Search Results

Search found 22238 results on 890 pages for 'db security'.

  • Prevent Method call without Exception using @PreAuthorize Annotation

    - by Chepech
    Hi all. We are using Spring Security 3. We have a custom implementation of PermissionEvaluator that has a complex algorithm to grant or deny access at method level in the application. To do that we add a @PreAuthorize annotation to the method we want to protect (obviously). Everything is fine with that. However, the behavior we are looking for is that if a hasPermission call is denied, the protected method call only needs to be skipped; instead we are getting a 403 error each time that happens. Any ideas how to prevent that? You can find a different explanation of the problem here: AccessDeniedException handling during methodSecurityInterception

  • How many tiers should my models have in a DB driven web app?

    - by Hanno Fietz
    In my experience, the "Model" in MVC is often not really a single layer. I would regularly have "backend" models and "frontend" models, where the backend ones would have properties that I want to hide from the UI code, and the frontend ones have derived or composite properties which are more meaningful in the context of the UI. Recently, I have started to introduce a third layer in between when database normalization created tables that did not really match the conceptual domain objects anymore. In those projects I have model classes that are equivalent to the DB structure; these become components of objects that represent the domain model, and finally these are filtered and amended for displaying information to the user. Are there patterns or guidelines for how, when and why to organize the data model across application layers?

  • Are there cross-platform tools to write XSS attacks directly to the database?

    - by Joachim Sauer
    I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan my applications for weaknesses. I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary, and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development). Is anyone aware of a similar tool? Preferably it should be:
      - cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
      - open source (I really like being able to audit my security tools)
      - able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)

  • How to read an XML file with Java?

    - by Yatendra Goel
    I don't need to read complex XML files. I just want to read the following configuration file with the simplest XML reader:

        <config>
          <db-host>localhost</db-host>
          <db-port>3306</db-port>
          <db-username>root</db-username>
          <db-password>root</db-password>
          <db-name>cash</db-name>
        </config>

    How do I read the above XML file with an XML reader in Java?

  • Use Tomcat with Java SecurityManager?

    - by pauline
    I'm writing a web application that is supposed to run on Tomcat on Ubuntu. On Ubuntu, Tomcat is by default configured to run with the Java SecurityManager. Besides my own web application, there will only be some well-known third-party web applications related to my own, like the BIRT report engine. If one of the web applications fails or gets compromised, it may take down all the others without harm, because they all belong together. What I don't want to happen is that a compromised web app compromises the system itself, like calling rm -r /. Do I need to use the Java SecurityManager to achieve this? Or is it only necessary to protect one web app from the other? I'd really like to avoid the effort of creating .policy files for all the 3rd-party web applications I intend to use.

  • When do you trust the data / variables

    - by Wizzard
    We all know that all user data, GET/POST/Cookie etc. needs to be validated for security. But when do you stop, once it's converted into a local variable? E.g.:

        if (isValidxxx($_GET['foo']) == false) {
            throw new InvalidArgumentException('Please enter a valid foo!');
        }
        $foo = $_GET['foo'];
        fooProcessor($foo);

        function fooProcessor($foo) {
            // validated again inside the function
            if (isValidxxx($foo) == false) {
                throw new InvalidArgumentException(/* ... */);
            }
            // other stuff
        }

    To me that's over the top. But what if you load the value from the database... I hope I make sense :)

  • What is the sense of permitting the user to use no passwords longer than xx chars?

    - by reox
    It's more like a usability question, or maybe database, or even maybe security (consider injection attacks), but what is the sense of permitting the user's password to be no longer than xx chars? It does not make any sense to me, because longer passwords are mostly considered better and even harder to crack, and some users use password safes, so the password length should not matter. I understand that passwords with more than 20 chars are hard to remember, but if you use diceware or a password safe you don't have any problem with that. I really can't understand why there are sites that say "your password needs to be between 5 and 8 chars"... Also, the password should be saved as a hash, so the length of the field in the database is fixed, so where is the problem? I think that most of the sites where the password has to be a fixed length are not even using any hashing method...

  • Websphere exception handling

    - by Benjamin
    Hi all, from a security standpoint, what is the best solution to handle application errors with Websphere? I've been thinking of creating a class that is called every time an application error is generated, logs the error and displays a generic error message to the users. In PHP this can be achieved using the set_exception_handler() function. Is there something similar for Websphere that could be configured in the web.xml? I've found code like this on the internet:

        <error-page>
          <error-code>500</error-code>
          <location>/servlet/ExceptionHandlerServlet</location>
        </error-page>

    But that would only work with "500" HTTP error codes. I really want something generic that catches everything. Something like a class that implements a certain interface which can have access to all information about the error. Thanks for your time.

  • How to make an Asp.net MVC 2 website have a Private Beta Mode.

    - by Mark Kitz
    I am creating an ASP.NET MVC website that I am launching soon in private beta. What I am using:
      - ASP.NET MVC 2
      - ASP.NET Sql Membership Provider
      - Authorization Attributes on ActionMethods, e.g. [EditorsOnly]
    What I am trying to accomplish: during the private beta period of my website, I want no anonymous users to access my site. Only beta testers of my site should be able to log in and use my site as normal. After the private beta period people can access it using the security structure I already have set up. I am hoping I do not have to recompile but can have a setting in the web.config to switch between Private Beta mode and Normal mode. Thanks for your suggestions.

