Hi,
If I provide Evidence to the .net framework on which code group my assembly belongs to, couldn't I provide false evidence stating that I belong in the Trusted Zone code group?
I know what security policies are, permission sets but I don't understand how the framework checks the Evidence and then based on that evidence, determines t...
What is a secure way of storing a username and password (not asp.net membership details) within a database table that needs to be pulled out and decrypted to use for passing to a web service.
Each way I think about the problem I find security holes as the username and password need to be in plain text before being passed to the webse...
I am trying to figure out what some legacy code is doing. What exactly is this line doing, and why would I need it this way?
String lineSeparator = (String) java.security.AccessController.doPrivileged(
new sun.security.action.GetPropertyAction("line.separator"));
I found it in the logger implementation of the web/ejb applicatio...
With understanding of secure Internet connections limited to SSL, I'm doubtful about the security of GlassFish Admin console. Normal secure HTTP connections use https://domain/ URLs but in GlassFish http://domain:4848/ is used to login to Admin console. Is there some kind of encryption going on between the browser and the server when...
I'm not a security expert by any means, but I favor creating REST-style web services.
We are creating a new service which needs to have the data it transmits secure. We've entered a debate over which approach is more secure - REST with HTTPS or a SOAP WS with WS-Security.
I am under the impression we could use HTTPS for all the web serv...
I have a user who has access to one project on the team foundation server at my office. When they view source control, they only see the source for that single project (which is correct). The problem I have is that when they go to add a project to their team explorer, they get the entire project list from the server. Is there a way to...
After some research I haven't found any paper describing a method to do this (not even an unreliable one). It seems that SSP (StackSmashing Protection)/Propolice
...
This is a question about salting phrases that need to be hashed.
I was wondering if it is more secure to prefix the salt to a phrase or postfix it?
salt + phrase or
phrase + salt
My question comes from this comment on this post on MD5s. I am not sure I understand the reasoning behind the author's comment.
...
I created a nice long passphrase, used it a few times, then forgot it ;) The twist is, I know the general theme and probably almost all of the characters. The perfectionist in me doesn't want to revoke the key or anything like that (and I think I need the passphrase to revoke it anyway, right?). I feel I should be able to have a good go ...
How do I securely delete files in java? I tried the code at javafaq.nu, but the problem is you can't actually delete the file on windows once it has been mapped due to this bug.
Then I tried just using sysinternals sdelete on windows, but you have to click a usage agreement the first time you use it which I want to avoid.
...
I wrote a small internal web app using (a subset of) pylons. As it turns out, I now need to allow a user to access it from the web. This is not an application that was written to be web facing, and it has a bunch of gaping security holes.
What is the simplest way I can make sure this site is securely available to that user, but no one e...
I've just installed SQL Server 2008 Developer edition and I'm trying to connect using SQLCMD.exe, but I get the following error:
H:\>sqlcmd.exe -S ".\SQL2008"
Msg 18452, Level 14, State 1, Server DEVBOX\SQL2008, Line 1
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
Has anyone seen...
Today I implemented a session/token authentication system for my web api (http get/post rpc style), following this plan:
legend: action (param1, param2) : returnvalue1, returnvalue2
login (username, password) : sessionkey, token
requestA (sessionkey, token, paramA) : token
requestB (sessionkey, token, paramB) : token
logout (sessionke...
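The login / request / logout plan above, implemented as an added example in Python (this is not the poster's code). The in-memory user table, the PBKDF2 password check, the session TTL and the decision to invalidate a session when a stale or forged token is presented are all assumptions made for the example; every request consumes the current token and returns a fresh one, so a replayed request is rejected.

```python
import hashlib
import hmac
import secrets
import time


class AuthError(Exception):
    """Raised for bad credentials, unknown sessions, and token mismatches."""


def make_user_table(plain_passwords):
    """Constructed user store for the example: username -> (salt, pbkdf2 hash).
    A real deployment would persist these, never the plaintext passwords."""
    table = {}
    for user, password in plain_passwords.items():
        salt = secrets.token_bytes(16)
        table[user] = (salt, _hash_password(password, salt))
    return table


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenServer:
    """Server side of the scheme: sessionkey identifies the session, token is a
    one-time value that is replaced on every successful call."""

    def __init__(self, users, session_ttl=900):
        self._users = users
        self._sessions = {}          # sessionkey -> {"user", "token", "expires"}
        self.session_ttl = session_ttl

    def login(self, username, password):
        rec = self._users.get(username)
        # Hash even for unknown users so response time does not reveal
        # whether the username exists.
        salt, stored = rec if rec else (bytes(16), bytes(32))
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if rec is None or not ok:
            raise AuthError("bad credentials")
        sessionkey = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sessionkey] = {
            "user": username,
            "token": token,
            "expires": time.monotonic() + self.session_ttl,
        }
        return sessionkey, token

    def _consume(self, sessionkey, token):
        """Validate (sessionkey, token) and rotate the token. Assumption for
        the example: a mismatch means replay or forgery, so the session dies."""
        sess = self._sessions.get(sessionkey)
        if sess is None:
            raise AuthError("unknown session")
        if sess["expires"] < time.monotonic():
            del self._sessions[sessionkey]
            raise AuthError("session expired")
        if not hmac.compare_digest(sess["token"], token):
            del self._sessions[sessionkey]
            raise AuthError("token mismatch: session revoked")
        new_token = secrets.token_urlsafe(32)
        sess["token"] = new_token
        sess["expires"] = time.monotonic() + self.session_ttl
        return sess, new_token

    def request(self, sessionkey, token, param):
        """requestA/requestB from the plan: returns (result, next token)."""
        sess, new_token = self._consume(sessionkey, token)
        return f"{sess['user']}:{param}", new_token

    def logout(self, sessionkey, token):
        self._consume(sessionkey, token)
        del self._sessions[sessionkey]
        return True


def raises_auth_error(fn, *args):
    try:
        fn(*args)
    except AuthError:
        return True
    return False


def demo():
    """Walk the exchange once and return what happened at each step."""
    users = make_user_table({"alice": "correct horse battery"})   # constructed
    srv = TokenServer(users, session_ttl=60)
    sk, t1 = srv.login("alice", "correct horse battery")
    result, t2 = srv.request(sk, t1, "A")            # valid: consumes t1
    replayed = raises_auth_error(srv.request, sk, t1, "A")   # t1 again: rejected
    after_replay = raises_auth_error(srv.request, sk, t2, "B")  # session revoked
    return result, t1 != t2, replayed, after_replay
```

Because each token is single-use, a request whose response is lost in transit leaves the client holding a token the server has already rotated away; the client must then log in again. That is the price of replay protection in this design, and it is worth deciding up front whether a mismatch should revoke the session (as here) or merely reject the call.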
I'm proposing the use of SAML 1.1 as technology to provide Web SSO in a customer environment, and they asked me something interesting:
In which scenarios is the Browser/POST profile appropriate, and in which scenarios is the Browser/Artifact profile of SAML appropriate?
In fact, the SAML 1.1 Specifications don't talk about the best nor the most appropriate...
I am using this JQuery Ajax Voting system guide as a rough reference but I am a little troubled at the security of this. Right now this guide basically stores the ID of something and the vote statistics for it.
I'd like to go off a similar idea but I need to include the userID as well so a user can only vote once. This is stored in a PH...
In PHP, I know that mysql_real_escape_string is much safer than using addslashes.
However, I could not find an example of a situation where addslashes would let an SQL Injection happen.
Can anyone give some examples?
Thanks!
...
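One concrete case where a byte-oriented addslashes lets a quote through is a multibyte connection charset such as GBK, where 0x5C (the backslash) is a valid trail byte. The following is an added example in Python, not code from the question: it models addslashes, a charset-aware escaper, and a checker that decodes the finished query the way a server configured with a given charset would. The attacker input, the table name and the query shape are constructed for illustration, and the hardened escaper's rules (decode first; double single quotes for charsets where a backslash can be a trail byte) are this example's assumptions about what charset-aware escaping must do, not a transcription of any library.

```python
def addslashes(data: bytes) -> bytes:
    """Escape like PHP addslashes(): prefix ' " \\ and NUL with a backslash.
    Works byte by byte and knows nothing about the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):          # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


# Charsets in which 0x5C can be the second byte of a character (assumed list).
BACKSLASH_UNSAFE = ("gbk", "big5", "sjis", "shift_jis", "cp932")


def escape_for_charset(data: bytes, charset: str) -> bytes:
    """Charset-aware escaping for a single-quoted literal: decode with the
    connection charset so a lead byte cannot swallow an inserted backslash,
    and for the charsets above double the quote instead of backslashing it."""
    text = data.decode(charset, errors="replace")
    if charset.lower() in BACKSLASH_UNSAFE:
        text = text.replace("'", "''")
    else:
        text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset, errors="replace")


def build_query(escaped: bytes) -> bytes:
    # Query shape assumed for the example; the literal is single-quoted.
    return b"SELECT * FROM users WHERE name = '" + escaped + b"'"


def breaks_out(query: bytes, charset: str) -> bool:
    """Decode the finished query as a server using `charset` would and walk
    the single-quoted literal. True if the literal closes before the end of
    the query, i.e. the rest of the attacker's input is parsed as SQL."""
    text = query.decode(charset, errors="replace")
    i = text.index("'") + 1
    while i < len(text):
        if text[i] == "\\":                      # backslash escape: skip next
            i += 2
        elif text[i] == "'":
            if text[i + 1:i + 2] == "'":         # doubled quote inside literal
                i += 2
            else:
                return i < len(text) - 1         # closing quote before the end?
        else:
            i += 1
    return False


# Constructed attacker input: a GBK lead byte followed by a quote.
ATTACK = b"\xbf' OR 1=1 -- "
BENIGN = b"O'Brien"
```

With a single-byte charset the backslash addslashes inserts protects the quote, but under GBK the bytes 0xBF 0x5C form one character and the quote that follows is bare. Parameterised queries avoid the whole problem, since the input never becomes part of the SQL text.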
More specifically, is there any Java plugin frameworks have all of the below features:
Support for multiple JAR files
JARs can be signed and/or sealed
Can perform a license check for each JAR prior to instantiation
Can load multiple JARs using multiple threads
...
Hi all, may I know how I can retrieve a user's permission rights from their user ID and group name. Help urgently needed. Thanks in advance!
...
Is htmlspecialchars($user_data) in PHP or h(user_data) in Ruby on Rails good enough for defending against all cases of XSS (Cross-site scripting) attacks? What about the encoding used or any other possible considerations?
...
In the many Python applications I've created, I often create simple modules containing nothing but constants to be used as config files. Additionally, because the config file is actually a Python code file, I can add simple logic for changing variables depending on a debug level, etc.
While this works great for internal applications, I...