Search Results

Search found 1424 results on 57 pages for 'protect'.

Page 37/57 | < Previous Page | 33 34 35 36 37 38 39 40 41 42 43 44  | Next Page >

  • Prevent Method call without Exception using @PreAuthorize Annotation

    - by Chepech
    Hi all. We are using Spring Security 3. We have a custom implementation of PermissionEvaluator that has this complex algorithm to grant or deny access at method level on the application. To do that we add a @PreAuthorize annotation to the method we want to protect (obviously). Everything is fine on that. However the behavior that we are looking for is that if a hasPermission call is denied, the protected method call only needs to be skipped, instead we are getting a 403 error each time that happens. Any ideas how to prevent that? You can find a different explanation of the problem here; AccessDeniedException handling during methodSecurityInterception

    Read the article

  • Grails/Spring HttpServletRequest synchronization

    - by Jeff Storey
    I was writing a simple Grails app and I have a spot in a gsp where one of my java beans in modified. <g:each in="${myList}" status="i" var="myVar"> // if the user performs some view action, update one of the myVar elements </g:each> This works, but I don't think it's quite threadsafe. myList is an http request variable but in cases of pages that use ajax (or other client side manipulations), it is possible for two threads to be modifying the same request scope variable The Spring AbstractController class provides a setSynchronizeOnSession method. Does grails provide any equivalent functionality? If not, what's the best way to protect this non-threadsafe mutation? thanks, Jeff

    Read the article

  • Monetary Escrow Recommendation

    - by buzzappsoftware
    We are a software development company. We need to establish a monetary escrow for one of our clients. The idea is they pay for the whole fixed bid project up front. However, the money is not released to us until agreed upon milestones have been met. This is very similar to the system Elance uses. From our side, we need to protect ourselves in the event we complete a client's project and by the time that happens they cannot pay for one reason or another. Thank you for your time. All help appreciated.

    Read the article

  • Use Tomcat with Java SecurityManager?

    - by pauline
    I'm writing a web application that is supposed to run on Tomcat on Ubuntu. On Ubuntu, Tomcat is per default configured to run with the Java SecurityManager. Besides my own web application, there will only be some well known third party web applications related to my own, like the BIRT report engine. If one of the web applications fails or gets compromised, it may take down all the others without harm, because they all belong together. What I don't wont to happen is that a compromised web app compromises the system itself, like calling rm -r / Do I need to use the java security manager to achieve this? Or is it only necessary to protect one web app from the other? I'd really like to prevent the effort to create .policy files for all the 3rd party web applications I intend to use.

    Read the article

  • Decoding mysql_real_escape_string() for outputting HTML

    - by Peter
    I'm trying to protect myself from sql injection and am using: mysql_real_escape_string($string); When posting HTML it looks something like this: <span class="\&quot;className\&quot;"> <p class="\&quot;pClass\&quot;" id="\&quot;pId\&quot;"></p> </span> I'm not sure how many other variations real_escape_string adds so don't want to just replace a few and miss others... How do I "decode" this back into correctly formatted HTML, with something like: html_entity_decode(stripslashes($string));

    Read the article

  • WCF Authentication on the Internet - HELP

    - by Eddie
    I have a WCF service using the basicHTTP binding. The service will be targeted to be deployed in production in a DMZ environment on a Windows Server 2008 64 bit running IIS 7.0 and is not in an Active Directory domain. The service will be accessed by a business partner over the Internet with SSL protection. Originally, I had built the service to use x.509 Message authentication with wsHTTPBinding and after a lot of problems I punted and decided to back up and use basicHTTP with UserName authentication. Result: same exact, obscure error message as I received with certificate mode. The service works perfectly inside our domain with the exact same authentication but as soon as I move it to the DMZ I get an error reading: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail". The inner exception message is: "An error occurred when verifying security for the message." The services' web config with binding configuration is as follows: <services> <service behaviorConfiguration="HSSanoviaFacade.Service1Behavior" name="HSSanoviaFacade.HSSanoviaFacade"> <endpoint address="" binding="basicHttpBinding" contract="HSSanoviaFacade.IHSSanoviaFacade" bindingConfiguration="basicHttp"> <identity> <dns value="localhost" /> </identity> </endpoint> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" /> <host> <baseAddresses> <add baseAddress="https://FULLY QUALIFIED HOST NAME CHANGED TO PROTECT/> </baseAddresses> </host> </service> </services> <bindings> <basicHttpBinding> <binding name="basicHttp"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" /> </security> </binding> </basicHttpBinding> </bindings> <behaviors> <serviceBehaviors> <behavior name="HSSanoviaFacade.Service1Behavior"> <serviceMetadata httpsGetEnabled="True" /> <serviceDebug includeExceptionDetailInFaults="True" /> </behavior> </serviceBehaviors> </behaviors> The test client's configuration that gets the error: <bindings> <basicHttpBinding> <binding name="BasicHttpBinding_IHSSanoviaFacade" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="TransportWithMessageCredential"> <transport clientCredentialType="None" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" algorithmSuite="Default" /> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint address="https://HOST NAME CHANGED TO PROTECT" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IHSSanoviaFacade" contract="MembersService.IHSSanoviaFacade" name="BasicHttpBinding_IHSSanoviaFacade" /> </client> As mentioned earlier, the service works perfectly on the domain and the production IIS box is not on a domain. I have been tweaking and pulling my hair out for 2 weeks now and nothing seems to work. If anyone can help I would appreciate it. Even a recommendation for a work around for authentication. I'd rather not use a custom authentication scheme but use built-in SOAP capabilities. The credentials pass in thru the proxy i.e. proxy.ClientCredentials.UserName.UserName and proxy.ClientCredentials.UserName.Password are valid accounts on both the internal domain in the test environment and as a machine account on the DMZ IIS box.

