Search Results

Search found 15415 results on 617 pages for 'security groups'.

Page 85/617 | < Previous Page | 81 82 83 84 85 86 87 88 89 90 91 92  | Next Page >

  • ASP.NET MVC: Using ProfileRequiredAttribute to restrict access to pages

    - by DigiMortal
    If you are using AppFabric Access Control Services to authenticate users when they log in to your community site using Live ID, Google or some other popular identity provider, you need more than AuthorizeAttribute to make sure that users can access the content that is there for authenticated users only. In this posting I will show you hot to extend the AuthorizeAttribute so users must also have user profile filled. Semi-authorized users When user is authenticated through external identity provider then not all identity providers give us user name or other information we ask users when they join with our site. What all identity providers have in common is unique ID that helps you identify the user. Example. Users authenticated through Windows Live ID by AppFabric ACS have no name specified. Google’s identity provider is able to provide you with user name and e-mail address if user agrees to publish this information to you. They both give you unique ID of user when user is successfully authenticated in their service. There is logical shift between ASP.NET and my site when considering user as authorized. For ASP.NET MVC user is authorized when user has identity. For my site user is authorized when user has profile and row in my users table. Having profile means that user has unique username in my system and he or she is always identified by this username by other users. My solution is simple: I created my own action filter attribute that makes sure if user has profile to access given method and if user has no profile then browser is redirected to join page. Illustrating the problem Usually we restrict access to page using AuthorizeAttribute. Code is something like this. [Authorize] public ActionResult Details(string id) {     var profile = _userRepository.GetUserByUserName(id);     return View(profile); } If this page is only for site users and we have user profiles then all users – the ones that have profile and all the others that are just authenticated – can access the information. It is okay because all these users have successfully logged in in some service that is supported by AppFabric ACS. In my site the users with no profile are in grey spot. They are on half way to be users because they have no username and profile on my site yet. So looking at the image above again we need something that adds profile existence condition to user-only content. [ProfileRequired] public ActionResult Details(string id) {     var profile = _userRepository.GetUserByUserName(id);     return View(profile); } Now, this attribute will solve our problem as soon as we implement it. ProfileRequiredAttribute: Profiles are required to be fully authorized Here is my implementation of ProfileRequiredAttribute. It is pretty new and right now it is more like working draft but you can already play with it. public class ProfileRequiredAttribute : AuthorizeAttribute {     private readonly string _redirectUrl;       public ProfileRequiredAttribute()     {         _redirectUrl = ConfigurationManager.AppSettings["JoinUrl"];         if (string.IsNullOrWhiteSpace(_redirectUrl))             _redirectUrl = "~/";     }              public override void OnAuthorization(AuthorizationContext filterContext)     {         base.OnAuthorization(filterContext);           var httpContext = filterContext.HttpContext;         var identity = httpContext.User.Identity;           if (!identity.IsAuthenticated || identity.GetProfile() == null)             if(filterContext.Result == null)                 httpContext.Response.Redirect(_redirectUrl);          } } All methods with this attribute work as follows: if user is not authenticated then he or she is redirected to AppFabric ACS identity provider selection page, if user is authenticated but has no profile then user is by default redirected to main page of site but if you have application setting with name JoinUrl then user is redirected to this URL. First case is handled by AuthorizeAttribute and the second one is handled by custom logic in ProfileRequiredAttribute class. GetProfile() extension method To get user profile using less code in places where profiles are needed I wrote GetProfile() extension method for IIdentity interface. There are some more extension methods that read out user and identity provider identifier from claims and based on this information user profile is read from database. If you take this code with copy and paste I am sure it doesn’t work for you but you get the idea. public static User GetProfile(this IIdentity identity) {     if (identity == null)         return null;       var context = HttpContext.Current;     if (context.Items["UserProfile"] != null)         return context.Items["UserProfile"] as User;       var provider = identity.GetIdentityProvider();     var nameId = identity.GetNameIdentifier();       var rep = ObjectFactory.GetInstance<IUserRepository>();     var profile = rep.GetUserByProviderAndNameId(provider, nameId);       context.Items["UserProfile"] = profile;       return profile; } To avoid round trips to database I cache user profile to current request because the chance that profile gets changed meanwhile is very minimal. The other reason is maybe more tricky – profile objects are coming from Entity Framework context and context has also HTTP request as lifecycle. Conclusion This posting gave you some ideas how to finish user profiles stuff when you use AppFabric ACS as external authentication provider. Although there was little shift between us and ASP.NET MVC with interpretation of “authorized” we were easily able to solve the problem by extending AuthorizeAttribute to get all our requirements fulfilled. We also write extension method for IIdentity that returns as user profile based on username and caches the profile in HTTP request scope.

