Search Results

Search found 16101 results on 645 pages for 'owsm webservices ws security ws trust soa secuirty'.

  • Spring security custom principal bean

    - by wuntee
    I have a web application that is set up to use the default ldap server/authentication manager/authentication provider/user service. I have another DAO that already does the majority of the work that those do (besides authenticating a user) using Spring-LDAP. My problem is that I want the principal to be of my own custom bean class. What is the simplest way to do this? Initially I was thinking to create a custom authentication provider, but since the default one does exactly what I want, there doesn't seem to be a need. I am thinking I just need to override whatever object actually returns the Principal bean. Is this possible, and able to be injected into the security ldap authenticator context?

  • security issue of Linux sudo command?

    - by George2
    Hello everyone, 1. I am using a Red Hat Enterprise 5 Linux box. I find that if a user is in the /etc/sudoers file, then if the user runs a command with sudo, the user will run this command with root privilege (without knowing the root password; to run a command with sudo the user only needs to input the user's own password). Is that a correct understanding? 2. If yes, then is it a security hole, since users other than root could run with root privilege? Thanks in advance, George

  • Security flaw in this code approach

    - by Alec Smart
    Hello, I am wondering if there would be any security flaw in this approach. I am writing a piece of code which allows users to upload files and another set to download those files. These files can be anything. The user uploads the file (any file, including .php files), it is renamed to an md5 hash (extension removed) and stored on the server. A corresponding MySQL entry is made. The user trying to download the file uses, say, download.php to download the file, where the md5 file is sent (with the original name). Is there some way in which anyone can exploit the above scenario?

  • Spring security accessing principal

    - by wuntee
    When using Spring Security, specifically with @notation, what is the proper way to access the principal in a Controller? Let's say the following is my controller, but I would like to access the principal in the secure() method somewhere...

        @Controller
        public class LoginController {

            @RequestMapping(value = "/login", method = RequestMethod.GET)
            public String login(ModelMap map, @RequestParam(value = "fail", required = false) String fail) {
                map.addAttribute("title", "Login: AD Credentials");
                if (fail != null) {
                    map.addAttribute("error", "Invalid credentials");
                }
                return "login";
            }

            @RequestMapping("/secure")
            @PreAuthorize("isAuthenticated()")
            public String secure(ModelMap map, String principal) {
                System.out.println(principal);
                return "secure";
            }
        }

  • Image Uploading - security issues

    - by TenaciousImpy
    Hi, I'm developing an ASP.NET Web app and would like the user to be able to either upload an image from their local system, or pass in a URL to an image. The image can either be a JPG or PNG. What security issues should I be concerned about doing this? I've seen various ways of embedding code within JPG files. Are there any methods in C# (or external libraries) which can confirm that a file is a JPG/PNG, otherwise throw an error? At the very least, I'm making the directory which holds uploaded images non-browsable and putting a max size limit of 1mb, but I'd like to implement further checks. Thanks for any advice.

