security

Data-related security Implementation

Using Shiro we have a great security framework embedded in our enterprise application running on GF. You define users, roles, permissions and we can control at any fine-grain level if a user can access the application, a certain page or even click a specific button. Is there a recipe or pattern, that allows on top of that, to restrict a...

Check for C# app needed permissions

Is there any util or any other way to check what permissions a C# application needs to run without problems? I have a somewhat big application code that I'm not familiar with and I thought if there's a way to check it without going through all the code and logic it will save me a lot of time. Thanks. ...

Posting transactions to PayPal and security

PayPal has a method where we can post our transaction to PayPal via a form. Isn't it possible for someone to construct our form and post to PayPal over and over again? I know no real harm can happen as they would have to enter their CC information on PayPal to continue, but they could cause a lot of trouble by posting hundreds of fake ...

How bad are usernames and passwords stored in hidden form fields?

Suppose you've got a webapp that's passing usernames and passwords around in hidden form fields. I know it's a very bad idea, but I'm interested in enumerating why... any thoughts? update - This is a hypothetical question. I couldn't find a resource that just enumerated the reasons - I know of plenty of reasons why it's a bad idea, I'...

Is it acceptable for a server-based application installer to create a new group?

We're building an application designed to run on Windows-based servers. One of the considerations we're looking into at the moment is how to control access to the application's GUI, which allows configuration and controls the "back end" services. In order to secure the application properly, there are several objects which will need ACLs...

How does software activation work?

I have tried searching, and all questions are related to specific things like "how to generate key", and the like. Can anybody explain how different types of software activation work? ...

Django + secure mail

I tried to configure SMTP mail with a certificate on Django and I receive a 'time out' error (code 110?). I use these settings: EMAIL_HOST='some.smtp.serwer' EMAIL_HOST_PASSWORD='' EMAIL_HOST_USER='' EMAIL_PORT=495 EMAIL_USE_TLS=True The Outlook configuration guide informs about certificate installation; maybe this issue is causing this error? ...

Ajax, Check for updates, Same_origin_policy

I have this HTML manual that gets installed with my application. This manual gets updated often (3-5 times a week) and I want to warn my users if the manual is out of date. The first thing I thought of was to create a hot-linked image to my webserver that I could use to check the version that they were using and serve an 'update' im...

How to avoid plain password in mod_ldap

There is a plain password stored in mod_ldap. Is there any way to encrypt the password? AuthLDAPBindPassword password Thank you. ...

Securely Storing OpenID identifiers and OAuth tokens

I am creating a web app that will use OpenID logins and OAuth tokens with Youtube. I am currently storing the OpenID identity and OAuth token/token secret in plain text in the database. Is it inappropriate to store these values as plain text? I could use a one-way encryption for the OpenID identifier but I don't know if that is necess...

PHP: Need to Expire Sessions for my webapp, when back button is pressed

We are working on a mission critical web application, we would like to expire the application's session out when a user presses the browser back button. Please help me with my problem. Thanks in advance. ...

protect swf from being loaded by another website

Is there any "client side only" way to protect a SWF so it'd only be possible to load it from domain X? I'm aware of the server side options such as checking the referrer but unfortunately my server is a "static" CDN where this implementation isn't possible. I wonder why flash cross-domain security files do not seem to handle this sce...

cakephp form getting spammed - how?

I have a simple cakephp form WITH validation that submits to a database. It doesn't require a logged in user. Now, using the form normally via a browser and not filling in all required fields causes validation errors and the form is not submitted. However, I seem to be getting spammed by someone/something. They are filling the generic na...

Implementation of "remember me" in code igniter

How do I remember sessions, even after the browser is closed? Is there any alternative to extending the expiry time of cookies? I am using CodeIgniter ...

PHP GET variable array injection

I've recently learned that it's possible to inject arrays into PHP GET variables to perform code execution? .php?a[]=asd&a[]=asdasd&b[]=$a That was the example I was given. I have no idea how it works and was wondering if this is even possible? ...

How to empty REQUEST array?

Hello there, for my framework I want to empty/disable the REQUEST array for security reasons, and users should only use proper arrays such as POST, GET or COOKIE. But I don't know how to do it. Even something like below doesn't seem to work; it empties even GET, POST, etc. $temp_get = $_GET; $temp_post = $_POST; $temp_cookie = $_COOKIE; // ...

The URL Security

Hello there, I have made the function below for the security of URLs. I just wanted to know if there is anything I need to reconsider or change in the code below. I have made this function after reading quite some articles on security from various sources. Here is the function: // filters possible malicious stuff from URLs private function filt...

Decrypting Message with a Spring Web Service Client

350 Bounty and waffles to the person who can help me! I have been struggling with Spring Web Service encryption for days and I can't figure out how to get Spring's encryption on the message body to work. Whenever I have the server encrypt the resulting message the client doesn't seem to be decrypting it before it attempts to validate i...

Which hash function is currently a good choice for passwords?

Hi, some hash functions are today not as safe as they were some years ago. Which hash function would currently be a good choice for hashing passwords? Thanks in advance. ...

Secure connection between client and server

Hi, I'm developing a server component that will serve requests for an embedded client, which is also under my control. Right now everything is beta and the security works like this: the client sends username / password over https. The server returns an access token. The client makes further requests over http with the access token in a custom header...
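The scheme in the question above sends the access token itself in a header over plain http, so anyone on the path can read it once and reuse it indefinitely. If the client really cannot do TLS for every request, the usual alternative is to treat the token as a shared secret that is never transmitted after issuance: the client sends a token id plus an HMAC over the request (method, path, timestamp, nonce, body hash), and the server recomputes the HMAC, rejects stale timestamps and refuses any nonce it has already seen. The following is an added example with both sides of that exchange (not code from the question or the asker's system); the header names, the canonical string layout and the 300-second skew window are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Header names are an assumption for this example, not from the question.
H_ID, H_TS, H_NONCE, H_SIG = ("X-Auth-Id", "X-Auth-Timestamp",
                              "X-Auth-Nonce", "X-Auth-Signature")


def canonical_string(method: str, path: str, body: bytes, ts: str, nonce: str) -> bytes:
    """The bytes both sides sign. Hashing the body keeps the string bounded
    and still binds the signature to the exact payload."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, ts, nonce, body_digest]).encode("utf-8")


def sign(secret: bytes, method: str, path: str, body: bytes, ts: str, nonce: str) -> str:
    return hmac.new(secret, canonical_string(method, path, body, ts, nonce),
                    hashlib.sha256).hexdigest()


# ---- client side (the embedded device) ----
def build_headers(token_id: str, secret: bytes, method: str, path: str, body: bytes,
                  now: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Produce the auth headers for one request. The secret never leaves the client."""
    ts = str(int(time.time()) if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    return {H_ID: token_id, H_TS: ts, H_NONCE: nonce,
            H_SIG: sign(secret, method, path, body, ts, nonce)}


# ---- server side ----
class AuthServer:
    def __init__(self, max_skew: int = 300):
        self.max_skew = max_skew
        self.keys: Dict[str, bytes] = {}   # token_id -> secret, handed out over HTTPS
        self.seen: Dict[str, int] = {}     # nonce -> request timestamp, for replay detection

    def issue_token(self, username: str) -> Tuple[str, bytes]:
        """Step 1 of the question: after the HTTPS login, return (token_id, secret)."""
        token_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.keys[token_id] = secret
        return token_id, secret

    def verify(self, method: str, path: str, body: bytes, headers: Dict[str, str],
               now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            token_id, ts, nonce, sig = (headers[h] for h in (H_ID, H_TS, H_NONCE, H_SIG))
            ts_int = int(ts)
        except (KeyError, ValueError):
            return False
        secret = self.keys.get(token_id)
        if secret is None:
            return False
        if abs(now - ts_int) > self.max_skew:      # stale or far-future request
            return False
        expected = sign(secret, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):  # tampered request or wrong secret
            return False
        # Nonces older than the skew window can no longer pass the timestamp check,
        # so they can be forgotten; anything newer that we have seen is a replay.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False
        self.seen[nonce] = ts_int
        return True


if __name__ == "__main__":
    server = AuthServer()
    tid, key = server.issue_token("device-42")          # over HTTPS
    body = b'{"temperature": 21.5}'                     # constructed sample payload
    hdrs = build_headers(tid, key, "POST", "/api/readings", body)
    print(server.verify("POST", "/api/readings", body, hdrs))   # True
    print(server.verify("POST", "/api/readings", body, hdrs))   # False: replay
```

This gives authentication and integrity for each request without exposing the secret on the wire, but it is not confidentiality: the body is still readable by anyone on the path, and the nonce set must be shared across server instances (or scoped per token id) if you run more than one. If the device can afford TLS at all, a single HTTPS channel for every request is simpler and covers all three.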