    Read the article

  • Securing data inside Azure SQL? Any good libraries or DIY?

    - by Sid
    Azure SQL doesn't support many of the encryption features found in SQL Server (Table and Column encryption). We need to store some sensitive information that needs to be encrypted and we've rolled our own using AesCryptoServiceProvider to encrypt/decrypt data to/from the database. This solves the immediate issue (no cleartext in db) but poses other problems like Key rotation (we have to roll our own code for this, walking through the db converting old cipher text into new cipher text) metadata mapping of which tables and which columns are encrypted. This is simple with it's a few but quickly gets out of hand ... So are there any libraries out there that do this well? Any other resources or design patterns I can be pointed to?

    Read the article

  • game multiplayer service development

    - by nomad
    I'm currently working on a multiplayer game. I've looked at a number of multiplayer services(player.io, playphone, gamespy, and others) but nothing really hits the mark. They are missing features, lack platform support or cost too much. What I'm looking for is a simple poor man's version of steam or xbox live. Not the game marketplace side of those two but the multiplayer services. User accounts, profiles, presence info, friends, game stats, invites, on/offline messaging. Basically I'm looking for a unified multiplayer platform for all my games across devices. Since I can't find what I'm planning to roll my own piece by piece. I plan to save on server resources by making most of the communication p2p. Things like game data and voice chat can be handled between peers and the server keeps track of user presence and only send updates when needed or requested. I know this runs the risk of cheating but that isn't a concern right now. I plan to run this on a Amazon ec2 micro server for development then move to a small to large instance when finished. I figure user accounts would be the simplest to start with. Users can create accounts online or using in game dialog, login/out, change profile info. The user can access this info online or in game. I will need user authentication and secure communication between server and client. I figure all info will be stored in a database but I dont know how it can be stored securely and accessed from webserver and game services. I would appreciate and links to tutorials, info or advice anyone could provide to get me started. Any programming language is fine but I plan to use c# on the server and c/c++ on devices. I would like to get started right away but I'm in no hurry to get it finished just yet. If you know of a service that already fits my requirements please let me know.

    Read the article

  • HTG Explains: What Is Two-Factor Authentication and Should I Be Using It?

    - by Jason Fitzpatrick
    More and more banks, credit card companies, and even social media networks and gaming sites are starting to use two-factor authentication. If you’re a little unclear on what it is or on why you’d want to start using it, read on to learn how two-factor authentication can keep your data secure. HTG Explains: What Is Two-Factor Authentication and Should I Be Using It? HTG Explains: What Is Windows RT and What Does It Mean To Me? HTG Explains: How Windows 8′s Secure Boot Feature Works & What It Means for Linux

    Read the article

  • Does the deprecation of mysql_* functions in PHP carry over to other Databases(MSSQL)?