  • Is php fileinfo sufficient to prevent upload of malicious files?

    - by Scarface
    Hey guys, I have searched around a bit, and have not really found a professional type response to how to have secure file upload capability, so I wanted to get the opinion of some of the experts on this site. I am currently allowing upload of mp3s and images, and while I am pretty confident in preventing XSS and injection attacks on my site, I am not really familiar with file upload security. I basically just use PHP fileinfo and check an array of accepted file types against the file type. For images, there is the getimagesize function and some additional checks. As far as storing them, I just have a folder within my directory, because I want the users to be able to use the files. If anyone could give me some tips I would really appreciate it.

  • Detect IE setting: check for newer versions of stored pages "never"

    - by xx
    I understand there isn't a way to interrogate a user's IE settings directly due to security reasons, but is there a way to derive this answer with some other mechanism? I would like to stop a user from using my site if the setting "Check for newer versions of stored pages" is set to "Never". Any suggestions? Is there a way I could test for this using JavaScript? An example of what I am trying to accomplish is this: while it is not possible to check IE settings to see if you are running a popup blocker, there is a way to "test" for a popup blocker via JavaScript. I am looking for something similar but for the cache setting, not the popup blocker.

  • How do you determine an acceptable response time for App Engine DB requests?

    - by qiq
    According to this discussion of Google App Engine on Hacker News: "A DB (read) request takes over 100ms on the datastore. That's insane and unusable for about 90% of applications." How do you determine what is an acceptable response time for a DB read request? I have been using App Engine without noticing any issues with DB responsiveness. But, on the other hand, I'm not sure I would even know what to look for in that regard :)

  • Secure database connection. DAL .net architecture best practice

    - by Andrew Florko
    We have several applications that are installed in several departments that interact with the database via the Intranet. Users tend to use weak passwords or store login/password written on sheets of paper where everybody can see them. I'm worried about login/password leakage and want to minimize the consequences. Minimizing the database-server attack surface by hiding the database server from Intranet access would be a great idea also. I'm thinking about an intermediary data access service with method-based security. It seems more flexible than table-based or connection-based security on the database server. This approach also allows hiding the database server from the public Intranet. What kind of .NET technologies and best practices would you suggest? Thank you in advance!

  • session is lost after successful login?

    - by sword101
    Greetings all, I'm using Spring Security 3.0.2. All the application pages are secured; to see them you must be authenticated. I'm using the HTTPS protocol. I have a strange problem: after a successful login I get to the requested page, but when I try to open any link to other pages in the application the session is invalidated or lost (or whatever happened, I don't know), the user becomes anonymous and is redirected to the login page. I got this from debugging:

        No HttpSession currently exists
        No SecurityContext was available from the HttpSession: null. A new one will be created.

    After reviewing the code many times, nothing in the code is invalidating the session. Any ideas why something like this might happen?

  • How can I get started with PHPUnit, where my class construct requires a preconfigured db connection?

    - by Ben Dauphinee
    I have a class that uses a lot of database internally, so I built the constructor with a $db handle that I am supposed to pass to it. I am just getting started with PHPUnit, and I am not sure how I should go ahead and pass the database handle through setUp.

        // in the test case
        public function setUp(/* do I pass a database handle through here, using a reference? aka &$db */)
        {
            $this->_acl = new acl;
        }

        // in the class under test
        public function __construct(Zend_Db_Adapter_Abstract $db, $config = array())
        {
            // ...
        }

  • Favoriting system on Appengine

    - by Mateusz Cieslak
    Hi, I have the following model structure:

        from google.appengine.ext import db

        class Authors(db.Model):
            nickname = db.StringProperty(required=True)
            fullname = db.StringProperty(required=True)

        class Articles(db.Model):
            title = db.StringProperty(required=True)
            body = db.StringProperty(required=True)
            author = db.ReferenceProperty(Authors, required=True)

        class Favorites(db.Model):
            who = db.ReferenceProperty(Authors, required=True)
            what = db.ReferenceProperty(Articles, required=True)

    I'd like to display the last 10 articles according to this pattern: article.title, article.body, article.author (nickname), and info on whether this article has already been favorited by the signed-in user. I have added a function which I use to get the authors of these articles using only one query (it is described here). But I don't know what to do with the favorites (I'd like to know which of the displayed articles have been favorited by me using fewer than 10 queries; I want to display 10 articles). Is it possible?

  • Sanitizing CSS in Rails

    - by Erik
    Hello! I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page. However I am aware of this opening up many security risks, i.e. background: url('javascript:alert("Got your cookies! " + document.cookies)'). Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users. So my question is whether anyone knows of a gem or a plugin that handles this? I've googled my brains out already, so any tips would be really appreciated!