    Read the article

  • How to redefine symbol names in objects with RVCT?

    - by Batuu
    I currently develop a small OS for an embedded platform based on a ARM Cortex-M3 microcontroller. The OS provides an API for customer application development. The OS kernel and the API is compiled into a static lib by the ARMCC compiler and customer can link his application against it. The lib and the containing object files offer the complete list of symbols used in kernel. To "protect" the kernel and its inner states from extern hooking into obvious variables and functions, I would like to do some easy obfuscation by renaming the symbols randomly. The GNU binutils seems to do this by calling objcopy with the --redefine-sym flag. The GNU binutils cannot read the ARMCC / RVCT objects. Is there any solution to do this kind of obfuscation with RVCT?

    Read the article

  • How to secure authiorization of methods

    - by Kurresmack
    I am building a web site in C# using MVC.Net How can I secure that no unauthorized persons can access my methods? What I mean is that I want to make sure that only admins can create articles on my page. If I put this logic in the method actually adding this to the database, wouldn't I have business logic in my data layer? Is it a good practise to have a seperate security layer that is always in between of the data layer and the business layer to make? The problem is that if I protect at a higher level I will have to have checks on many places and it is more likely that I miss one place and users can bypass security. Thanks!

    Read the article

  • How to block non-browser clients from submitting a request?

    - by Thomas Kohl
    I want to block non-browser clients from accessing certain pages / successfully making a request. The website content is served to authenticated users. What happens is that our user gives his credentials to our website to 3rd party - it can be another website or a mobile application - that performs requests on his behalf. Say there is a form that the user fills out and sends a message. Can I protect this form so that the server processing the submission can tell whether the user has submitted it directly from the browser or not? I don't want to use CAPTCHA for usability reasons. Can I do it with some javascript?

    Read the article

  • What XSS/CSRF attacks (if any) to be aware of when allowing video embeds?

    - by fireeyedboy
    I've been assigned a project for a website where users will be allowed to upload video's (using a YouTube API) but more importantly (for me) they will also be allowed to submit video embed codes (from numerous video sites, YouTube, Vimeo, etc. etc.). Having no experience with allowing users to embed video: How can I best protect against cross site scripting and/or cross site request forgery attacks specifically for video embedding? What are some of the common pitfalls to watch for? At a minumum I would think to strip all tags except <object> and <embed>. But I have a feeling this will not be enough, will it? If it is of importance, the environment will be: PHP/Zend Framework MySQL Bonuspoints: Is there a common minimum golden rule/code template for video embed codes that are valid across all video sites that I could use to filter the input?

    Read the article

  • How to preserve data integrity while minimizing the transmission size

    - by user1500578
    we have sensors in the wild that send their data to a server every day via TCP/IP, either through 3G or through satellite for the physical layer. The sensors can automatically switch from one to the other depending on their location and the quality of the signal with the local 3G operator. Given that the 3G and satellite communications are very expensive, we want to minimize the amount of data to send. But also, we want to protect ourselves from lost data. What would be the best strategy to ensure with reasonable certainty that the integrity of our data is preserved, while minimizing the amount of redundancy, i.e the amount of data transmitted ? I've read about the zfec codec, but I'm not sure if we need to transmit all the chunks, or if we need to send a hash code along each chunk.

