security

How can "Modified By" be changed when using RunWithElevatedPrivileges?

We have a web part that uploads a document to a document library. The user uploading the document may not have access to the destination location, so the code adding the file executes within a RunWithElevatedPrivileges block. This means the "Modified By" field is always set to System Account. Here is the code: SPSecurity.RunWithElevated...

How to ensure that a table was not tampered with in SQL Server 2008?

I need a simple but reliable mechanism to ensure that a table was not tampered with in SQL Server 2008. The assumption is that a hacker can access and control only one of the servers (application or database) but cannot access both. Any links or suggestions will be greatly appreciated. Clarification. "Tampering" here means ability to upda...

Options to Protect ClickOnce from URL hijacking

What are the mechanisms to protect the manifest URL created to launch the ClickOnce application (online only)? e.g. http://www.myworld.com/myapp/OnlineClkOns.application?param1=4579087786575 Option I have to generate this URL on the fly and also have a check within the application to ensure not more than one instance of the application is ru...

Unified authentication library

The idea of unified authentication behind a single API like PAM is very attractive to me. However, PAM seems to be more oriented toward shell authentication and offers a rather limited set of features from its API and requires system-wide configuration from a file. I'm looking for something like this for a CGI (C language) web interface t...

Password checking boilerplate

I have some server side code that needs to check a username/password pair. I'm looking for something to do this that is nice and simple, as in having a text file with username/MD5 hash pairs. I'd love the code I use to look like this: if(!PasswordChecker.ValidLogin("passwords.dat", username, password)) throw new Exception("Invalid usern...

Secure programming in dynamic languages

Mistakes in memory management in C, C++, and their ilk are well known. I mostly program in dynamic, weakly typed languages. Are there issues which are particularly important in languages of this type? What language specific issues might I keep an eye out for? I'm generally mindful of standard security issues, and try to think about the ...

Japan Form Encryption Law

I've heard that Japan has a law that stipulates that all pages that contain forms with personal information must be SSL-encrypted. For example, under this law, a simple contact form with "name" and "email address" fields would need to be encrypted. Is this true? Does anyone have a link to the details of this law (Japanese language...

ReflectionPermission Exception

I am currently working on an application using WPF and MVVM. Now if I go to another user's machine and try to launch my app, I get an Exception due to missing ReflectionPermission at BindToMethodInfo(Object, RuntimeMethodHandle, RuntimeTypeHandle, DelegateBindingFlags) in mscorlib. Now my question is, what exactly requires the Reflectio...

Secure captive portal?

We would like to run a wireless access point for public use. However, in case of misbehavior, we would like some personal information to be able to pass on to law enforcement. The proposed solution involves a captive portal where users enter their email addresses, and are then given ten minutes to check their email and verify, after whi...

Can I make my ASP.NET FormsAuthentication cookie more secure by associating it with the session ID?

We've noticed that it's possible to recreate a copy of an ASP.NET FormsAuthentication cookie on another machine, allowing the second machine to authenticate without needing to log in. One suggested solution to this has been to store the session ID within FormsAuthenticationTicket.UserData and to check that the two values match inside Ap...

Grails 1.0.4 with Acegi 0.4.1 upgraded to Grails 1.1 and Acegi 0.5.1 with problems!

Hi guys! I upgraded my Grails 1.0.4 application to 1.1. I also upgraded from acegi 0.4.1 to 0.5.1! I had some problems but I'm working on it and I think this is my last problem. When I start my grails application I get the following error message: loading security config ... ...

How to detect which web service protocol an ASP.NET request is using?

I have an ASP.NET (1.1) web service which authenticates clients using a SoapExtension.ProcessMessage(SoapMessage) override as described in: http://www.codeguru.com/columns/experts/article.php/c5479 However, if the web.config is not set up such that HttpSoap is the only protocol allowed, then ProcessMessage will never get called for requ...

SSL to log in, regular http after that... how vulnerable is the data transferred from the database?

Hi all, I roamed the site for this question using the search engine, and I don't think it's out there. If it is, apologies in advance and feel free to point me to it. Here is my scenario: I am setting up a web application, Moodle if anyone is familiar with it, with Apache, MySQL, and PHP on Windows. Moodle supports enabling SSL for ...

Can you recommend me a book about authorization architecture and associated paradigms?

I come from an ASP.NET background and find the entire roles based authorization scheme limiting to say the least. I've read about Microsoft's new Identity Model and the Geneva Framework with its Claims based architecture but it seems overly complex. In general, I'd like to know more about possible authorization architectures to find out...

How to tell what account my webservice is running under in Visual Studio 2005

I'm going a little nuts trying to understand the doc on impersonation and delegation, and the question has come up what account my webservice is running under. I am logged in as myDomainName\johna on my development workstation called JOHNXP. From Vstudio2005 I start my webservice via Debug and the wsdl page comes up in my browser. From T...

Where can I get a security code review for free?

Dear Abby, I've been working on a PHP website which utilizes a MySQL database (using PDO). I would just like to know that it is secure before I go ahead and release it to the public. It is a free, non-profit website so I don't really plan on making money from it and therefore I would rather not invest hundreds or thousands of dollars for a s...

How to implement security component in Windows Forms?

Coming from ASP.NET into WindowsForms app development I was expecting to see similar controls to work with. To my surprise, I didn't see any security controls (login, user management, etc.). Am I missing something, or would I have to implement my own security for the application (role based security, user management, etc.)? The applica...

Request for AspNetHostingPermission failed on EDM Load

I am using Entity Framework in an application I am working on, however when I try to launch it from another user's machine, while trying to load the EDM I get an Exception stating that the request for the AspNetHostingPermission has failed. The assemblies are located on a network share. The assemblies are not signed and as far as I know...

Control a wireless security camera using a .NET program

This wireless camera says it has motion detection among its features. Can/How can I control such a camera from my .NET code? I want my code to be told when motion is detected so that the code can instruct the lights to be turned on (that is the next question). Or have the .NET code tell the camera to look in another direct...

Does using SecureZeroMemory() really help to make the application more secure?

There's a SecureZeroMemory() function in WinAPI that is designed for erasing the memory used for storing passwords/encryption keys/similar stuff when the buffer is no longer needed. It differs from ZeroMemory() in that its call will not be optimized out by the compiler. Is it really so necessary to erase the memory used for storing sens...