  • Accepting bank account information in a form

    - by jeffthink
    What security concerns are there when accepting a user's bank account information (account number and routing number) via a form on a page that is using SSL, and posting it back to the server, where I then curl off an HTTPS request to send that information to an ACH service like First ACH or ACH Direct via their API? We wouldn't be saving the bank account information in our database. I know another option is to use PayPal's Mass Pay API, but they think it's unprofessional (at least for their business) to require customers to have a PayPal account to get paid. Thoughts?

  • php Form to Email sanitizing

    - by Jacob
    Hi, I'm using the following to send a contact-us type form. I've looked into security and only found that you need to protect the From: bit of the mail function; as I've hardcoded this, does that mean the script is spam-proof / un-hijackable?

        $tenantname = $_POST['tenan'];
        $tenancyaddress = $_POST['tenancy'];
        $alternativename = $_POST['alternativ...'];
        // and a few more
        // then striptags on each variable
        $to = "[email protected]";
        $subject = "hardcoded subject here";
        $message = "$tenantname etc rest of posted data";
        $from = "[email protected]";
        $headers = "From: $from";
        mail($to, $subject, $message, $headers);

  • How do I tell which account is trying to access an ASP.NET web service?

    - by Andrew Lewis
    I'm getting a 401 (access denied) calling a method on an internal web service. I'm calling it from an ASP.NET page on our company intranet. I've checked all the configuration and it should be using integrated security with an account that has access to that service, but I'm trying to figure out how to confirm which account it's connecting under. Unfortunately I can't debug the code on the production network. In our dev environment everything is working fine. I know there has to be a difference in the settings, but I'm at a loss with where to start. Any recommendations?

  • Self-referential ReferenceProperty in Google App Engine

    - by Ink-Jet
    I'm having a bit of trouble with ReferenceProperty in App Engine (Python). For a bit of fun, I'm trying to model a folder/file system, but having trouble getting folders to reference folders. My first attempt was this:

        from google.appengine.ext import db

        class Folder(db.Model):
            id = db.StringProperty()
            name = db.StringProperty()
            created = db.DateTimeProperty(auto_now_add=True)
            folder = db.ReferenceProperty(Folder, collection_name="folders")

    But that fails, as "Folder" isn't defined when "folder" is being defined. I've also tried defining "folder" outside of the main declaration for "Folder", like so:

        class Folder(db.Model):
            id = db.StringProperty()
            name = db.StringProperty()
            created = db.DateTimeProperty(auto_now_add=True)

        Folder.folder = db.ReferenceProperty(Folder, collection_name="folders")

    But that fails with:

        AttributeError: 'Folder' object has no attribute 'folders'

    I'm kind of stumped. Does anyone have experience with this, or a solution to this problem? Thanks in advance.

  • Which DB should I use for my newbie program?

    - by knijo
    I'm really new to programming, and I need some advice. I'm currently working on a very simple program to maintain a list of users at a company, as well as their clock-in and clock-out info. I would like to make this application easy to distribute (on a CD probably), and I'm looking for advice on which database to use for storing my data. My application is implemented using Java and Swing. A friend recommended MySQL, but I don't want to go installing the DB server on every computer the application is installed on. Another friend recommended Access. Any tips would be greatly appreciated.

  • Reliably detect caller domain over cURL request?

    - by Utkanos
    OK, so server-side security is not my forte. Basically, I'm building a service which users may use (via an SDK) only on the domain they stipulated when they signed up. The SDK calls my web service over cURL in PHP. Would I be right in thinking I cannot reliably detect the caller domain, i.e. enforce that it is the same domain they stipulated when signing up? cURL of course sends this over headers, but headers can always (?) be faked. Is there a better course of action to enforce the domain for this sort of thing? (NB I'm already using an API key too; it's just that I wanted to restrict the domain as well.) Thanks in advance.

  • Reason to use more cookies than just a session hash for authentication?

    - by dierre
    I usually hang out in a community using vBulletin as its bulletin board. I was looking at what this software saves as cookies in my browser. As you can see, it saves 6 cookies. Amongst them, what I consider to be important for authentication are:
      - ngivbsessionhash: hash of the current session
      - ngivbpassword: hash of the password
      - ngivbuserid: user's id
    Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason. My question is: why use all these cookies for authentication? My guess would be that maybe generating a session hash would be too easy, so using the hashed password and user id adds security, but what about cookie spoofing? I'm basically leaving all the fundamental information on the client. What do you think?

  • Ruby: would using Fibers increase my DB insert throughput?

    - by Zombies
    Currently I am using Ruby 1.9.1 and the 'ruby-mysql' gem, which unlike the 'mysql' gem is written in Ruby only. This is pretty slow actually, as it seems to insert at a rate of almost 1 per second (SLOOOOOWWWWWW). And I have a lot of inserts to make too; it's pretty much what this script does ultimately. I am using just 1 connection (since I am using just one thread). I am hoping to speed things up by creating a fiber that will:
      - create a new DB connection
      - insert 1-3 records
      - close the DB connection
    I would imagine launching 20-50 of these would greatly increase DB throughput. Am I correct to go along this route? I feel that this is the best option, as opposed to refactoring all of my DB code :(
