Hello. What is the best way to achieve application authorization and entitlement in .NET? Earlier, AzMan used to be the standard way. With the advent of the provider model, at least roles are taken care of, but I am not sure about the authorization & entitlement. I am looking at the ability to define and access operation level permissions for r...
I have a simple web page with an embedded Java applet.
The applet makes HTTP calls to different Axis Cameras who all share the same authentication (e.g. username, password).
I am passing the user name and password to the Java code upon launch of the applet - no problem.
When I run from within NetBeans with the applet viewer, I get full...
In this question a user replied that he was able to override the security settings on a shared host. I'm using the same host, but haven't been able to figure out how to change web.config to allow reflection. Is it a one-liner?
I'm using MVC + Nhibernate in my project, but I can't even get an Mvc "new project" template site to work, I su...
As part of a project to create a tool to query all sorts of permissions relevant to users in our area at work, I need to query some information about our database servers. The servers run SQL Server 2005 (including instances of Analysis Services 2005).
I need to be able to find for a given server:
The list of logins on that server
The...
Am I crazy, or is it a bad idea to keep my SMTP username and password for ActionMailer in the actual (development/production) config file? It seems like I should store it in an encrypted place, or at the very minimum, exclude it from my Mercurial pushes.
Right now, I'm just removing the password from my source file before performing a push...
I've created a J2EE application using a set of libraries. Works like a charm. Now it needs to be deployed into production. Our admin is very cautious about execution security and requires the permissions granted explicitly.
Going through all the code and looking up security requirements (especially the custom libraries) is time consuming...
I have a Mothership domain, and if you log into it, a token is created in the database for your login with user Id, created datetime, expiry datetime and user agent. The expiry is set to an hour after the token was made (created when the user logs in).
To be able to log in from Mothership to Scoutship, I append a query string like so
<a ...
I want Captcha image verification.
How can I create it with an ASP.NET form?
...
Hi,
In the code below I am deleting a file from the client PC:
Dim fs
fs = Server.CreateObject("Scripting.FileSystemObject")
'If fs.FileExists(upfile.PostedFile.FileName) Then
fs.DeleteFile(upfile.PostedFile.FileName)
'End If
In the Web.config file, I have configured the trust level also:
<configuration>
<system.web>
<identit...
Hello,
I'm using Spring Security 3.0.2 and I can't find a way to load the roles of the anonymous user from the database (I've got dynamic roles where roles can be given to everyone).
I've tried to use a custom anonymousAuthenticationProvider but this provider is never called. Here is my config:
<http auto-config="false">
<logout invalidate-se...
Hi all,
I'm considering implementing the classic 'remember-me' checkbox on my webapp to allow the authenticated user to be 'remembered' once he returns to visit my website.
Gmail, Facebook and others have this kind of feature but I'm not too sure how secure it can be.
A Java Framework like Spring Security uses a 'Hash-Based Token App...
Hi,
I would just like your feedback on something.
Basically I have a value called $uniqueID which is = ID + First Letter of First Name + First Letter of Last Name + The String "CAN"
I have then turned $uniqueID into a salt value as follows: $salt = sha1($uniqueID);
I have then turned the user's password into a hash value using md5(...
I have a line of code that gets the following error when run through JSLint:
Lint at line 604 character 48: Insecure '^'.
numExp = parseInt(val[1].replace(/[^\-+\d]/g, ""), 10);
This error seems to refer to the following description from JSLint's option page:
"true if . and [^...] should not be allowed in RegExp literals.
These form...
What applications are recommended for SQL Server auditing and, more specifically, fraud investigations?
I need a tool that allows an end user to correlate data values to find fraud patterns. This tool must allow tuning as needed to reduce false positives.
It's also important that it be fairly intuitive. Ideally, once in place it wo...
In the C++ world there is a variety of ways to make an exploitable vulnerability: buffer overflow, unsafe string handling, various arithmetic tricks, printf issues, strings not ending with '\0' and many more. Although most of these problems were solved in Java, there are some things to talk about.
But is there any list of typical C#-specific c...
I have a Java server implementation (TFTP if it matters to you) and I'd like to ensure that it's not susceptible to path traversal attacks allowing access to files and locations that shouldn't be available.
My best attempt at defending so far is to reject any entries that match File.isAbsolute() and then rely on File.getCanonicalPath(...
I've seen some posts regarding access to files on a client machine by a webpage, namely this question.
I'm trying to hop on the "continuously update in the cloud" paradigm for some algorithms I am writing so my users can access the latest versions by simply accessing the webpage. This requires that the program/webpage can start with a ...
There are several useful answers on SO regarding prevention of brute forcing a password of a web service by applying throttling. I couldn't find any good numbers though and I have little expertise in this area, so the question is:
How many attempts does it usually take to brute-force an average password of 6 or more characters (with no ...
Hi,
I have a problem regarding preventing the download and saving of uploaded files.
My users can upload multiple file types like doc, pdf, ppt, etc.
All these file types are easily downloaded if anyone has the URL.
So what is the better way to prevent the download of the file?
Or I convert the uploaded files to some specific format which...
What's the best method for securing connectionstring information in an app.config file for deployed winforms applications?
reference
...