  • Entry lvl. COBOL Control Breaks

    - by Kyle Benzle
    I'm working in COBOL with a double control break to print a hospital record. The input is one record per line, with, hospital info first, then patient info. There are multiple records per hospital, and multiple services per patient. The idea is, using a double control break, to print one hospital name, then all the patients from that hospital. Then print the patient name just once for all services, like the below. I'm having trouble with my output, and am hoping someone can help me get it in order. I am using AccuCobol to compile experts-exchange does not allow .cob and .dat so the extentions were changed to .txt The files are: the .cob lab5b.cob the input / output: lab5bin.dat, lab5bout.dat The assignment: http://www.cse.ohio-state.edu/~sgomori/314/lab5.html Hospital Number: 001 Hospital Name: Mount Carmel 00001 Griese, Brian Ear Infection 08/24/1999 300.00 Diaper Rash 09/05/1999 25.00 Frontal Labotomy 09/25/1999 25,000.00 Rear Labotomy 09/26/1999 25,000.00 Central Labotomy 09/28/1999 24,999.99 The total amount owed for this patient is: $.......... (End of Hospital) The total amount owed for this hospital is: $......... enter code here IDENTIFICATION DIVISION. PROGRAM-ID. LAB5B. ENVIRONMENT DIVISION. INPUT-OUTPUT SECTION. FILE-CONTROL. SELECT FILE-IN ASSIGN TO 'lab5bin.dat' ORGANIZATION IS LINE SEQUENTIAL. SELECT FILE-OUT ASSIGN TO 'lab5bout.dat' ORGANIZATION IS LINE SEQUENTIAL. DATA DIVISION. FILE SECTION. FD FILE-IN. 01 HOSPITAL-RECORD-IN. 05 HOSPITAL-NUMBER-IN PIC 999. 05 HOSPITAL-NAME-IN PIC X(20). 05 PATIENT-NUMBER-IN PIC 99999. 05 PATIENT-NAME-IN PIC X(20). 05 SERVICE-IN PIC X(30). 05 DATE-IN PIC 9(8). 05 OWED-IN PIC 9(7)V99. FD FILE-OUT. 01 REPORT-REC-OUT PIC X(100). WORKING-STORAGE SECTION. 01 WS-WORK-AREAS. 05 WS-HOLD-HOSPITAL-NUM PIC 999 VALUE ZEROS. 05 WS-HOLD-PATIENT-NUM PIC 99999 VALUE ZEROS. 05 ARE-THERE-MORE-RECORDS PIC XXX VALUE 'YES'. 88 MORE-RECORDS VALUE 'YES'. 88 NO-MORE-RECORDS VALUE 'NO '. 05 FIRST-RECORD PIC XXX VALUE 'YES'. 
05 WS-PATIENT-TOTAL PIC 9(9)V99 VALUE ZEROS. 05 WS-HOSPITAL-TOTAL PIC 9(9)V99 VALUE ZEROS. 05 WS-PAGE-CTR PIC 99 VALUE ZEROS. 01 WS-DATE. 05 WS-YR PIC 9999. 05 WS-MO PIC 99. 05 WS-DAY PIC 99. 01 HL-HEADING1. 05 PIC X(49) VALUE SPACES. 05 PIC X(14) VALUE 'OHIO INSURANCE'. 05 PIC X(7) VALUE SPACES. 05 HL-PAGE PIC Z9. 05 PIC X(14) VALUE SPACES. 05 HL-DATE. 10 HL-MO PIC 99. 10 PIC X VALUE '/'. 10 HL-DAY PIC 99. 10 PIC X VALUE '/'. 10 HL-YR PIC X VALUE '/'. 01 HL-HEADING2. 05 PIC XXXXXXXXXX VALUE 'HOSPITAL: '. 05 HL-HOSPITAL PIC 999. 01 HL-HEADING3. 05 PIC X(7) VALUE "Patient". 05 PIC X(3) VALUE SPACES. 05 PIC X(7) VALUE "Patient". 05 PIC X(39) VALUE SPACES. 05 PIC X(7) VALUE "Date of". 05 PIC X(3) VALUE SPACES. 05 PIC X(6) VALUE "Amount". 01 HL-HEADING4. 05 PIC X(6) VALUE "Number". 05 PIC X(4) VALUE SPACES. 05 PIC X(4) VALUE "Name". 05 PIC X(18) VALUE SPACES. 05 PIC X(10) VALUE "Service". 05 PIC X(14) VALUE SPACES. 05 PIC X(8) VALUE "Service". 05 PIC X(2) VALUE SPACES. 05 PIC X(5) VALUE "Owed". 01 DL-PATIENT-LINE. 05 PIC X(28) VALUE SPACES. 05 DL-PATIENT-NUMBER PIC XXXXX. 05 PIC X(21) VALUE SPACES. 05 DL-PATIENT-TOTAL PIC $$$,$$$,$$9.99. 01 DL-HOSPITAL-LINE. 05 PIC X(47) VALUE SPACES. 05 PIC X(16) VALUE 'HOSPITAL TOTAL: '. 05 DL-HOSPITAL-TOTAL PIC $$$,$$$,$$9.99. PROCEDURE DIVISION. 100-MAIN-MODULE. PERFORM 600-INITIALIZATION-RTN PERFORM UNTIL NO-MORE-RECORDS READ FILE-IN AT END MOVE 'NO ' TO ARE-THERE-MORE-RECORDS NOT AT END PERFORM 200-DETAIL-RTN END-READ END-PERFORM PERFORM 400-HOSPITAL-BREAK PERFORM 700-END-OF-JOB-RTN STOP RUN. 200-DETAIL-RTN. EVALUATE TRUE WHEN FIRST-RECORD = 'YES' MOVE PATIENT-NUMBER-IN TO WS-HOLD-PATIENT-NUM MOVE HOSPITAL-NUMBER-IN TO WS-HOLD-HOSPITAL-NUM PERFORM 500-HEADING-RTN MOVE 'NO ' TO FIRST-RECORD WHEN HOSPITAL-NUMBER-IN NOT = WS-HOLD-HOSPITAL-NUM PERFORM 400-HOSPITAL-BREAK WHEN PATIENT-NUMBER-IN NOT = WS-HOLD-PATIENT-NUM PERFORM 300-PATIENT-BREAK END-EVALUATE ADD OWED-IN TO WS-PATIENT-TOTAL. 300-PATIENT-BREAK. 
MOVE WS-PATIENT-TOTAL TO DL-PATIENT-TOTAL MOVE WS-HOLD-PATIENT-NUM TO DL-PATIENT-NUMBER WRITE REPORT-REC-OUT FROM DL-PATIENT-LINE AFTER ADVANCING 2 LINES ADD WS-PATIENT-TOTAL TO WS-HOSPITAL-TOTAL IF MORE-RECORDS MOVE ZEROS TO WS-PATIENT-TOTAL MOVE PATIENT-NUMBER-IN TO WS-HOLD-PATIENT-NUM END-IF. 400-HOSPITAL-BREAK. PERFORM 300-PATIENT-BREAK MOVE WS-HOSPITAL-TOTAL TO DL-HOSPITAL-TOTAL WRITE REPORT-REC-OUT FROM DL-HOSPITAL-LINE AFTER ADVANCING 2 LINES IF MORE-RECORDS MOVE ZEROS TO WS-HOSPITAL-TOTAL MOVE HOSPITAL-NUMBER-IN TO WS-HOLD-HOSPITAL-NUM PERFORM 500-HEADING-RTN END-IF. 500-HEADING-RTN. ADD 1 TO WS-PAGE-CTR MOVE WS-PAGE-CTR TO HL-PAGE MOVE WS-HOLD-HOSPITAL-NUM TO HL-HOSPITAL WRITE REPORT-REC-OUT FROM HL-HEADING1 AFTER ADVANCING PAGE WRITE REPORT-REC-OUT FROM HL-HEADING2 AFTER ADVANCING 2 LINES. WRITE REPORT-REC-OUT FROM HL-HEADING3 AFTER ADVANCING 2 LINES. 600-INITIALIZATION-RTN. OPEN INPUT FILE-IN OUTPUT FILE-OUT *159 ACCEPT WS-DATE FROM DATE YYYYMMDD MOVE WS-YR TO HL-YR MOVE WS-MO TO HL-MO MOVE WS-DAY TO HL-DAY. 700-END-OF-JOB-RTN. CLOSE FILE-IN FILE-OUT.

