CONTEXT
I have just been reading about Zend ACL
http://framework.zend.com/manual/en/zend.acl.html
QUESTION
I'm running three Zend applications on one server.
My Front End App
My Front End-Members App
My Back End App (Site Owner's Admin)
Within the applications I'm considering having two types of ACL.
Application Wide ACL - ''ap...
Hi, I've been coding in C++, Matlab, and similar languages for scientific purposes for quite some time now, but I recently wanted to get into web programming. I've taught myself HTML and CSS and I've dabbled in Javascript, PHP, and mySQL. I would really like to start making more advanced, user-driven websites (if that makes sense - ult...
In the .net framework, I want to store some info inside of a component. Assuming that info isn't publicly exposed as a property, is it secure? Can someone see exactly HOW a component/control is configured? (with regards to the properties panel)
Short of decompiling, is there any way this could be insecure? I know it isn't the most secur...
Hi guys!
I implemented a gSoap c++ webservice-server to be accessed by Flash (as3). Everything runs smooth as long as I test the .swf locally, the .wsdl is loaded fine, and the communication works, even with the server running on an external ip already.
But the moment I put that .swf online, it's coming up with sandbox security violat...
I'm wondering if there are any demo sites which show different cases where HTTPS is misconfigured or broken. Or does anyone know of websites in the wild that display various broken / misconfigured HTTPS cases? ... Perhaps ideas on how to track them down with a search engine? I'm looking for sites which exhibit broken https behaviors, for...
I understand better some concepts when I write toy programs for isolated aspects of the problem at hand. For instance, for encryption you can write a program to encrypt and then decrypt a string.. and see that you get the initial string.
What toy programs do you suggest that I write to understand certificates? (server/client interaction...
We use LINQ to Entities to write entries into an Audit database (SQL Server 2008). Since this is a dedicated Audit database, we only insert rows - we never read any rows, update or delete them from the auditing application.
The auditing application should use the principle of Least Privilege, so we don't wish to grant it more permission...
I am working on a project to prevent applications from being launched from removable devices.
Does anyone out there know how I can do this? Preferably in C++ on the Windows platform.
My aim is to prevent execution of the exe file even if the user double clicks it or even if he tries to launch it from the command line.
...
Hi,
I have defined dimension security in my OLAP cube by creating roles and assigning users to each role. Each user in a role can only see the location they belong to.
When I browse the cube using a role, I see the correct location for that role. But, when I browse the cube using the "Other User" feature in "Change User" and test it for the...
I've got an HTML-only website (with a bit of inconsequential javascript). The static pages are generated from a photo-blogging program that I created. There are hundreds of pages and thousands of pictures.
I'm considering adding very basic security to the site (as a marginal impediment to someone who's casually attempting to access th...
I have different environments for my application (Dev -> Test -> Prod), and I'm using MSMQ.
I also have the name of the queues (they are remote queues) I use via config files, in the following format:
FormatName:Direct=SERVER_NAME\Private$\MY_QUEUE
My problem is that SERVER_NAME is different in the different environments, and I'd lik...
I need to implement UserName authentication for my web service.
Currently I am considering these two approaches
SOAPHeader: http://www.codeproject.com/KB/cpp/authforwebservices.aspx
UserNameToken: WSE 3.0: http://msdn.microsoft.com/en-us/library/aa480575.aspx
Can anyone tell me pros-cons of these approaches?
One of the major doubt ...
We recently attempted to add ip address validation to our website's login security. So in addition to having a cookie with valid credentials, we checked that your ip address on page request matched the one you initially signed in with. The idea was that if your cookie is stolen, a different user cannot impersonate you unless they actua...
I would like, when running a local program, for this program to be able to check in the current directory for a certificate and only if it finds this certificate to be valid, to give the user access to the rest of its functionalities.
Does it sound far-fetched? Or is this similar to what AIR or iPhone applications do?
What certificate ...
We don't have BES deployed to set the IT policy and turn on content protection on the device. So, it has to be done programmatically. I can see that such permissions can be requested by using ApplicationPermissions and ApplicationPermissionsManager. But after such permissions are given by the user, how to actually change the setting?
I k...
I want to make my application run other people's code, aka plugins. However, what options do I have to make this secure so they don't write malicious code? How do I control what they can or cannot do?
I have stumbled around that JVM has a "built in sandbox" feature - what is it and is this the only way? Are there third-party Java lib...
I'm developing a Flex 3.4 app that interops with a Java EE backend running on a JBoss-4.2.2 server, through the most recent release of BlazeDS. When I ran the Flex app from Flash Builder 4 beta 2 on Tomcat, everything was fine, the Flex app was able to make the remote call needed. But my production environment is on JBoss, and when I mov...
Hi, there are probably plenty of you here who have done secure payment forms in their lives, and so have I. My question is general: what, from your experience, is the "more right" way to process these forms? I'm not talking about SSL or server-based security but about the programming itself, using pseudo code ...
Thanks
...
I would like to find (mature) API alternatives to use TPM (Trusted Platform Module) functionality on Linux (and maybe other *nix). I'm interested in trusted encrypt/decrypt functions for authentication (probably integrating with Kerberos).
I found jTSS (for Java) and TrouSerS, but I would like to know about other alternatives, if any. "G...
Background:
The grails application I am developing has a few levels of granular security. First the least granular is at the controller level. Either you can view a specific page or you cannot (I am using the Acegi spring security plugin). The second level of security is in the service layer via an AOP approach. You can either access a c...