I realize you can't get the target entity in the Attribute itself, but what about in an associated Permission object when using a CodeAccessSecurityAttribute? The Permission object gets called at runtime so it seems there should be a way but I'm at a loss.
public sealed class MySecurityAttribute : CodeAccessSecurityAttribute
{
public ...
I'm using ASP.NET Membership and noticed there isn't a method in the Roles class to modify a role (its name for instance), only to create and delete them.
Is it possible, or is it not supported?
EDIT: @CheGueVerra: Yes, nice workaround.
Do you know (for extra credit :) ) why it's not possible?
...
I'm working on deploying a small community site. User registration requires nothing more than a username, email address, and password. I'm not even asking for a name, and certainly not storing any sensitive data.
Should I still invest in an SSL certificate? Would it be considered terrible practice to transmit a user's password without o...
I give users a special URL with an access key in it. Users accessing the public page via this special URL should be able to see some additional data compared to a simple anonymous user.
I want to give some additional role to the anonymous user based on parameters provided in the request so I can do something like this in my template:
<@sec.author...
During the course of our application login several queries are run, all around validating the login. In evaluating them I noticed that one of the queries is run without the NOLOCK hint.
There does not seem to be any particular danger of dirty read because the data would hardly ever change.
Thinking about it from an attempted DOS...
We currently have a custom authorization service built on .Net technologies. We are working with our Business Intelligence team to try and find a way to integrate these authorization services with our arcPlan Enterprise reports so that we can have a consistent mechanism for implementing authorization. I have very little understanding a...
So here's my current code:
List<string> rowGroups = GetFileGroups((int)row.Cells["document_security_type"].Value);
bool found = false;
System.Security.Principal.WindowsPrincipal p = new System.Security.Principal.WindowsPrincipal(System.Security.Principal.WindowsIdentity.GetCurrent());
foreach (string group in rowGroups)
{
if (p.IsInR...
Hi,
Trying to access my WCF on a server from my client console application for testing.
I am getting the error: The caller was not authenticated by the service
I am using wsHttpBinding. I'm not sure what kind of authentication it is expecting?
<be...
In a project I'm starting I would like to give privileges to users based on certain conditions, eg (in a certain table):
can READ all rows
cannot WRITE to rows with id < x, but can WRITE to row >= x
etc...
I would like to avoid views as these conditions might change for each user (I understand I would have to create a view for each c...
The Win32 API call RegisterTypeLib() is used to create the registry keys necessary to register a type library.
Unfortunately, on Windows XP, it tries to write those registry key entries to
HKEY_CLASSES_ROOT\TypeLib
rather than
HKEY_CURRENT_USER\Software\Classes\TypeLib
Meaning that a standard user will not be able to run an Activ...
Hi,
I like the idea of CardSpace but unlike OpenID it seems like a real PITA
to support it in your ASP.NET web application. I've found many examples, even a tutorial
in one of the books I own... but it would seem a lot more is required than what they suggest.
Changes to the server and such?
Can someone tell me:
What I need to confi...
I've inherited a web app that I've just discovered stores over 300,000 usernames/passwords in plain text in a SQL Server database. I realize that this is a Very Bad Thing™.
Knowing that I'll have to update the login and password update processes to encrypt/decrypt, and with the smallest impact on the rest of the system, what would you ...
If a hacker has access to the hashes in my DB, he has access to the rest of the information in the DB anyways. So why would he bother trying to decrypt the passwords? Should I be storing the passwords on a different server to the rest of my data? That is the only scenario in which I can envision it being useful.
...
I am attempting to log user activity for a couple of internal websites as well as our SharePoint sites. I use JavaScript to make a call (GET) to an ashx page (HTTPHandler) that returns a 1x1 invisible GIF. The HTTPHandler grabs the referring URL, browser info, IP address, the action (sent as a QueryString), and (the part I'm struggling with)...
When do you call Microsoft.Security.Application.AntiXss.HtmlEncode? Do you do it when the user submits the information or do you do when you're displaying the information?
How about for basic stuff like First Name, Last Name, City, State, Zip?
...
I've got some code that basically does:
GetNamedSecurityInfoW (<some file>,dacl only)
build a new ACL with the info from #1 and an additional ACE to allow local Administrators full control
SetNamedSecurityInfoW (<the same file>,the new dacl)
The dacl from #1 contains 4 ACEs:
grant: mask(0x001F01FF), flags(0x00000010): S-1-5-18 (NT A...
I'm advising a friend who manages a SQL 2k5 box that has several users who have dbo access to multiple databases. The problem is:
These users haven't had their passwords changed for some months,
These users put their IDs into applications and the applications run as DBO.
So - aside from the obvious dbo rights to add/update/delete tab...
Hi,
If you use a GUID as a password for a publicly facing application as a means to gain access to a service, is this security through obscurity?
I think the obvious answer is yes, but the level of security seems very high to me since the chances of guessing a GUID are very, very low, correct?
Update
The GUID will be stored in a device,...
I've decided to attempt using the double submitted cookies technique to attempt to prevent XSRF attacks on the site I'm working on. So the way I have it written down here is, all actions that actually DO something other than GET information, will be posts. Gets will be...uh...GETs. Secondly, every form that posts will have the key/coo...
I have only recently started working with the MVC approach, so I suppose this is an easy one for you gurus here:
Where do I put access control?
In a view? I don't want to have any logic besides switches and flags in my templates, so that sounds like the least viable option
In the model? Should each business object decide what data it ...