  • Security problem

    - by Mehmet Kaleli
    Hi all. I have a security problem in my website. A script code was added into all my pages, like "<script src="Ip address/viewpic.asp"></script>". It is between the </head> and <body> tags. Now Google says "this site may be harmful for your pc!" about my site. How can I secure my website? I use C# and Visual Studio 2008.

  • Methods for ensuring security between users in multi-user applications

    - by Emilio
    I'm writing a multiuser application (.NET - C#) in which each user's data is separated from the others and there is no data that's common between users. It's critical to ensure that no user has access to another user's data. What are some approaches for implementing security at the database level and/or in the application architecture to accomplish this? For example (and this is totally made up - I'm not suggesting it's a good or bad approach) including a userID column in all data tables might be an approach. I'm developing the app in C# (asp.net) and SQL Server 2008. I'm looking for options that are either native in the tools I'm using or general patterns.

  • Help with Role Based Security.

    - by Bill K
    Hello, I'm trying to understand role based security and I have the following method:

        [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
        static void Test()
        {
            // administrators only can call this code
        }

    What I wanna do is that only users that are members of the Windows Administrators group can call this code, however, if I do the following, it works:

        GenericIdentity genericIdentity = new GenericIdentity("test", "test");
        GenericPrincipal genericPrincipal = new GenericPrincipal(genericIdentity, new string[] { "Administrators" });
        AppDomain.CurrentDomain.SetThreadPrincipal(genericPrincipal);
        Test();

    So, how can I make it work only if the user is in the Administrators Windows group? Thanks!

  • Quick MySQLi security question

    - by Benjamin Falk
    I have a quick MySQLi security related question... For example, take a look at this code (gets input from the user, checks it against the database to see if the username/password combination exists):

        $input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
        $input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
        // query db
        if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username=? AND password = ?")) {
            $stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt']));
            $stmt->execute();
            $stmt->store_result();
            // check if there is a match in the database for the user/password combination
            if ($stmt->num_rows > 0) {}
        }

    In this case, I am using htmlentities() on the form data, and using a MySQLi prepared statement. Do I still need to be using mysql_real_escape_string()?