    - by MobyD
    I'm not talking about MySQL, I'm talking about Microsoft SQL Server I've been aware of PDO for quite some time now, standard mysql functions are dangerous and should be avoided. http://php.net/manual/en/function.mysql-connect.php But what about the MSSQL function in PHP? They are, for most purposes, identical sets of functions, but the PHP page describing mssql_* carries no warning of deprecation. http://us.php.net/manual/en/function.mssql-connect.php There are PDO drivers available for MSSQL, but they aren't quite as readily available or used as the MySQL drivers. Ideally, it looks to me like I should get them working and move from mssql_* to PDO like I have with MySQL, but is it as big of a priority? Is there some hidden safety to MSSQL that means it's exempt from all of the mysql_* hatred as of late? Or is its obscurity as a backend the only reason there hasn't been more PDO encouragement?

    Read the article

  • Which tool to use for "home banking"?

    - by Huygens
    I would like to manage my bank accounts in a secure manner on Ubuntu. I saw several applications in the Software Centre, but I don't know which one to choose. I don't need fancy features like stock options. I just have regular accounts which I want to follow, I don't want complicated stuff. As bank data are quite sensitive, I would highly prefer an application that does encryption of the data. Though, if you have a really cool app but it does not have this feature, as long as it offers to store the data in one dedicated place, I could do with encrypting that place. So what tool do you use that could fit my needs?

    Read the article

  • How to disable cryptswap?

    - by mit
    How can I disable cryptswap? I would like an unencrypted swap like before. This is on an ubuntu 9.10 system. It worked. First I removed the lines from /etc/fstab and /etc/crypttab. But it was not possible (and maybe not necessary?) to use the command sudo cryptsetup remove crytswap1 Before rebooting it was not possible (because cryptswap1 was still in use) and after rebooting cryptswap1 was already inactive. I removed cryptsetup from the system afterwards: sudo aptitude remove cryptsetup

    Read the article

  • Building TrueCrypt on Ubuntu 13.10

    - by linuxubuntu
    With the whole NSA thing people tried to re-build identically looking binaries to the ones which truecrypt.org provides, but didn't succeed. So some think they might be compiled with back-doors which are not in the source code. - So how compile on the latest Ubuntu version (I'm using UbuntuGNOME but that shouldn't matter)? I tried some tutorials for previous Ubuntu versions but they seem not to work any-more? edit: https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/ Now you might think "ok, we don't need to build", but: To build he used closed-source software and there are proof-of-concepts where a compromised compiler still put backdoors into the binary: 1. source without backdoors 2. binary identically to the reference-binary 3. binary contains still backdoors

    Read the article

  • What is the best policy for allowing clients to change email?

    - by Steve Konves
    We are developing a web application with a fairly standard registration process which requires a client/user to verify their email address before they are allowed to use the site. The site also allows users to change their email address after verification (with a re-type email field, as well). What are the pros and cons of having the user re-verify their email. Is this even needed? EDIT: Summary of answers and comments below: "Over-verification annoys people, so don't use it unless critical Use a "re-type email" field to prevent typos Beware of overwriting known good data with potentially good data Send email to old for notification; to new for verification Don't assume that the user still has access to the old email Identify impact of incorrect email if account is compromised

    Read the article

  • After Installation Whole Disk Encryption? 12.04

    - by Luke
    I know some fragments of this question have been asked in previous posts and I have reviewed them - however I have a more thorough question... I did not choose to do whole disk encryption when I used the alternative installer to install my 12.04 distro. I thought that truecypt worked with linux on system drive (whole disk) encryption - but sadly found out it did not. I have totally tweaked and pimped out my installation and I do not want to have to go back and "install" to just get whole disk encryption. Any alternatives that anyone knows of? I don't want just /home... I want the whole system installation protected and made secure so that when I boot I get a password to unencrypt.

    Read the article

  • Hide admin menu if no admin option is available

    - by Jorge
    If you have a menu "Admin tasks" and different admin tasks (like 10) that you could separately assign to each user, but there are users who don't have any admin tasks, how would you deal with "Hiding admin menu" for those users? I was thinking of 3 ways: 1) Javascript, check if Admin menu is empty and then hide it. 2) Check for all permissions in Admin menu, with a counter, and show it if counter 0. And then also re-check the permissions for each item to show. 3) Save all permissions in associative array. Test all and assign ' true' to granted items. When building the menu, have a function that tests if there is at least one permission granted. I wouldn't need to re-check permissions against DB, just against the array for each item. Is there any better way?