    Read the article

  • Is there a pattern that allows a constructor to be called only from a specific factory and from nowh

    - by willem
    We have a class, say LegacyUserSettingsService. LegacyUserSettingsService implements an interface, IUserSettingsService. You can get an instance of the IUserSettingsService by calling our ApplicationServicesFactory. The factory uses Spring.NET to construct the concrete LegacyUserSettingsService. The trouble is that new developers sometimes do their own thing and construct new instances of the LegacyUserSettingsService directly (instead of going via the factory). Is there a way to protect the constructor of the concrete class so it can only be called from the factory? A well-known pattern perhaps? Note that the concrete class resides in a different assembly (separate from the Factory's assembly, so the internal keyword is not a solution). The factory assembly references the other assembly that contains the concrete class. Any ideas?

    Read the article

  • Software Protection: Shuffeling my application?

    - by Martijn Courteaux
    Hi, I want to continue on my previous question: http://stackoverflow.com/questions/3007168/torrents-can-i-protect-my-software-by-sending-wrong-bytes Developer Art suggested to add a unique key to the application, to identifier the cracker. But JAB said that crackers can search where my unique key is located by checking for binary differences, if the cracker has multiple copies of my software. Then crackers change that key to make them self anonymous. That is true. Now comes the question: If I want to add a unique key, are there tools to shuffle (a kind of obfuscation) the program modules? So, that a binary compare would say that the two files are completely different. So they can't locate the identifier key. I'm pretty sure it is possible (maybe by replacing assembler blocks and make some jumps). I think it would be enough to make 30 to 40 shuffles of my software. Thanks

    Read the article

  • codeigniter csrf protection with ajax

    - by Yarandi
    i have a small problem here which i cannot fix,This post goes through but the response returns a “500 internal server error” who to fix it? JS in view: function load(value) { var utype = value; if(utype>0) { new Ajax.Request('<?php echo base_url().'another/load';?>'+'/'+utype, { method:'post', onSuccess: function(transport){ var response = transport.responseText || "no response text"; if(response!="no response text") document.getElementById('prog_id').innerHTML = response; }, onFailure: function(){ alert('Something went wrong ...') } }); } error in firebug : An Error Was Encountered The action you have requested is not allowed. when i change CSRF protection to False in config file its work for me.but i want protect this request with CSRF enabled. after search in CI forum i found this this link codeigniter-csrf-protection-with-ajax but i cant solve by it.can any one help me?

    Read the article

  • saving appengine mail from spam filters

    - by Fh
    One of my clients uses Trend Micro InterScan Messaging Security to protect their internal mail services. Suddenly InterScan decided to filter out all messages coming from Google App Engine. Unfortunately they haven't been able to whitelist the sender address as each e-mail gets a different one. For example, *3ckihSOVMMHlZHSL.JSMMHlZHSL.JS*@apphosting.bounces.google.com, with everything before the @ being variable. Update I'm including this screenshot of how Interscan sees the incoming e-mail. Notice that all senders are different: If I look into the e-mail headers, the apphosting domain appears inside the Return-Path field: Return-Path: <36kSiSwYIBh0883XL3E7.5EH883XL3E7.5E@apphosting.bounces.google.com> The "From" field looks ok. It says what I set it to say, but the spam filter only looks at the Return-Path. My client sysadmin doesn't want to whitelist the whole apphosting domain, as it wouldn't be only whitelisting my application. How could I bypass this e-mail filters if I can't get an unique sender? Thanks,

    Read the article

  • Software protection

    - by anfono
    I want to protect my software from being used without permission. I will provide it for free to the parties I authorize to use it. Anyone knows a good protection scheme against having it copied and run by unauthorized parties ? So far, I thought about introducing a key validation mechanism: periodically, the user needs to send me (web site query) a code based on which I generate a new code that app validates against. There is an initial code, and so I can track users... Thoughts ? Later edit: I changed the licensing part to avoid unfocused discussion.

    Read the article

  • php Form to Email sanitizing

    - by Jacob
    Hi, im using the following to send a contact us type form, iv looked into security and only found that you need to protect the From: bit of the mail function, as ive hardcoded this does that mean the script is spamproof / un-hijackable $tenantname = $_POST['tenan']; $tenancyaddress = $_POST['tenancy']; $alternativename = $_POST['alternativ //and a few more //then striptags on each variable $to = "[email protected]"; $subject = "hardcoded subject here"; $message = "$tenantname etc rest of posted data"; $from = "[email protected]"; $headers = "From: $from"; mail($to,$subject,$message,$headers);

    Read the article

  • Is it possible for a XSS attack to obtain HttpOnly cookies?