  • Reading data from a socket, considerations for robustness and security

    - by w.brian
    I am writing a socket server that will implement small portions of the HTTP and the WebSocket protocol, and I'm wondering what I need to take into consideration in order to make it robust/secure. This is my first time writing a socket-based application so please excuse me if any of my questions are particularly naive. Here goes: Is it wrong to assume that you've received an entire HTTP request (WebSocket request, etc) if you've read all data available from the socket? Likewise, is it wrong to assume you've only received one request? Is TCP responsible for making sure I'm getting the "message" all at once as sent by the client? Or do I have to manually detect the beginning and end of each "message" for whatever protocol I'm implementing? Regarding security: What, in general, should I be aware of? Are there any common pitfalls when implementing something like this? As always, any feedback is greatly appreciated.

  • Security issues with rights to Network Service account

    - by Shrewd Demon
    Hi, I have a page where the user can upload files to the server. Due to some problem related to account rights it was not working. Then I gave full rights to the Network Service account. I just wanted to know if there are any security breaching related issues with this solution, because I will be publishing the same to the client. If there are problems with this then kindly help with a proper solution. Any help will be appreciated... Thank you.

  • Testing ASP.NET security in Firefox

    - by blahblah
    I'm not sure whether this question belongs on StackOverflow or SuperUser, but here goes nothing... I'm trying to test out some basic security problems on my personal ASP.NET website to see exactly how the custom validators, etc. work when tampering with the data. I've been looking at the Firefox extension TamperData which seems to do the trick, but it doesn't feel very professional at all. The issues I'm having with TamperData is that the textbox for the POST data is way too small to hold the ASP.NET view-state, so I have to copy that data into Emacs and then back again to be productive at all. I also don't like that there doesn't seem to be an option to only tamper with data which is from/to localhost. Any ideas on better extensions for the task or better methods to test it?

  • Multiple webservices in 1 ear/ejb project

    - by arinte
    We have an ejb project (which is in an ear) that shares quite a bit of code between 2 webservices. The classes that the webservices expose are in different packages but they have different names. For example:

        Web service1: com.d.trunk.Response WS1.process( com.d.trunk.Input );
        Web service2: com.d.fwd.Response WS2.process( com.d.fwd.Input );

    So this builds fine, but when we deploy and we view the generated wsdl and the generated xsd things begin to go a bit haywire. So if we look at web service 2 it generates the wsdl and xsd as we expect. But when we look at ws 1's wsdl for some reason it includes the xsd from ws 2 and its own xsd. And its own xsd is missing key types like the Response type. Is this an issue because we have 2 web services in 1 ejb project? Or some config issue with Netbeans 6.7.1 and glassfish v2?

  • What would you like to see in a beginner's ASP.NET security book

    - by blowdart
    This is a shameless information gathering exercise for my own book. One of the talks I give in the community is an introduction to web site vulnerabilities. Usually during the talk I can see at least two members of the audience go very pale; and this is basic stuff, Cross Site Scripting, SQL Injection, Information Leakage, Cross Site Form Requests and so on. So, if you can think back to being one, as a beginning web developer (be it ASP.NET or not) what do you feel would be useful information about web security and how to develop securely? I will already be covering the OWASP Top Ten (And yes this means stackoverflow will be in the acknowledgements list if someone comes up with something I haven't thought of yet!) It's all done now, and published, thank you all for your responses

  • Security in API authentication

    - by Carlos
    We are in the process of revamping our server side API, and we need to manage security. Our current model requires that a credentials object (containing user, password, and pin) be included in each method invocation. Our development team, however, has decided that we should have session objects instead (which is fine by me), but the new credentials are just a GUID. This is very different from what I've seen in other APIs in our industry, so I'm a bit concerned about how secure the new model will be. I asked them if they had analyzed both alternatives, and they said they haven't. Does anyone know if there're any clear advantages, disadvantages, risks, etc. of using a set of credentials versus just one element (complex as it may be)? PS: the communication channel would be secure in either case, and it's separate from this particular topic

  • google account security ?

    - by Chez
    I want to write a web-app which would ask the user to pass their google account (user and pwd) so that it can access their google data. I understand google supports alternative ways to do this, such as AuthSub and OathAuthSub. Also google discourages apparently clientLogin (which would be my approach) for web apps. My question is: if I were asking the user to register to my app by passing me a 'read only' google account ? so effectively I don't ask them to pass me their account but to create another account which is readonly. does anybody see anything wrong with this ? am I missing something ? Since their google account continues to be the admin they don't risk (in terms of security) anything. Any help would be welcome ? Thanks

  • Apache security for multi-user development web server.

