttpPost" /> </protocols> </webServices> </system.web> <system.webServer> <directoryBrowse enabled="true" /> <validation validateIntegratedModeConfiguration="false" /> <security> <authorization> <remove users="*" roles="" verbs="" /> <add accessType="Allow" users="*" roles="" /> </authorization> </security> </system.webServer> <system.serviceModel> <services> <service name="AspNetSqlProviderService" behaviorConfiguration="MyServiceBehavior"> <endpoint binding="wsHttpBinding" contract="Interface1" bindingConfiguration="CertificateWithTransportWSHttpBinding" /> <endpoint binding="wsHttpBinding" contract="Interface2" bindingConfiguration="CertificateWithTransportWSHttpBinding" /> <endpoint address="mex" binding="wsHttpBinding" bindingConfiguration="CertificateWithTransportWSHttpBinding" name="Metadata_Exchange" contract="IMetadataExchange" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="MyServiceBehavior"> <serviceDebug includeExceptionDetailInFaults="True" /> <serviceMetadata /> <serviceCredentials> <clientCertificate> <authentication trustedStoreLocation="LocalMachine" revocationMode="Online"/> </clientCertificate> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> <bindings> <wsHttpBinding> <binding name="CertificateWithTransportWSHttpBinding"> <security mode="Transport"> <transport clientCredentialType="Certificate" /> </security> </binding> </wsHttpBinding> </bindings> </system.serviceModel> </configuration> I've configured IIS as follows: https binding added using self signed certificate Under SSL settings, require SSL and accept client certificates is checked The self signed certificate has been added to the Local Computer Trusted Root CA. I can browse and execute the .asmx service definition, but the .svc gives me the error described above.

    Read the article

  • Auszeichnung für Oracle beim Channel Marketing Award 2010: IT-Security Kampagne "Keine Aufregung" belegt 2. Platz

    - by A&C Redaktion
    Am 18. November wurde in Augsburg der Channel Marketing Award 2010 verliehen. Gesucht wurden die besten Kampagnen der IT-Branche, mit denen wirtschaftlich und kreativ herausragende Marketing-Aktivitäten rund um das Partner Business umgesetzt wurden. In der Kategorie With/Through Partner hat Oracle mit der IT-Security Kampagne www.keine-aufregung.de hinter Xerox den 2. Platz belegt! Damit verwies „Keine Aufregung", durchgeführt von Bozana Pistorius im Januar 2010, Kampagnen von IBM, Corel und E-Plus auf die Plätze. Bilder der Kampagnen sind hier zu finden. Die Berichterstattung zum CMA Award gibt es online bei IT-Business inklusive Video und Bildergalerie.   V.l.n.r.: Alexander Woelke (Woelke von der Brüggen), Sarah Olbrich (Woelke von der Brüggen), Bozana Pistorius (Oracle), Claudine Petit (Cloudbridge Consulting) und Werner Nieberle (Vogel IT Medien)

    Read the article

  • Why was Oracle Enterprise Taxation Management renamed to Oracle Enterprise Taxation and Policy Management?

    - by Paula Speranza-Hadley
    Ø       Some of you may wonder why we changed the product name from Oracle Enterpraise Taxation Manament (ETM) to Oracle Enterprise and Policy Management(ETPM).   When Oracle added a limited use license for Oracle Policy Automation to the Oracle Enterprise Taxation Management license, the license was re-named to Oracle Enterprise Taxation and Policy Management.  Ø     When referring to versions 2.2 and prior, the proper name is Oracle Enterprise Taxation Management (ETM) Ø     When referring to versions 2.3 and later, the proper name is Oracle Enterprise and Policy Management (ETPM) Ø     To take advantage of the limited use license for Oracle Policy Automation, customers must transition from the ETM license to the ETPM license.  However, they can remain on their ETM license if they are not going to take advantage of Oracle Policy Automation features.  

    Read the article

  • Is an 'if password == XXXXXXX' enough for minimum security?

    - by Morgan Herlocker
    If I create a login for an app that has middle to low security risk (in other words, its not a banking app or anything), is it acceptable for me to verify a password entered by the user by just saying something like: if(enteredPassword == verifiedPassword) SendToRestrictedArea(); else DisplayPasswordUnknownMessage(); It seems to easy to be effective, but I certainly would not mind if that was all that was required. Is a simple check on username/password combo enough? Update: The particular project happens to be a web service, the verification is entirely server side, and it is not open-source. Does the domain change how you would deal with this?

    Read the article

< Previous Page | 26 27 28 29 30 31 32 33 34 35 36 37  | Next Page >