What's the best way to authenticate and track user authentication state from page to page? Some say session state, some say cookies?
Could I just use a session variable that has the ID of the user and, upon authentication, instantiate a custom User class that has the user's information? Then, on every page, verify the session variable is...
The WS-Discovery specification explains how to protect your network from
message alteration
denial of service
replay
spoofing
but what about man-in-the-middle attacks?
...
With Symfony's Action Security, if a user has not been identified he will be forwarded to the default login action as defined in the application's settings.yml file. How would I forward the user to the originally requested action after the user is successfully authenticated?
...
Under many operating systems Unix-domain sockets allow a process to reliably pass its credentials to another process in a way that can't be maliciously subverted. For instance, this is done on Linux through the SO_PASSCRED and SO_PEERCRED options, on FreeBSD by passing messages that include the cmsgcred structure, and on NetBSD by setti...
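The Linux side of what this post describes, as an added example that is not part of the original post: the server end of a Unix-domain socket asks the kernel for the peer's credentials with SO_PEERCRED, and the kernel fills in a struct ucred that the peer has no way to forge. The socketpair below stands in for a client that connected over a named socket, so the observed peer is this process itself; the "allowed uid" value is an assumption for the demonstration. One caveat a practitioner should keep in mind: the credentials are those in effect at connect/listen/socketpair time, and the pid in struct ucred can be recycled after the peer exits, so authorisation decisions belong on uid/gid, not on the pid.

```c
// Added example (not from the original question). Linux-only:
// struct ucred and SO_PEERCRED are Linux APIs, hence _GNU_SOURCE.
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Ask the kernel for the credentials of the process on the other end
 * of a Unix-domain stream socket. Returns 0 on success, -1 on error. */
int peer_credentials(int fd, struct ucred *out) {
    socklen_t len = sizeof(*out);
    memset(out, 0, sizeof(*out));
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) != 0)
        return -1;
    return 0;
}

/* The check a server would run on an accepted connection: admit the
 * peer only if its effective uid is the one we allow. The uid comes from
 * the kernel, not from anything the client sent, so it cannot be spoofed.
 * Decide on uid, not pid: the pid may be reused once the peer exits. */
int peer_uid_allowed(int fd, uid_t allowed_uid) {
    struct ucred cr;
    if (peer_credentials(fd, &cr) != 0)
        return 0;
    return cr.uid == allowed_uid;
}

/* Self-contained demonstration (constructed input): a socketpair stands in
 * for a client connected over a named socket, so both ends belong to this
 * process and the peer credentials must match our own pid and effective
 * uid. Returns 1 when the check admits our uid and rejects a different
 * (assumed, hypothetical) uid, 0 otherwise. */
int demo_peercred(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    struct ucred cr;
    uid_t me = geteuid();
    uid_t other = me + 1;   /* assumed "some other user" for the negative case */
    int ok = peer_credentials(sv[0], &cr) == 0
          && cr.pid == getpid()
          && cr.uid == me
          && peer_uid_allowed(sv[0], me)
          && !peer_uid_allowed(sv[0], other);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void) {
    int ok = demo_peercred();
    printf("SO_PEERCRED check %s\n", ok ? "passed" : "failed");
    return ok ? 0 : 1;
}
```

On a real server the fd passed to peer_uid_allowed is the one returned by accept(2) on the listening Unix socket; the FreeBSD and NetBSD mechanisms mentioned in the post carry the same information but through ancillary messages rather than a socket option.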
I have an existing bare git repository located in /home/myaccount/git/project. I am currently using it over ssh from my local machine without any problems. I want to add a second user on the server which shall only have access to this git repository (maybe move the repo outside my account folder?). How? Using the latest version of git and Ubuntu ...
My company has been evaluating Spring MVC to determine if we should use it in one of our next projects. So far I love what I've seen, and right now I'm taking a look at the Spring Security module to determine if it's something we can/should use.
Our security requirements are pretty basic; a user just needs to be able to provide a usern...
There are some rumors floating around that the team at my company will soon be using web services for all future application development. The architecture is supposed to be something like this:
Application --> Web Service --> Database
The stated reasoning behind it is security. This sounds like a huge waste of time for little if any ...
Hi,
If you have a web application that will run inside a network, it makes sense for it to support Windows authentication (Active Directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with Windows security...
Is it possible to mix all these access controls in one site?
I have a requirement saying
a) Users from the AD must be allowed access, using integrated security
b) Users from some other AD must be allowed access; potentially by logging in
c) Users not in the ADs should be able to create a new account on the site.
Now, of course, ...
I have a web application which I deploy in Tomcat. I want to secure all pages under the URL path administration/*.
I have set up container-managed security by entering the following snippet in the web.xml file:
<security-role>
    <role-name>administrator</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method> ...
How do you make the authentication for a browser-based application dependent on the client machine? Say the admin can login only from this machine.
Assumptions: There is complete control over the network and all machines (client and server) involved.
I am looking for an Apache/Linux solution.
...
Recently the company I work for was asked to pitch for the creation of a forum targeted at children as part of a website solution.
I think that at the least we should recommend
Human moderation by a trained individual to protect these kids
Code alarm / suspicious analysis into the forum
How has anyone else tackled this and what Ideas do o...
As a developer, I've learned that I usually gain a better understanding of best/worst practices through experience. The area of web application security isn't really somewhere where my organization can afford to let developers learn through trial and error.
So looking for a hands-on approach to knowledge sharing of best practices in ...
I have been a .NET developer for the past three years. Just curious to know about the network security field. What kind of work do the developers working in this area do? I really have not much idea about network security, but my understanding is that these people are involved in securing networks, preventing attacks on the network as obviou...
I normally would create a limited-rights user and run the process under that, but the fact that pools automatically created under IIS7 in 2008 use this account makes me think that this is perfectly safe, and possibly more so than something I create? The whole Secure By Default push from Redmond would lead me to believe this is the case.
...
If I have 2 terminals A and B. T-A is connected to T-B over a secured socket connection. I need to write code to implement a connection between the 2 terminals.
How do I do the handshake for such a connection using a keystore and truststore? In other words, where do I place the keystore/truststore certificate file? (T-A or T-B)
Any good advice or good example ...
Hi,
If someone logs on to my application, this user contains a dictionary with certain permissions.
ex: module.view.workspace = true
module.view.reporting = false
...
Then we know to what parts of the application the user has access.
What I want to know is how we can apply these permissions on the view.
We are working in an AS...
I've got some MBean operations that I need to secure. I would like the users to be required to log in as the server admin, and I would like this to be set up programmatically or, preferably, by a config file in the WAR when the app is deployed. I want to avoid requiring the admin to set this up as a deployment step.
We're running glassfish...
After reading the proper article in MSDN and related stackoverflow.com questions here, I finally return to the community.
To which extent can a strong-named assembly be verified to avoid tampering?
Is it possible to use strong-naming to verify an assembly author?
The first question arises after reading this CSharp411 article, which ...
Hi,
In a multi-server environment, users will be able to use a page to put, update or delete files on the servers. I was considering using a webservice (on each server) called by the IIS thread to do that work (with an aspx management page).
However, for obvious reasons, I don't really want anyone to be able to call that webservice (by...