    Read the article

  • Secure login for a game that is open source

    - by David Park
    I am making a game which i will be open sourcing. Its a simple arcade like game but requires a network connection because it is meant to be played with other people. The thing i am worrying about is how would i be sure that the client is the one that i put out for the end user to play with? Kind of a like of sv_pure for Team Fortress 2. I was thinking of different ways to combat this such as the server requesting the client's version or even it's md5 hash but people with simple java knowledge could just force a method to always return what the server wants.

    Read the article

  • How would I tell if a prospective client website is under DDoS attack?

    - by artlung
    I have a person asking me whether the DDoS Mitigation Service they're using is worth it. This is out of my expertise, but clearly at some point someone sold this service to the client. Assuming I don't have anything but a domain name, what information can I gather about whether they are indeed under attack and/or how well the DDoS Mitigation Service is working? Assume I don't have any administrative access to the site/server(s) in question.

    Read the article

  • How disable mysql command in sudoers file?

    - by Carlos A. Junior
    How i can disable /usr/bin/mysql command in sudoers file ? ... Actually I've tryed use with this way: %tailonly ALL=!/usr/bin/mysql But when i'm access if user 'tailonly' of group 'tailonly', this command still enabled. In resume, i'm only want that 'tailonly' user access 'tail -f /usr/app/*.log' ... This is possible ? Edit: With this config, the user 'tailonly' still can access mysql terminal with 'mysql' command: $: sudo su $: visudo Cmnd_Alias MYSQL = /usr/bin/mysql Cmnd_Alias TAIL=/usr/bin/tail -f /jacad/jacad3/logs/*.log # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL %swa ALL=/etc/init.d/jacad3 stop %swa ALL=/etc/init.d/jacad3 start %swa ALL=/etc/init.d/jacad3 restart %swa ALL=sudoedit /jacad/jacad3/bin/jacad_start.sh %tailonly ALL=ALL,!MYSQL

    Read the article

  • Validating allowed characters or validating disallowed characters

    - by Tom
    I've always validated my user input based on a list of valid/allowed characters, rather than a list of invalid/disallowed characters (or simply no validation). It's just a habit I picked up, probably on this site and I've never really questioned it until now. It makes sense if you wish to, say, validate a phone number, or validate an area code, however recently I've realised I'm also validating input such as Bio Text fields, User Comments, etc. for which the input has no solid syntax. The main advantage has always seemed to be: Validating allowed chars reduces the risk of you missing a potentially malicious character, but increases the risk the of you not allowing a character which the user may want to use. The former is more important. But, providing I am correctly preventing SQL Injection (with prepared statements) and also escaping output, is there any need for this extra barrier of protection? It seems to me as if I am just allowing practically every character on the keyboard, and am forgetting to allow some common characters. Is there an accepted practice for this situation? Or am I missing something obvious? Thanks.

    Read the article

  • Checking for cross-site scripting vulnerabilities in Perl web applications

    - by David Scholefield
    I'm putting together some notes for a dev team on how to write secure Perl code - especially taking into account the current OWASP top 10 web application vulnerabilities. For cross-site scripting I've included information on ensuring that all output to the browser is checked and escaped where necessary, but I'm looking for more automated mechanisms that would mean a developer doesn't have to think about every output statement and, potentially, miss one. Perl's 'taint' function sounds like it should be a help because it distrusts all user input, but it doesn't complain on tainted data being output to the browser. Apart from checking all output statements individually (probably by calling a generic sanitizing function) does anyone have any ideas on how Perl can help with this with existing libraries or techniques?

