I have a Java web application designed to be deployed on the internet. It needs a database connection. Depending upon hosting environments it may not be possible for the deployers of the web application to configure appropriate data sources so the application needs to store its database connection information somewhere to be reloaded if...
Hi
I am implementing security on a contact-based smart card which follows the SCOSTA template. In the card structure, EF is directly under DF and DF is directly under MF. According to the template I am implementing security on the elementary file (both SAC and SAE attributes are specified at time of creation in the FCP) according to security condition read an...
I am using ASP.NET and my users need to upload private pictures to my server. These pictures cannot in any way get spread, so I need to protect them in some way. What is the easiest way to protect them from public use so only the authorized user can reach them?
Thanks!
...
I'm writing a simple proof-of-concept webservice client using the JBoss-WS library. I need to send messages to a remote service that requires a <Security> header with a <UsernameToken> element.
I would like to add this header in the most JAX-WS-kosher way, without having to manually add XML elements by hand, without having to read in a ...
We're writing a feature that will allow our users to "attach" things like Word documents, Excel spreadsheets, pictures, pdfs to documents in our application - just like email.
We don't, however, want to allow them to attach .exe, .bat, .reg files, or anything else that might harm them if they opened it - so we're proposing to have a whit...
Is filter_var any good for filtering data? What kind of bad data will it filter? I do use mysql_real_escape_string but I wonder if adding filter_var will help?
...
I'm trying to develop a file uploading module on our new site that allows you to upload any file to our servers. The uploaded file is uploaded to /files, in which the following .htaccess is used to prevent users from executing, i.e., a .php file:
# Serve every file in this directory as an opaque binary download
<Files *.*>
ForceType application/octet-stream
</Files>
This triggers the browsers download window (a...
Listening to Scott Hanselman's interview with the Stack Overflow team (part 1 and 2), he was adamant that the SQL server and application server should be on separate machines. Is this just to make sure that if one server is compromised, both systems aren't accessible? Do the security concerns outweigh the complexity of two servers (ext...
We have a scenario in which we like to detect when the user has left our site and immediately expire their .Net session. We're using Forms Authentication. We're not talking about a session timeout, which we already have. We would like to know when a user has browsed away from our site, either via a link, by typing in an address or follow...
We have a service using WCF and Impersonation.
A user can log in to the client application with credentials that are part of an Active Directory system.
The user's login is impersonated service-side.
This works fine when the user who logged in is set up as a Local Admin on their host machine.
But a problem occurs when they are a non-...
If I am evaluating a Python string using eval(), and have a class like:
class Foo(object):
    a = 3
    # Read the class attribute through the instance so the method actually runs
    def bar(self, x): return x + self.a
What are the security risks if I do not trust the string? In particular:
Is eval(string, {"f": Foo()}, {}) unsafe? That is, can you reach os or sys or something unsafe from a Foo instance?
Is eval(s...
In my application I am allowing users to upload their CSS style sheets so they can be applied to templates. The CSS is written as an internal style sheet, because at this time I would not like to expose the CSS style sheet to other users.
That creates room for users to include malicious code into the css file. Initially my plan was to conv...
Hi,
I'm working with ASP.NET 2.0, and I have a folder in my application path ~/Data/ with some .mdb files.
I would like to protect this folder from external requests like http://www.whatever.com/Data/whatever.mdb
But I would need to give permission to my application, because I'm using OleDBConnections against the ~/Data/ path.
What ...
I have code running in an ascx within a PageLayout within SharePoint 2007 that accesses files on a remote server, i.e. File.Create("\servername\sharename\folder\file.txt"). The code runs within a SharePoint web application that has CAS trust set to Full in the web.config. The File.Create throws the following exception:
System.Unauthoriz...
Hello,
I'm trying to determine the most secure method for an ajax based login form to authenticate and set a client side cookie. I've seen things about XSS attacks such as this:
http://stackoverflow.com/questions/27972/are-httponly-cookies-a-viable-option-for-an-ajax-website
and
http://www.codinghorror.com/blog/archives/001167.html
...
Can a single WCF Service endpoint be set up to authenticate against multiple Authentication stores? i.e. if UserName and Password supplied check Custom DB, otherwise try Windows Auth.
Background:
I have WCF Service A which is injected with a client proxy to WCF Service B. Service B could have a dependency on Service C etc.
A User requ...
My company is building a medical application. We would like to utilize Silverlight 2.0/3.0. Because of HIPAA laws, security is at the top of the list and we can't make mistakes here.
What makes or doesn't make a WCF call secure in the context of using Silverlight?
...
I need to build a simple webservice to get data in and out of an HR system over the Internet (it's a hosted solution). I am using IIS and ASP.NET with .NET 2.0.
Having looked into it, there are several ways of making the webservice secure - I am after some advice on which method to choose, with some views on pros and cons.
These are th...
I can't believe I'm the only person to run up against this problem. I've been googling for hours and have not had any luck. The Java security documentation doesn't seem to address PKCS12 certificates thoroughly.
I am trying to set up Java for user-specific PKCS12 certificates. Among other things, this will be used so that, in Eclipse, ...
I'm working on an application in ASP.NET, and was wondering specifically how I could implement a Password Reset function if I wanted to roll my own.
Specifically, I have the following questions:
What is a good way of generating a Unique ID that is hard to crack?
Should there be a timer attached to it? If so, how long should it be?
...