security

Java Security Exception

Hello! I am trying to integrate a Hibernate application into a proprietary framework. My problem is that this framework somehow checks the signature of packages. When I try to call my Hibernate application I get the following error: Caused by: java.lang.SecurityException: class "org.hibernate.dialect.Oracle10gDialect"'s signer infor...

C# - modify process token to add deny flag to ACE for Administrator group membership

Greetings - I would like to remove privileges from my process, and elevated permissions conferred through membership in the local Administrators group. Just like DropMyRights.exe, but I want to modify the token of the current process. ProcessPrivileges (on CodePlex) makes removing the privileges easy. Adding the deny flag for the Admi...

Why is JavaScript considered bad by some?

Why is JavaScript allowed to be disabled in the browser? (i.e. Why is it considered bad?) ...

Grid security

Recently, I've become quite involved experimenting with lightweight grid frameworks (Hazelcast, Gigaspaces, Infinispan). However, I've been somewhat surprised that none of the free frameworks I tried has any ACL or role based security features built in (Gigaspaces does have some measures). What approaches are generally used to compensa...

How can I prove my SQL Server traffic is encrypted?

I need to prove that the encryption settings we have in our app's connection string are working. What would be the simplest way to validate that traffic from our web site to the SQL server is in fact encrypted. ...

How can I make a security module using SharePoint ?

We have developed a great system using WSS 3.0 that contains about 450 lists in one site, in one site collection. These 450 lists are for 53 modules in which each module has some lists. We would like to make a security module for this system in which the administrator can make roles with access to some lists with certain permissions and...

JavaScript security: an AJAX call to record the user's screen resolution, is it possible to prevent fake numbers?

This is a JavaScript security question: suppose a page finds out the screen resolution of the computer, such as 1024 x 768, and wants to use an AJAX call to log this data into the DB. Is there a way to actually prevent fake data from being entered into the DB? I think whatever the HTML or JavaScript does, the user can reverse engineer ...

Can I rely on session availability after redirect to & from another server?

Hi, the question's in the title really. I have an online form where, after a series of stages, the user is sent off to a payment gateway on another server, then back again after completing their details there (no card or personal info is sent, just encrypted tokens, that's the point). So can I rely on the session data still being avail...
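An added example, not part of the question above and not any gateway's API: instead of relying on the session cookie surviving the trip to the gateway and back (it may be dropped, land on a different web node, or be withheld on the cross-site return), put everything the resume step needs into a signed, expiring, single-use token on the return URL and validate that on the way back. The names (issue_return_token, verify_return_token, check_return) and the field layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set


class TokenError(ValueError):
    """Return token is forged, tampered with, expired or replayed."""


def urlsafe_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def urlsafe_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_return_token(secret: bytes, order_id: str, amount_minor: int,
                       ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Token to embed in the return URL handed to the gateway (assumed layout).

    It carries what the resume step needs, so a brand-new session (cookie dropped,
    different web node, cross-site POST without cookies) can still finish the order.
    Format: base64url(order|amount|expiry|nonce) "." hex(HMAC-SHA256 over the payload).
    """
    if "|" in order_id:
        raise ValueError("order_id must not contain '|'")
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    nonce = secrets.token_hex(8)                     # makes the token single-use
    payload = f"{order_id}|{amount_minor}|{expiry}|{nonce}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{urlsafe_encode(payload)}.{mac}"


def verify_return_token(secret: bytes, token: str, seen_nonces: Set[str],
                        now: Optional[int] = None) -> Dict[str, object]:
    """Check a token the gateway sent back; return its fields or raise TokenError.

    seen_nonces stands in for a server-side store (a table or cache shared by all
    web nodes); an in-process set only works for a single process.
    """
    try:
        encoded, mac = token.split(".", 1)
        payload = urlsafe_decode(encoded)
    except ValueError as exc:                        # binascii.Error is a ValueError
        raise TokenError("malformed token") from exc
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, and verify before parsing any field.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        raise TokenError("bad signature")
    order_id, amount, expiry, nonce = payload.decode().split("|")
    current = int(now if now is not None else time.time())
    if current > int(expiry):
        raise TokenError("token expired")
    if nonce in seen_nonces:
        raise TokenError("token already used")
    seen_nonces.add(nonce)
    return {"order_id": order_id, "amount_minor": int(amount), "expiry": int(expiry)}


def check_return(secret: bytes, token: str, seen_nonces: Set[str],
                 now: Optional[int] = None) -> str:
    """What the return handler would call: 'ok' or the reason for rejection."""
    try:
        verify_return_token(secret, token, seen_nonces, now)
        return "ok"
    except TokenError as exc:
        return str(exc)
```

The amount is part of the signed payload so the resume step can cross-check it against what the gateway reports; the nonce store must be shared across web nodes, or a replayed return URL would be accepted by a node that has not seen it.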

Mvc.FormatDescription error in ASP.NET

Hi there, I'm testing the security of my application and by injecting some quotes in one of my parameters, the system returns the following error: Invalid token, expected closing quote ' on {busobj:Mvc.FormatDescription('{var:entity=Transactions.Allowance,idValue=069'"}')} I did not successfully find anything that could explain what ...

What defines a computer security expert?

It seems everyone I meet is an expert on security! What defines a computer security expert? ...

When is IS_MEMBER set in Sql Server?

I am trying to get IS_MEMBER working in a UDF in Sql Server 2005. I have a windows group "Domain\TestGroup". I allocate my Login "Domain\Kieran" to it. select SUSER_NAME(); gives "Domain\Kieran" but select IS_MEMBER('Domain\TestGroup'); returns NULL. ...

Suggestions for Security Design for Access Control List in database?

I have users for my application with access control list (these are both tables/schema/objects). Currently these are read from the database, Boolean values are used to indicate what they can view/manipulate. However, anyone can still go to the database and change the data. Can someone offer some suggestion on what kind of things I can do...

ASP.NET Membership Provider - Specify settings in database rather than Web.config

I'm using the ASP.NET membership provider for authentication of users in my web app. I want to do two things To enable the client to configure settings such as maxInvalidPasswordAttempts and passwordAttemptWindow without having to know about the web.config (e.g. through a UI) To have the ability to share these settings across several ...

Is it possible to use 2 membership providers in ASP.NET?

I have this situation: I have a website and need to use the user base from a users database (SQL Server, Oracle, etc) and from an NT user database (computer or domain) for security/authentication of the site. The scenario is this: A user logs into the site and enters his/her username and password. The site looks up to the users data...

CS0016: Directory invalid error... I solved it but I don't understand the solution

I've been battling for two days tracking down a mysterious error when compiling an ASP.NET website. The error is the (quite famous) CS0016: "Unable to write to output file [filename] - directory is invalid". I have discovered after two days of debugging that the cause of my problem is that the NetworkService somehow does not have the ne...

How can I drop privileges in Perl?

I created a server program that will be started as root. After it is started I want to drop privileges to another user. How can I do this securely? ...

MVC redirects authorized users to wrong URL after timeout.

I have published my MVC project to an IIS 6 server. Running under the application MVCapp. The web project gets the url: www.domain.com/MVCapp/. I use forms login for authentication and got an issue after publishing. The web.config is as follows: <authentication mode="Forms"> <forms name="CTWebCookie" loginUrl="~/Account/Login" def...

Ideas for designing a Secure, "Low Cost" method for confirming client-side game results

This is more a system design question/challenge, than a coding question. Basically, I'm thinking of throwing together a Bejeweled-esque game on Facebook using just HTML, CSS, and javascript. This is mostly out of a desire to learn all the little caveats of FBJS via a non-trivial project. So here's the deal. When developing for Facebo...
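An added example, not from the question above and not Facebook or FBJS code: the "low cost" approach is to never trust the client's score at all. The server derives the board and the refill stream from a seed it keeps, the client sends back only the swaps it made, and the server replays those swaps on a deliberately simplified match-3 (no special pieces, no timers) to produce the only score it records. Any swap that is off the board, not adjacent, or creates no match proves the submission did not come from honest play. Names such as make_board, replay, score_submission and GameError are assumptions.

```python
import random
from itertools import count
from typing import Iterator, List, Set, Tuple

ROWS, COLS = 6, 6
COLOURS = "ABCD"
Board = List[List[str]]
Swap = Tuple[int, int, int, int]    # (r1, c1, r2, c2)


class GameError(ValueError):
    """The client's move list cannot be replayed legally; record nothing."""


def make_board(seed: int) -> Tuple[Board, Iterator[str]]:
    """Board and refill stream both derive from one server-held seed, so replay is deterministic."""
    rng = random.Random(seed)
    board = [[rng.choice(COLOURS) for _ in range(COLS)] for _ in range(ROWS)]
    refill = (rng.choice(COLOURS) for _ in count())    # infinite, seeded
    return board, refill


def find_matches(board: Board) -> Set[Tuple[int, int]]:
    """Cells that sit in a horizontal or vertical run of three or more equal colours."""
    hit: Set[Tuple[int, int]] = set()
    for r in range(ROWS):
        for c in range(COLS):
            colour = board[r][c]
            if c + 2 < COLS and board[r][c + 1] == colour == board[r][c + 2]:
                hit.update({(r, c), (r, c + 1), (r, c + 2)})
            if r + 2 < ROWS and board[r + 1][c] == colour == board[r + 2][c]:
                hit.update({(r, c), (r + 1, c), (r + 2, c)})
    return hit


def collapse(board: Board, hit: Set[Tuple[int, int]], refill: Iterator[str]) -> None:
    """Drop matched cells, let the rest fall, and fill each column from the top."""
    for c in range(COLS):
        kept = [board[r][c] for r in range(ROWS) if (r, c) not in hit]
        column = [next(refill) for _ in range(ROWS - len(kept))] + kept
        for r in range(ROWS):
            board[r][c] = column[r]


def settle(board: Board, refill: Iterator[str]) -> int:
    """Resolve cascades until nothing matches; 10 points per cleared cell."""
    score = 0
    while True:
        hit = find_matches(board)
        if not hit:
            return score
        score += 10 * len(hit)
        collapse(board, hit, refill)


def replay(board: Board, refill: Iterator[str], swaps: List[Swap]) -> int:
    """Replay the client's swaps. Each must be on the board, adjacent, and produce a match."""
    score = 0
    for r1, c1, r2, c2 in swaps:
        if not all(0 <= r < ROWS for r in (r1, r2)) or not all(0 <= c < COLS for c in (c1, c2)):
            raise GameError(f"swap off the board: {(r1, c1, r2, c2)}")
        if abs(r1 - r2) + abs(c1 - c2) != 1:
            raise GameError(f"cells not adjacent: {(r1, c1, r2, c2)}")
        board[r1][c1], board[r2][c2] = board[r2][c2], board[r1][c1]
        if not find_matches(board):
            # An honest client cannot make this swap, so the whole submission is bogus.
            raise GameError(f"swap produces no match: {(r1, c1, r2, c2)}")
        score += settle(board, refill)
    return score


def score_submission(seed: int, swaps: List[Swap]) -> int:
    """What the server records: rebuild the board from its seed and replay the client's swaps."""
    board, refill = make_board(seed)
    settle(board, refill)           # clear matches present at generation; they earn nothing
    return replay(board, refill, swaps)
```

The seed is never sent to the client in a form it can choose (hand it out as an opaque game id and keep the seed server-side), otherwise a cheater can search for a favourable board; and because the replay is cheap, it can run on submission rather than in real time, which is what keeps the cost low.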

Do non-self-signed certificates remove the security warning for Applets?

What exactly do certificates purchased from a CA do again (in the context of Java applets)? Let's say I have an applet on a website that accesses the user's files (requiring a security certificate). If I make a self-signed certificate, the client will get a security warning asking if the client should trust this application. If I purcha...

Timestamp Response is Incorrect - BouncyCastle

Hi, Trying to request a timestamp (RFC 3161) by using BouncyCastle and connecting to http://timestamping.edelweb.fr/service/tsp. I do get a TimestampResponse back from the server but it seems to be without an actual date. This is the code: public static void main(String[] args) { String ocspUrl = "http://timestamping.edelweb.fr/se...