    Read the article

  • A good tool for browser automation/client-side Web scripting

    - by hardmath
    I'm interested in adopting a tool/scripting language to automate some daily tasks connected with fighting forum spammers. A brief overview of these tasks: analyze new registrations and posts on a phpBB forum, and delete or deactivate spammers using a website/community that collects such spam reports. Typically such automation is integrated into the phpBB installation itself, which certainly has its advantages. My approach has the advantage of independent operation, etc. One way to think about this is in terms of browser automation. I've used iOpus iMacros for Firefox (the free version) in the past to respond to individual spammers, but current attacks are highly distributed. My "logic" for pigeonholing spammers vs. nonspammers seems beyond the easy reach of the free version of iMacros. From a more technical perspective one can think about dispensing with the browser altogether and programming GET/POST requests directed to my forum and other Web-based resources. I'm familiar with some scripting languages like Ruby and Lua, but I could be persuaded that a compiled application is better suited for these tasks. However in my experience the dynamic flexibility of interpreted environments is very useful in prototyping and debugging the application logic. So I'm leaning in the direction of scripting languages. Among browsers I favor Firefox and Chrome. I use both Windows and Linux platforms, and if the tool can adapt to an Android platform, it would make a neat demonstration of skills, yes? Thanks in advance for your suggestions!

    Read the article

  • modifying openssl library code

    - by Nouar Ismail
    I am ordered to check the availability to customize an encryption algorithm the IPsec protocol use in Ubuntu, if anyone have any suggestion about this point?. I've read that the encryption operation occur in libcrypto in openssl. when I tried to compile and install OpenSSL from source ..I had everything ok with the installation, but when to check the version installed on the system, with "dpkg -s openssl", it didn't seem that it's the version i had already installed, maybe it had been installed successfully, but the question is: would it be the version the system use for encryption operations? would it overwrite the old version? and would my changes in code have effects ? any help please? thank you in advance.

    Read the article

  • Free forum engine with good anti-attack mechanisms

    - by macias
    I am looking for forum engine (for discussions) with good attack countermeasures built in. Windows (preferrably) or Linux. Free (as beer). I think about registration flooding and blocking user accounts attacks. For registration, such engine should have at least: captcha blocking mulitple registrations from the same IP providing login (for logging in) and user name (for displaying the author of the posts) For logging in: no blocking on multiple tries -- instead after X try sending via mail a token, the third piece needed for next login -- without it logging in will be impossible (it would be similar to activation process) The engine should be designed with two ideas in mind: protecting engine against attacks 0 penalty for decent users Thank you in advance for your help and recommendations.

    Read the article

  • Is SimplePHPBlog a secure blogging engine?

    - by authentictech
    Has anyone used the blog engine SimplePHPBlog? It is a simple blog engine that uses only text files (no database). My problem with it is that the content directory where the texts files are stored appears to require being world writeable/readable (i.e. permission 777) for it to work. This means anyone can access the text files with a browser! These text files include the blog/comment poster's IP and email address! This is not secure or good practice, right?

    Read the article

  • How do I avoid spam domains pointing to my site or IP

    - by Amol Ghotankar
    I came across an issue where I saw some xyz.com is pointing to mydomain.com. How do I avoid spam domains pointing to my domain? I read some posts about setting my virtual hosts and such, but nothing specific about how to avoid it in the first place. I searched on Google but most answers are for HTTP servers and there are no exact answers for Tomcat 7. I am not using Apache or IIS, but Tomcat directly.

    Read the article

  • How to protect your real time online shooter from potential bots

    - by Zaky German
    I'm looking to create a multiplayer top down shooter. While i've read about different topics, i can see them i've got some real challenges ahead, but i'm all up for it. One thing i can't understand is how am i supposed to be protecting the game from people who try to create bots? What i mean is, as far as i understand, it's impossible to protect the network traffic in a way that players won't be able to create programs that listen to what's going on and understand it. So what worries me is that people can create bots that listen to the current location of rival players, and send communication that mimic as if the player is shooting in the exact "perfect" location to win that match. So what kind of techniques are used to protect real time games from such bots? Also i'd like to mention that i've tried searching for discussions (as this sounds like something many people struggle with), but couldn't find anything about it specifically, only as a part of broader questions about networking in real time games. If i should have looked harder feel free to put me in my place :) Thanks alot!

