My web app has a secure area which users log in to via a JSP. The JSP posts the user name and password to a servlet, which then checks to see if the user's credentials are valid. If they are valid then the user is directed to the secure resource. How can I ensure that users can't just navigate to the secure resource without validating ...
Is hashing a password twice before storage any more or less secure than just hashing it once?
What I'm talking about is doing this:
$hashed_password = md5( md5( plaintext_password ) );
instead of just this:
$hashed_password = md5( plaintext_password );
If it is less secure, can you provide a good explanation (or a link to one)?
A...
This is silly, but I haven't found this information. If you have names of concepts and suitable references, just let me know.
I'd like to understand how should I validate a given named id for a generic entity, like, say, an email login, just like Yahoo, Google and Microsoft do.
I mean... If you do have a user named foo, trying to crea...
Is there any built-in utility or helper to parse HttpContext.Current.User.Identity.Name to get separately domain name if exists and user?
Or is there any other class to do so?
I understand that it's very easy to call String.Split("\") but just interesting
...
I've recently used our company's spare laptop (that has a general user set up) while mine was being repaired. I've checked the "remember password" option in SQL Management studio when logging in to the database. I need to clear the login and password information that I have used to prevent the next person that will use the laptop from u...
Anyone know a good lib where I can run the strings before they are inserted, that can strip out sql/javascript code? To be run in jsp pages.
Ideally the lib would be:
Free
Lightweight
Easy to use
Thanks in advance to the SO community who will happily reply :)
...
Is there a Rails plugin or a rubygem that gives you a starting point for adding an API to your Rails app? We want to use the API Key/Secret Key model, the API should also be versionable. Is there something out there that will give us some, if not all of this?
...
I have subversion repositories that are working fine with password authentication required for all users. My config is posted below. How do I go about modifying this configuration so that I can allow a single user to have read-only access to one of my repositories?
The example provided needs to work with SVNParentPath not SVNPath. The ...
What's the best way to let third-party users work on your website? We have our site in SVN. Do we just give them SVN access, let them check in code, and then I push to dev - and then to production?
...
As a glutton for unproven sexy techniques I've adopted System.Web.Routing in my Web Forms application to manage navigation and such. Further, I'm hoping to move role-based security from web.config to the route definitions itself so I can say "this route is only available to roles x, y".
So I've got the class that implements IRouteHandl...
I am running two different sites on two different servers with two different domains. One site is running Joomla, the other Moodle. I have configured the Moodle server to base its authentication on the users table on the Joomla site, so we have an authoritative source of user information.
What I'd like to do is this: after someone signs...
I am new to SQL Server, and I have been tasked with setting permissions on a remote server. What I need to do is limit the domain admin from having access to any of the DBs on a particular server. How can I accomplish this?
...
I am doing my best to design my web app with good separation between the layers. I am using the repository pattern and as such have a SQLObjectRepository which is called by my ObjectService which is called by my Web front end.
In my object model, the user is associated with one or more regions which should filter the objects they shoul...
I'm implementing some rudimentary SQL Server monitoring to watch for excessive blocking.
I have a stored procedure that looks like this:
CREATE PROCEDURE [dbo].[bsp_GetBlockedProcessCount]
AS
BEGIN
SET NOCOUNT ON;
DECLARE @count INT
SELECT @count = COUNT(*)
FROM master.dbo.sysprocesses WITH (NOLOCK)
WHERE blocked ...
I have an application that is using Windows Authentication and a SqlRoleProvider for user authentication and role management respectively. It is working fine with my test users that I have added to the database as defaults. The application requires users to login (using Windows credentials) and then be able to use this internal applica...
I just saw this question:
Understanding .NET’s “SecurityAction” parameter for permissions
And I have a question. With the following code:
private void button1_Click(object sender, EventArgs e)
{
Layer1();
MessageBox.Show("OK");
}
private void Layer1()
{
try
{
Layer2();
}
catch (SecurityException)
{...
Anyone have suggestions for security auditing of a .NET Web Application?
I'm interested in all options. I'd like to be able to have something agnostically probe my application for security risks.
EDIT:
To clarify, the system has been designed with security in mind. The environment has been set up with security in mind. I want an in...
Hi,
I want to store some information in the EPROCESS structure of the process in the Windows NT kernel. My aim is that when winlogon is called I want to assign a unique value to the next process based on which user logs in. But I do not know where to store this unique ID. I have tried and succeeded in modifying some information (like the t...
I have an IIS6 web server (on Win2003) that is having a strange behavior which I guess is some undocumented "feature" ...
It serves SVG files (extension .svg) without having it registered on the IIS metabase. It does not have the * mime type either.
For this request:
GET /basic/file1.svg HTTP/1.1
the response contains
HTTP/1.1 200 OK
Co...
Hi,
We are having some issues getting SharePoint to work as we want it to.
We have an enterprise MOSS configuration on our domain and have the entry http://intranet pointing to it on port 80.
We also have another site collection and have pointed an internet domain name http:/nww.oursector.nhs.uk at it. We have done this to allow those...