I'd like to be able to dynamically change my Drools authorization rules in Seam at runtime without having to redeploy my application. I've tried the method documented here: http://www.seamframework.org/Community/IsPossobleToModifyJBossRuleSecuritydrlFileWithoutFullRedeploy, which recommends using a rules agent to manage the rules file....
I have a classifieds website, where everybody may put ads of their products.
For each classified, the user has to enter a password (so that they can delete the classified whenever they wish).
So basically, when somebody wants to delete a classified, they click on the classified, click on the delete button, and enter the pass.
I use My...
I've heard that MD5 is "broken" (in the context of password encryption). But I don't understand why! I've read the theory, but can't see it happening in practice...
I have an MD5 hash 99e9446e78aac2056d3903e1adb8fbcd
And a simple bit of code to produce it
$salt="#bh35^&Res%";
$pass="***"; //number of characters is not equal to number ...
I am having a problem with code that worked fine in .NET 2.0 but is giving this error under .Net 4.
Build (web): Inheritance security rules violated while overriding member: 'Controls.RelatedPosts.RenderControl(System.Web.UI.HtmlTextWriter)'. Security accessibility of the overriding method must match the security accessib...
I'm using an HttpWebRequest object to access a web service via an HTTP POST. Part of the requirement is that I:
Verify that the URL in the certificate matches the URL I'm posting to
Verify that the certificate is valid and trusted
Verify that the certificate has not expired
Does HttpWebRequest automatically handle that for me? I'd as...
Hi,
After reading the topic "Is MD5 really that bad", I was thinking about a better solution for generating hashes. Are there better solutions like Adler, CRC32 or SHA1? Or are they even broken?
...
Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials-- on replay of the entire request (including session and auth cookies) the security tester is able to successfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.
What would a mal...
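The distinction the question turns on can be shown with a small in-memory stand-in for the web application. This is an added example, not code from the original post: the app, its routes, the session store and the request objects are all constructed here. It runs the same POST three ways against an app with and without a synchronizer (per-session) CSRF token: the legitimate submission, a proxy replay of the captured request (which includes the token, since Fiddler saw the whole request), and a forged cross-site request, where the browser attaches the session cookie but the attacker's page never learns the token.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the application under test; not the original poster's system.


@dataclass
class Request:
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None  # browsers set Origin on cross-site POSTs


class App:
    def __init__(self, csrf_protected: bool, site: str = "https://admin.example.test"):
        self.csrf_protected = csrf_protected
        self.site = site
        self.sessions: Dict[str, Dict[str, str]] = {}  # session id -> user + csrf token
        self.log = []

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return sid

    def render_form(self, sid: str) -> Dict[str, str]:
        """The real page embeds the per-session token in the HTML form it serves."""
        return {"csrf": self.sessions[sid]["csrf"]}

    def transfer(self, req: Request) -> Tuple[int, str]:
        sess = self.sessions.get(req.cookies.get("session", ""))
        if sess is None:
            return 401, "not logged in"
        if self.csrf_protected:
            # Synchronizer token: must match the one tied to this session.
            if not hmac.compare_digest(sess["csrf"], req.form.get("csrf", "")):
                return 403, "bad csrf token"
            # Defence in depth: reject a POST the browser labels as cross-site.
            if req.origin is not None and req.origin != self.site:
                return 403, "cross-site origin"
        self.log.append((sess["user"], req.form["amount"]))
        return 200, "ok"


def scenario(csrf_protected: bool) -> Dict[str, int]:
    """Run legit / proxy-replay / cross-site-forged requests; return status codes."""
    app = App(csrf_protected)
    sid = app.login("admin")
    form = {"amount": "1000", **app.render_form(sid)}
    legit = Request({"session": sid}, form, origin=app.site)
    # Fiddler replays the captured request byte for byte: cookies AND token.
    replay = Request(dict(legit.cookies), dict(legit.form), origin=app.site)
    # Attacker's page: the browser adds the cookie, but the token is unknown.
    forged = Request({"session": sid}, {"amount": "1000"}, origin="https://evil.example.test")
    return {
        "legit": app.transfer(legit)[0],
        "replay": app.transfer(replay)[0],
        "forged": app.transfer(forged)[0],
    }


if __name__ == "__main__":
    print("with CSRF token:   ", scenario(True))   # forged request is refused
    print("without CSRF token:", scenario(False))  # forged request succeeds: that is CSRF
```

A proxy replay succeeds in both configurations, so replayability on its own says nothing about CSRF; it only shows the endpoint has no one-time nonce or request signing. The CSRF finding is the third request: a cross-site submission that carries only what the browser attaches automatically.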
with a 64 bit long as key and codesign, it's unbreakable, right?
...
I'm building a simple WCF service, probably exposed via HTTPS, using NTLM security. Since not all users are going to be capable of using the service directly, we're writing a simple web front-end for the service. Users will auth with HTML to the web front-end.
What we want is a way to delegate the user of the web site all the way to th...
Well, from the discussion of hashing methods weaknesses, I've got that the only ol' good brute-force is efficient to break.
So, the question is:
Is there a hashing algorithm which is more rigid against brute-force than others?
In the case of hashing passwords.
...
I asked a question yesterday about password safety...
I am new at security...
I am using a mysql db, and need to store users passwords there. I have been told in answers that hashing and THEN saving the HASHED value of the password is the correct way of doing this.
So basically I want to verify with you guys this is correct now.
It i...
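The four password-hashing questions above (the salted-MD5 hash, "is there something better than MD5", "which hash resists brute force" and "hash then store") come down to the same point, so one added example covers them; it is not code from any of the posters. The weakness that matters for passwords is not the MD5 collision attacks but speed: a fast hash lets an attacker who has the stored hash and the salt try guesses at hardware speed, and SHA-1, CRC32 or Adler-32 are no better (the last two are checksums, not cryptographic hashes at all). The salt in the posted code prevents reuse of precomputed tables but does not slow a dictionary attack down at all. The wordlist below is constructed for the demonstration; the stored-record format and the 100,000-iteration count are this example's choices, and `hmac.compare_digest` is used so verification does not leak timing.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist for the demonstration (not from any real breach).
WORDLIST = ["password", "letmein", "qwerty", "summer2010", "hunter2", "s3cret!"]


def md5_salted(salt: str, password: str) -> str:
    """The scheme from the question: md5(salt + password), hex encoded."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def crack_md5(salt: str, target_hex: str, wordlist):
    """Offline dictionary attack against one stored hash.
    The salt is stored next to the hash, so the attacker has it; it only stops
    a precomputed table from being reused across users."""
    for n, candidate in enumerate(wordlist, start=1):
        if md5_salted(salt, candidate) == target_hex:
            return candidate, n
    return None, len(wordlist)


ITERATIONS = 100_000  # this example's choice; tune to ~100 ms on your server


def pbkdf2_store(password: str, iterations: int = ITERATIONS) -> str:
    """What goes in the database: algorithm, iteration count, per-user random salt, hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(fn, seconds: float = 0.2) -> float:
    """Rough throughput of one guess function: the attacker's cost per guess."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        fn()
        n += 1
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    salt = "#bh35^&Res%"  # the salt shown in the question
    target = md5_salted(salt, "summer2010")
    found, tries = crack_md5(salt, target, WORDLIST)
    print(f"salted MD5 cracked: {found!r} after {tries} guesses")
    record = pbkdf2_store("summer2010")
    print("stored record:", record)
    print("verify correct:", pbkdf2_verify(record, "summer2010"))
    print("verify wrong:  ", pbkdf2_verify(record, "hunter2"))
    md5_rate = guesses_per_second(lambda: md5_salted(salt, "summer2010"))
    kdf_rate = guesses_per_second(
        lambda: hashlib.pbkdf2_hmac("sha256", b"summer2010", b"x" * 16, ITERATIONS), seconds=1.0)
    print(f"guesses/sec: md5 ~{md5_rate:,.0f}, pbkdf2 ~{kdf_rate:,.1f}, ratio ~{md5_rate / kdf_rate:,.0f}x")
```

PBKDF2 is in the standard library, which is why it is used here; bcrypt, scrypt or Argon2 are the usual choices where a library is available, and the stored record should carry the algorithm and cost so they can be raised later without a migration.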
You are on a submarine and there is an encrypted message that you want to read. Two people must use their keys at the same time in order to obtain the plain text. What is best cryptographic primitive to use? Are the following two implementations suitable?
plain_text=decrypt(Key1 XOR key2,cipher_text,IV)
plain_text=decrypt(Key1,decrypt...
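Both constructions from the question are worked through below in an added example, not the poster's own code. To keep it standard-library only, the cipher is a stand-in stream cipher built from HMAC-SHA256 in counter mode; that is this example's assumption and a real system would use an authenticated cipher such as AES-GCM. The shares are produced by a two-of-two XOR split of one master key, so each share on its own is uniformly random and neither officer can decrypt alone.

```python
import hashlib
import hmac
import os

# Stand-in cipher (HMAC-SHA256 in counter mode), assumed for this example so it
# runs offline. Not a replacement for AES-GCM; the key-handling logic is the point.


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # a stream cipher is its own inverse


def split_key(master: bytes):
    """Two-of-two split: key1 is random, key2 = master XOR key1.
    Either share alone is indistinguishable from random."""
    key1 = os.urandom(len(master))
    return key1, xor_bytes(master, key1)


# Construction 1 from the question: plain_text = decrypt(Key1 XOR Key2, cipher_text, IV)
def decrypt_xor(key1: bytes, key2: bytes, ct: bytes, iv: bytes) -> bytes:
    return decrypt(xor_bytes(key1, key2), ct, iv)


# Construction 2 from the question: plain_text = decrypt(Key1, decrypt(Key2, cipher_text, IV), IV)
def encrypt_nested(key1: bytes, key2: bytes, pt: bytes, iv: bytes) -> bytes:
    return encrypt(key2, encrypt(key1, pt, iv), iv)


def decrypt_nested(key1: bytes, key2: bytes, ct: bytes, iv: bytes) -> bytes:
    return decrypt(key1, decrypt(key2, ct, iv), iv)


def demo(message: bytes = b"constructed sample message for the example") -> dict:
    """Show that both constructions work with both shares and fail with one."""
    iv = os.urandom(16)
    master = os.urandom(32)
    key1, key2 = split_key(master)
    ct = encrypt(master, message, iv)           # encrypted once with the master key
    ct_nested = encrypt_nested(key1, key2, message, iv)
    return {
        "xor_ok": decrypt_xor(key1, key2, ct, iv) == message,
        "xor_one_share_fails": decrypt(key1, ct, iv) != message and decrypt(key2, ct, iv) != message,
        "nested_ok": decrypt_nested(key1, key2, ct_nested, iv) == message,
        "nested_one_share_fails": decrypt(key2, ct_nested, iv) != message,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical difference is where the combined secret exists: with the XOR form some component must hold Key1 XOR Key2, which is the full master key, so it must be combined inside the trusted decrypting device; with the nested form each holder can apply their own layer in turn and neither ever sees the other's key. For more than two people, or a k-of-n policy, the XOR split generalises to Shamir secret sharing rather than to more nesting.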
Given an ASP.NET MVC Controller class declaration:
public class ItemController : Controller
{
public ActionResult Index()
{
// ...
}
public ActionResult Details()
{
// ...
}
[Authorize(Roles="Admin, Editor")]
public ActionResult Edit()
{
// ...
}
[Authorize(Roles="Admi...
I have client apps that talk to my silverlight application and its web services. So the client app is running on the client machine and making calls directly to the silverlight app running on the machine and also making web service calls.
I want the usernames/password security to be handled by the 3rd party client app.
Any idea how I ...
How to add security identity (certificate + private key) to iPhone keychain?
I have a .p12 file in the application. I can get the identity from it using SecPKCS12Import() but
when I try to do the following:
NSMutableDictionary *secIdentityParams = [[NSMutableDictionary alloc] init];
[secIdentityParams setObject:(id)kSecClassIdentity forKey:(i...
Hi All. I have started a project based on client-server communication in Java. What I'm doing is client and server have their own self-signed certificates. In initial communication both client and server will exchange their certificates. Server has to verify the client's certificate and should grant authentication. Where I got stuck was on what...
We have an application which uses an instance of Sql Server locally for its backend storage. The administrator windows login has had its sysadmin right revoked, and instead two sql logins have been created; one for the application with a secret password and one read only login we let users view the raw data with.
This was working fine u...
How does one secure the Java environment when running on a machine you don't control? What is to stop someone from creating a java agent or native JVMTI agent and dumping bytecode or re-writing classes to bypass licensing and/or other security checks? Is there any way to detect if any agents are running from Java code? From JNI? From...
I want to create a WindowsIdentity for a given user. I don't need it for impersonation, just for group membership checks. I need it to work with and without a domain (none of that S4U Kerberos delegation stuff). The constructor for WindowsIdentity that takes a username only seems to work for domain scenarios.
Is there any other way I ca...
Hi
I need to establish an HTTPS 2-way SSL connection from my iPhone application to the customer's server.
However I don't see any secure way to deliver the client side certificates to the application (it's an e-banking app, so security is really an issue).
From what I have found so far the only way that the app would be able to access th...