    - by mrmartinblue
    I've been searching and reading through documents all morning and understand that I need to use some combination of chown and probably 'jailing' to securely give programmers access to directories on my centos webserver. Here's the situation: I have an apache web server that has any number of virtual sites located in /var/www/site1 /var/www/site2 etc.. I have different developers that need full access both ssh and vsFTP to only the site they are working on. What is the best way to create and maintain security in this scenario. My thought would be to create a new user for each coder, jail that user to the website directory they are allowed to work in, add their user to a group and set the webroot's owner to that group. Any thoughts? Good, bad, ugly? Thanks!

  • Spring security and Struts 2

    - by Thanksforfish
    I have a struts2 action with an @Secured({"ROLE_ADMIN"}) to secure the execute method. In the execute method I assign a message to a member variable of the action, then return SUCCESS and end up on the jsp page. On the page I retrieve the action's member variable with <s:property>.

        private String greeting;

        public String execute() throws Exception {
            this.greeting = "Hello";
            return SUCCESS;
        }
        // getters and setters for greeting
        ...
        <s:property value="greeting" />

    The problem is when the secured annotation is present the jsp shows nothing for the member variable, but when @Secured is removed the whole thing behaves properly and shows the message that was set into the member variable. It appears that the actual security is working ok but when enabled via the annotation the member variable (or maybe the instance of the action) is not making its way onto the value stack. I can't see any error messages.

  • ASP.Net Roles: Page-Level Security Question

    - by jlrolin
    We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to. We can limit the menu's options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or having old bookmarks. Obviously, we need some sort of page level access. A simple function in our Base Page class that checks the role in the Arraylist against the page's assigned role would work, but I was wondering if there was any built-in functionality to support this or a cleaner solution possibly.

  • Handling user security scope with nHibernate or other ORM

    - by Schotime
    How should one handle the situation where you may need to filter by a group of users? Here is the scenario. I have an administrator role in my company. I should be able to see all the data belonging to me plus all the other users who I have control over. A plain old user however should only be able to access their own data. If you are writing regular SQL statements then you can have a security table with every user and who they have access to, but I'm not sure how to handle this situation in the OO and ORM world. Anyone dealt with this scenario in a web application using an ORM? Would love to hear your thoughts!

  • help in security assignment

    - by scatman
    I have to write a program that sniffs network packets (part 1 - the simple part), and I have to update the program (part 2) so that it will be able to terminate connections. The specific requirements are: construct raw packets by specifying data link layer and network layer information including appropriate source and destination MAC and IP addresses. These packets are intended to terminate the connection. To do so, you should use SOCK_RAW as the socket type to be able to set the header information by yourself. Can anybody give me some ideas on the second part? Should I hijack the session, apply a DoS attack on one of the users?? All I need is some tips on how to terminate the connection. I am using the C programming language, and this is a course assignment for the security course.

  • Form Security (discussion)

    - by Eray Alakese
    I'm asking for brainstorming and sharing experience. Which method are you using for form submitting security? For example, to block automatically sent POST or GET data, I'm using this method:

        // Generating random string
        <?php $hidden = substr(md5(microtime()), "-5"); ?>
        <form action="post.php" ....
        // assign this random string to a hidden input
        <input type="hidden" value="<?php echo $hidden; ?>" name="secCode">
        // and then put this random string to a session variable
        $_SESSION["secCode"] = $hidden;

        **post.php**
        if ($_POST["secCode"] != $_SESSION["secCode"]) {
            die("You have to send this form, on our web site");
        }

  • Security question

    - by Syom
    In my CMS I have index.php, where the client must enter a username and password. If they are correct, he'll move to admin.php, where the CMS is. But now a hacker can enter cms/admin.php, so my security now is awful. I know that I can use the $_SESSION variable. In index.php I can give some value to $_SESSION['success']:

        $_SESSION['success'] = TRUE

    and in admin.php just verify it:

        if ($_SESSION['success'] == TRUE) { my script here... } else header("Location: index.php");

    But I want to reach this effect without SESSION. Could you give me an idea how I can do it? Thanks

  • Security of PHP script, embedded or otherwise

    - by typoknig
    Hi all, I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as "webpage.php") or on a PHP script that may be referenced by an HTML page (that is, a PHP script that is not actually part of a webpage that exists on the server as "something.php" and is referenced by "webpage.html"). Getting to the point, let us say that if the source code of my PHP script is known by anyone it would be a very big problem. I know that when you view the source of a PHP page in a browser the PHP script is not shown, but what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script? To be more general, is there ANY possible way that a user could access the source of a PHP script from a web browser, and if so, how do I prevent it?