    - by Dan Herbert
    Reading this blog post about HttpOnly cookies made me start thinking, is it possible for an HttpOnly cookie to be obtained through any form of XSS? Jeff mentions that it "raises the bar considerably" but makes it sound like it doesn't completely protect against XSS. Aside from the fact that not all browser support this feature properly, how could a hacker obtain a user's cookies if they are HttpOnly? I can't think of any way to make an HttpOnly cookie send itself to another site or be read by script, so it seems like this is a safe security feature, but I'm always amazed at how easily some people can work around many security layers. In the environment I work in, we use IE exclusively so other browsers aren't a concern. I'm looking specifically for other ways that this could become an issue that don't rely on browser specific flaws.

    Read the article

  • How do I use BCP or Sql Server Management Studio to get BLOB data our of Sql Server?

    - by Eric
    I'm sorry if this question has been asked already, but I couldn't find it anywhere. I have a table that stores files as BLOBS. The column that holds the file is an image datatype. I would like to be able to extract the binary data out of the column and turn it in to an actual file. I would ideally like to be able to do this with BCP or management studio if possible. I have tried BCP, but for some reason when I try and pull out an office document Word thinks it's corrupt. Here's what I've tried so far (obviously the values have been changed to protect the innocent :): bcp "select document_binary_data from database where id = 12345" queryout "c:\filename.doc" -n -S server -U username -P password This isn't working though? Any thoughts?

    Read the article

  • Security / Protecting code in JavaScript

    - by Evans
    With all the recent hype about JavaScript and HTML5 replacing Flash, I wanted to know - How would it be possible to protect client-side js code? Of course, it is possible to obfuscate it, but that would only make it a little harder. Also, for games which submit high scores to the server, wouldn't it be incredibly easy to modify those scores before they are sent to the server? I know even Flash files can be decompiled, but they can be obfuscated and flash decompilation is not as easy as modifying data in JS - could be done easily using a plugin such as Firebug. I'd like to know everyone's views on this.

    Read the article

  • What is the impact/limitation of oracle select with large number of bind variables?

    - by Igal Serban
    We had our oracle server chocking during processing a select statement with close to 3500(!!) bind variables. This select is, obviously, build dynamically by code that we can't change. During the execution of this select the db server went to 100% cpu usage and our system almost halted. We know how to reproduce this problem. So we can prevent this specific condition. But I am wondering if there is a way to protect the db ( by configuration) from this type of problems.

    Read the article

  • How do you handle passwords or credentials for standalone applications?

    - by Abel Morelos
    Let's say that you have a standalone application (a Java application in my case) and that this application has a configuration file (a XML file in my case) where you store the credentials (user and password) for a bunch of databases you need to connect. Everything works great, but now you discover (or your are given a new requirement like me) that you have to put this application in a different server and that you can't have these credentials in the configuration files because of security and/or compliance considerations. I'm considering to use data sources hosted in the application server (a WAS server), but I think this could have poor performance and maybe it's not the best approach since I'm connecting from a standalone application. I was also considering to use some sort of encryption, but I would like to keep things as simple as possible. How would you handle this case? Where would you put these credentials or protect them from being compromised? Or how would you connect to your databases in this scenario?

    Read the article

  • Reason for monolithic data files

    - by Ali Lown
    Primarily this seems to be a technique used by games, where they have all the sounds in one file, textures in another etc. With these files commonly reaching the GB size. What is the reason behind doing this over maintaining it all in subdirectories as small files - one per texture which many small games use this, with the monolithic system being favoured by larger companies? Is there some file system overhead with lots of small files? Are they trying to protect their property - although most just seem to be a compressed file with a new extension?

    Read the article

  • Java Security filter together with thickbox pop-ups

    - by user197127
    Hi, I have a java application that uses a security filter to protect certain resources. If there is no user logged on, it will keep in session the request path and redirect to a logon page. After a successful logon, user is redirected to the original requested page. I have now added some thickbox (ajax bases pop-up) popups to the application. Unfortunately, when I get now a popup that is "secure" the filter redirects to a logon page (which is not a popup) and makes the whole application messy. Anyone with ideas on how to solve this? Thanks

    Read the article

  • How to create digital signature that can not be used to reproduce the message twice

    - by freediver
    I am creating a client-server application and I'd like to send data from server to client securely. Using public/private key algorithms makes sense and in PHP we can use openssl_sign and openssl_verify functions to check that the data came by someone who has the private key. Now imagine that one of the actions sent by server to client is destructive in nature. If somebody uses an HTTP sniffer to catch this command (which will be signed properly) how can I further protect the communication to ensure that only commands coming from our server get processed by the client? I was thinking about using current UTC time as part of the encrypted data but client time might be off. Is there a simple solution to the problem?

    Read the article

< Previous Page | 33 34 35 36 37 38 39 40 41 42 43 44  | Next Page >