In JEE security, if a user tries to access a secured resource, they are redirected to the login page. After a successful login they are redirected to the previously requested secure resource.
Is it possible to redirect the user to a specific page, in my case the application entry page?
Something equivalent to Spring Security's default-target-url...
Is it possible to ensure that GET/POST requests to a particular URL of my App Engine app, AJAX or not, can only be made from within the app and not from outside, i.e., all requests from other domains have to be rejected?
Possible?
...
I have a working .NET 2.0 add-in that takes an AppDomain created by an external application and applies a user-defined security policy (PolicyLevel) by using the AppDomain.SetAppDomainPolicy() method. However, this method is obsolete in .NET 4.0 and fails at runtime. Here is some sample code:
AppDomain domain = ExternalApplication.GetAppDomain...
Before the contract with the software vendor expires, we need to secure the existing applications they developed and be ready to anticipate problems without any help and support from the software vendor.
Besides the source code, what should I know/ask/get from the software vendor?
(Just in case you want to know why we decide to stop the contract, beca...
Hi,
I'm building a Cocoa application that modifies a file on the user's operating system which requires admin permission. I have a proof of concept working which uses authopen but it doesn't deliver the UX experience I am hoping to achieve. Every time the file is modified it prompts the user to enter their password. Is there a way to h...
This might sound super crazy but I really want to know if this can be done.
Assume a multi-user site that gives users some tools to build web apps from the site itself (using only HTML/CSS/JS) and share them. Now, if each of the apps were to be assigned a datastore, say just a table for convenience, is it possible to make secure query/i...
I have a legacy .NET 2.0 Windows Form application that contains a form that uses a component model BackgroundWorker component.
The event handler for the DoWork event makes a call to WindowsIdentity.GetCurrent() to retrieve the identity of the user and then utilizes the Name of the identity. Recently, the call to WindowsIdentity.GetCurre...
Snoop allows you to look inside the application and change element properties.
It's a great asset for developers, but can be a security issue in some cases, like when we have users who like to look in places where they shouldn't be looking. Is there a way to do something to block applications like Snoop from "snooping" your application?
...
For a password protected site, is there a way to allow users to log in to the site multiple times as long as it's on the same computer (even in different browsers)?
One way I have thought to do it is always send MAC address on login, but that's not available in browsers. Is there some other way of doing this?
...
Hi,
My team is trying to build an Android application for a tablet that will be dedicated for this sole purpose. One of the requirements is that the application is the only thing running on the device (at least from the user's point of view). The user should not be able to close it or use any other functionality from the OS (settings, ...
I'm attempting to make a XML-RPC call that requires HmacSHA-256 hashing of a particular string. I'm currently using the Jasypt library with the following code:
StandardPBEStringEncryptor sha256 = new StandardPBEStringEncryptor();
sha256.setPassword(key);
sha256.setAlgorithm("PBEWithHmacSHA2");
On trying to use sha...
I was talking with one of my programmers earlier and he showed me a piece of code he was considering:
foreach($_REQUEST as $var=>$val) {
$$var = addslashes($val);
}
He wanted to be able to use $varName instead of having to write $_REQUEST['varName']
I advised him to use the mysql_real_escape_string instead of addSlashes and to no...
I'm involved in a kind of work where I think knowledge about large-scale applications and the large-scale web will help me a lot. What do you think I should take? I mean books to read, courses to take, etc.
Thanks in advance for any suggestion.
PS: maybe the applications I mean are not large enough :D, a kind of social network for >100k users or rea...
CODE_DESC: "This web-accessible script will list security recommendations after scanning available PHP configuration variables and functions for common exploit vectors."
SOURCE_CODE:
http://php-security-audit.com/scripts/view/php_security.php
Will this PHP harm/modify/etc. my system if run?
...
The following small line throws a System.Security.SecurityException: Requested registry access is not allowed:
RegistryKey _key = HKLM.OpenSubKey("path\\to\\my settings", false);
Now, what's the point, some would ask? The point is that this runs ONLY when I am logged on. The exception is thrown if the program runs as scheduled task an...
Hi!
I have a WCF service that needs to handle the following:
1 Service
Regular TCP Endpoint
Secured customUsernamePassword Endpoint
Secured Windows Endpoint
The system.serviceModel section looks like this:
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<behaviors>
<s...
Is it possible to increase the number of login attempts before blocking an account for a certain user or role in Drupal? (not for all users)
Or even never block a certain user regardless of number of login failures?
Thanks.
...
We are testing using security realms with our web application. In test we will be going against Microsoft Active Directory. Production will go against a custom realm. I have this working great in Tomcat, but can't seem to get this working in WebSphere. I have created a Security Domain (foo-ldap) within WebSphere that can connect to th...
Hi,
I was wondering which of these networks you would feel most comfortable logging into, e.g., your bank account, and why:
3G mobile phone connection
University campus LAN
University campus Wi-Fi, WPA
University campus Wi-Fi, no encryption. Proxy login
Does the choice matter if the site uses SSL? Won't that encrypt the login info anyway? ...
I would like to create a web site with many images. But I would like to protect against direct access to images, e.g. direct links to images without visiting the web site.
What is the preferred way to do this? And what are the alternatives, with pros and cons?
I have some ideas (I don't know if they are possible):
File permissions
PH...