    Read the article

  • PCI compliance when using third-party processing

    - by Moses
    My company is outsourcing the development of our new e-commerce site to a third party web development company. The way they set up our site to handle transactions is by having the user enter the necessary payment info, then passing that data to a third party merchant that processes the payment, then completing the transaction if everything is good. When the issue of PCI/DSS compliance was raised, they said: You wont need PCI certification because the clients browser will send the sensitive information directly to the third party merchant when the transaction is processed. However, the process will be transparent to the user because all interface and displays are controlled by us. The only server required to be compliant is the third party merchant's because no sensitive card data ever touches your server or web app. Even though I very much so trust and respect the knowledge of our web developers, what they are saying is raising some serious red flags for me. The way the site is described, I am sure we will not be using a hosted payment page like PayPal or Google Checkout offers (how could we maintain control over UI if we were?) And while my knowledge of e-commerce is laughable at best, it seems like the only other option for us would be to use XML direct to communicate with our third party merchant for processing. My two questions are as follows: Based off everything you've read, is "XML Direct" the only option they could conceivably be using, or is there another method I don't know of which they could be implementing? Most importantly, is it true our site does not need PCI certification? As I understand it, using the XML direct method means that we do have to be PCI/DSS certified, and the only way around getting certified is through a payment hosted page (i.e. PayPal).

    Read the article

  • Performing user authentication in a CodeIgniter controller constructor?

    - by msanford
    In "The Clean Code Talks -- Unit Testing" (http://youtu.be/wEhu57pih5w), Miško Hevery mentions that "as little work as possible should be done in constructors [to make classes more easily testable]'. It got me thinking about the way I have implemented my user authentication mechanism. Having delved into MVC development through CodeIgniter, I designed my first web application to perform user authentication for protected resources in controllers' constructors in cases where every public function in that controller requires the user to be authenticated. For controllers with public methods having mixed authentication requirements, I would naturally move the authentication from the constructor to each method requiring authentication (though I don't currently have a need for this). I made this choice primarily to keep the controller tight, and to ensure that all resources in the controller are always covered. As for code longevity and maintainability: given the application structure, I can't foresee a situation in which one of the affected controllers would need a public method that didn't require user authentication, but I can see this as a potential drawback in general with this implementation (i.e., requiring future refactoring). Is this a good idea?

    Read the article

  • Had anybody earned $0.25+ from each of a captcha (on your website) passing?

    - by vgv8
    I am a real dummy in web monetizing schemes. [ 1 ] informs: "Solve [Media] charges a fee of about 25 cents to 50 cents for each form that is filled out using a Type-In ad [captcha]... the company splits its fees 50-50 with the websites where the ads are placed" Honestly, I cannot imagine that someone (in its proper senses) pasy that much money for just one captcha passed. And how to understand these claims? http://www.solvemedia.com/images/ie9_aboutcalcount.png shows: Why would Microsot pay 0.25-0.5 USD for each entered string "Be part of the Beta"? Has any of webmasters (sysadmins) got those from deployed SolveMedia captchas on their websites? Is it scam? Because if to check the sites mentioned in http://www.solvemedia.com/gallery.html, that is, for ex., http://www.toyotanation.com/forum/register.php?do=register, the latter do not have such captchas. What do I miss? Cited: [ 1 ] Jennifer Valentino-DeVries "An Online Ad That’s Tough to Ignore" WallStreet Journal Blog SEPTEMBER 20, 2010 http://blogs.wsj.com/digits/2010/09/20/an-online-ad-thats-tough-to-ignore/

    Read the article

< Previous Page | 81 82 83 84 85 86 87 88 89 90 91 92  | Next Page >