I have an ADO.NET Data Service that exposes an Entity Framework data model (.edmx).
I need to allow / reject reads/writes to certain entities for certain users. I use Windows Authentication. All I could find is overriding the OnStartProcessingRequest:
protected override void OnStartProcessingRequest(ProcessRequestArgs args)
{
base...
What is the best & most secure way you've handled sessions in a PHP application? I want to know the best, most robust and secure method there is. :)
...
How does one deploy an ASP.NET (MVC) application to a Windows Server securely? Visual Studio 2008 seems to only support FTP, which is not secure at all (plain text passwords) and http which I'm not really sure what it is. I've been told it is for FrontPage extensions and that I should use that, but that seems to really be a second class ...
I guess everything is possible but I am wondering how easy is it for someone to hijack a connection string with a network packet analyzer or equivalent tool.
A winforms application fetches data directly from an MSSQL server.
(Supposing there are no webservices in the middle for extra protection)
1) Is it possible for someone with an a...
I am attempting to access a queue and receiving an access denied error. The confusing part is the queue is set up to allow everyone at full control as well as anonymous and machinename$ (all three are full control - it's a test system so not a big deal). I am able to successfully write to the queue but can't Peek/Read/Receive from it. I f...
What are the best strategies to secure your GWT + Tomcat app to perform authentication and authorization?
...
Hello,
My website is built using php files. I use trade secret algorithms in these files and my root password for my database is stored within these php files also. My database is used to store private medical data of many customers.
Is this considered a secure set up; can anyone download the php source from my webserver, and therefore...
Does anyone know of mechanisms to automate the generation of security policy files for a Java application, especially that of J2EE/JEE applications?
Are there tips that can be observed to generate accurate policy files without requiring an application to be rigorously tested with a near 100% coverage?
...
Ok, here is my situation:
1) I've built a free C# Compact Framework application
2) I've got a webservice where I retrieve my data (traffic related)
3) Anyone can download and use the application.
But the webservice that is being called should not be available to others.
I've been looking into security and encryption, but haven't fig...
I want to use PBKDF2 with some cryptographic hash function to generate 128-bit AES keys. SHA1 is also 128-bit, so I thought of using that with PBKDF2, but it was broken, so I have opted to use SHA256 instead. Is this safe, or will the difference between the hash size and resulting key size cause some sort of disastrous silent truncation ...
For the longest time I was considering using a JavaScript bookmarklet to generate the passwords for the different sites I visit to avoid the problem of "similar passwords everywhere", yet still be portable. However, after reading this paper it became clear to me that using this method would mean that a single malicious page could comprom...
When you have forms authentication set up to redirect to login.aspx when accessing a protected page, what's a good way to detect in login.aspx whether the user was sent there because they haven't logged on yet, or because their forms auth ticket is expired? I'd like to display a "you've timed out" message.
(I do not mention the word sess...
So I know the best practice would be to run my Flex app over SSL along with implementing other forms of security; however, that isn't an option at this point (for monetary reasons and the app simply doesn't need that much security, otherwise my sponsors would pay for it). However, I would like to implement some form of security and I'm won...
I've just read the following in the CLI specification regarding SecurityExceptions upon method calls:
The security check can occur when the CIL is converted to native code rather than at runtime.
How does Microsoft's implementation handle this?
If, for example, only a certain usergroup is allowed to access some class, and I have pla...
Hi,
I'm in the early stage of developing a web application. I'm currently reviewing whether I should use ASP.NET Membership or write my own. I'm leaning more towards using ASP.NET Membership to save me some development time. Need help to clear up some ambiguities on how to best utilize the membership database:
Membership ...
We are developing a .NET plug-in (class library) for an existing application within our enterprise. It's a desktop application which has preexisting support for plug-ins.
1) Is there a mechanism to secure the plug in to ensure that it is only invoked by the existing desktop application? (We have no control over the desktop applications c...
I'm interested in knowing what are the best practices for using role based security in MVC: how to secure your actions and make them accessible by specific roles only?
...
I'm using ASP.NET MVC.
I'm also using the MySQL connector and providers to connect to a MySQL database, which is using the ASP.NET Membership schema.
I also have a second table called 'user' which contains all the additional user data, company_id etc.
As I am going to need the (complete) User object for every page, what is the best wa...
I'm writing a pretty straight forward ASP.NET MVC web app: only a couple of CRUD pages, some folders where clients can browse documents and just 3 or 4 roles. The website will be used in a B2B scenario, where every client will have their "own" website.
At this point, the only thing that will change in the website, from client to client ...
Hi all,
I'm after some guidance on how to approach coding a problem. I don't want to jump straight into coding without thinking about it, as I need it to be as generic and customisable as possible.
The scenario is I have a web service that acts as a gateway to downstream services, with the aim of authenticating and authorising SOAP messag...