Search Results

Search found 14784 results on 592 pages for 'spring security'.

Page 200/592 | < Previous Page | 196 197 198 199 200 201 202 203 204 205 206 207  | Next Page >

• Disadvantages of hard coding credentials? What's the resolution?

  - by SeeBees

  I am building a Sharepoint web part that will be used by all users. The web part connects to a web service which needs credentials with higher privileges than common users. I hard coded credentials in the web part's code. query.Credentials = new System.Net.NetworkCredential("username", "password", "domain"); query is an instance of the web service class This may not be a good approach. In regard with security, source code of the web apart is available to people who are not allowed to see the credential. This is bad enough, But is there any other drawback of this approach? How to prevent hard coding credentials into the source code? Thanks

  Read the article

• Html encoding in MVC input

  - by fearofawhackplanet

  I'm working through NerdDinner and I'm a bit confused about the following section... First they've added a form for creating a new dinner, with a bunch of textboxes delcared like: <%= Html.TextArea("Description") %> They then show two ways of binding form input to the model: [AcceptVerbs(HttpVerbs.Post)] public ActionResult Create() { Dinner dinner = new Dinner(); UpdateModel(dinner); ... } or: [AcceptVerbs(HttpVerbs.Post)] public ActionResult Create(Dinner dinner) { ... } Ok, great, that all looks really easy so far. Then a bit later on they say: It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?

  Read the article

• How are CD Keys generated?

  - by The Rook

  CD Keys are the defacto-standard as an anti-piracy measure. To be honest this strikes me as Security Though Obscurity, although I really have no idea how CD Keys are generated. What is a good (secure) example of CD Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators?

  Read the article

• Reason to use more cookies than just a session hash for authentication?

  - by dierre

  I usually hang out in a community using vBulletin as its bulletin board. I was looking at what this software saves as cookie in my browser. As you can see it saves 6 cookies. Amongst them, what I consider to be important for authentification are: ngivbsessionhash: hash of the current session ngivbpassword: hash of the password ngivbuserid: user's id Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason. My question is: why use all these cookie for authentication? My guess would be that maybe generating a session hash would be to easy so using the hashedpassword and userid adds security but what about cookie spoofing? I'm basically leaving on the client all fundamental informations. What do you think?

  Read the article

• Hibernate deletion issue

  - by muffytyrone

  I'm trying to write a Java app that imports a data file. The process is as follows Create Transaction Delete all rows from datatable Load data file into datatable Commit OR Rollback if any errors were encountered. The data loaded in step 3 is mostly the same as the data deleted in step3. The deletion is performed using the following DetachedCriteria criteria = DetachedCriteria.forClass(myObject.class); List<myObject> myObjects = hibernateTemplate.findByCriteria(criteria); hibernateTemplate.deleteAll(myObjects); When I then load the datafile, i get the following exception nested exception is org.hibernate.NonUniqueObjectException: a different object with the same identifier value was already associated with the session: The whole process needs to take place in transaction. And I don't really want to have to compare the import file / data table and then perform an insert/update/delete to get them into sync. Any help would be appreciated.

  Read the article

• The risk of granting to IUSR* NTFS permissions on a folder on the server

  - by vtortola

  I have two web applications that must share a file in the server file system. Both apps are inside of "Inetpub\wwwroot". The file cannot be accessed freely from outside, so it is in a folder out of "Inetpub". I have granted full NTFS permissions to the user "IUSR_whatever" (is the user that runs IIS in anonymous requests) in that folder. The folder has only that file, and has no other use. It works so far :) But, what is the risk? what should I be afraid of? As I see it, as long the folder is out of the "InetPub" cannot be accessed, and as long the apps don't have any security flaw like "path traversal" or server side code injection, it should be safe enough.... But I'm always keen to be wrong :) What do you think? May the file or even the server itself get compromised because of this? Thanks.

  Read the article

• Hibernate one to one with multiple columns

  - by Erdem Emekligil

  How can i bind two columns, using @OneToOne annotation? Lets say I've 2 tables A and B. Table A: id1 (primary key) id2 (pk) other columns Table B: id1 (pk) id2 (pk) other columns In class A i want to write something like this: @OneToOne(fetch = FetchType.EAGER, targetEntity = B.class) @JoinColumn(name = "id1 and id2", referencedColumnName = "id1 and id2") private B b; Is it possible to do this using annotations? Thanks.

  Read the article

• How to send exceptions to exceptionController?

  - by ivar

  <bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"> <property name="mappedHandlers"> <set> <ref bean="exceptionController" /> </set> </property> <property name="defaultErrorView" value="tiles/content/error" /> </bean> I'm trying to send exceptions to a controller so I can create a redirect. If I comment out the mappedHandlers part then the error tile is displayed but it is only a tile. The rest of the tiles load normally. I need to make a redirect in the controller so I can show an error page not just an error tile. I can't find enough information or an example how the exception invokes some method in exceptionController.

  Read the article

• Why is hibernate returning a proxy object?

  - by predhme

  I have a service method that returns an object from the database. This method is called from numerous parts of the system. However, one particular method is getting a return type of ObjectClass_$$_javassist_somenumber as the type. Which is throwing things off. I call the service method exactly the same as everywhere else, so why would hibernate return the proxy as opposed to the natural object? I know there are ways to expose the "proxied" object, but I don't feel like I should have to do that. The query is simply hibernateTemplate.find("from User u where u.username = ?", username)

  Read the article

• does it make sense to send password information during email communication from websites

  - by Samuel

  Most of the online sites on registration do send a link to activate the site and on any further correspondence with the end user they provide information about the site and also provide the login credentials with password in clear text (as given below) Username - [email protected] Password - mysecretpassword What would you do in such a case? From a usability perspective does it make sense to send the password information in clear text or should you just avoid sending this information. I was under the impression that most of the passwords are MD5 hashed before storing in the database and hence the service provider will not have any access to clear text passwords, is this a security violation?

  Read the article

• URIs vs Hidden Forms

  - by NateDogg

  I'm working in the Codeigniter framework, and want to send requests to my controller/model that have several variables involved. Is there a difference between passing those variables via a hidden form (i.e. using "post") as opposed to passing them through URIs (e.g. 'travel/$month/$day/')? What about security concerns? e.g. URIs: http://www.example.com/travel/$month/$day/ Hidden Form: form_hidden('month',$month); form_hidden('day',$day);

  Read the article

• WYSIWYG-editor with "add custom html feature" and secure (validated) html output?

  - by Tom

  I've been looking into some of the WYSIWYG editors (TinyMCE, FCKEditor, etc.) and they all seem to offer a lot of options. However, one vital feature that seems to lack is a simple "add custom html" option which would allow the user to input any of these embed-snippets you find all around the web these days, for example a youtube video. This is different than a "edit html/source" feature as that requires actual knowledge of html and there is the risk of the user writing invalid code. Another issue that I couldn't find much about is the output html. How would I make sure that this output causes no security invulnerabilities? Even when the user has the ability to add his own html? So, basically, is there an open source WYSIWYG editor which covers these 2 features?

  Read the article

• Sending passwords over the web

  - by Falmarri

  So I'm working on a mobile platform application that I'd like to have users authenticate over the web. I was wondering the best way to do security. The user is sending a password for HTTP to a php server wich authenticates against a mysql database on the same server. Obviously I don't want to send the password in plain text over the internet, but I also don't want to do 2 SHA hashes. This is what the server looks like (in pseudocode) $pass = $_POST['pass']; if ((get PASSWORD where USERNAME = USERNAME) == SHA($pass)) return PASS; This is pretty standard and I don't think there's any other way to do this. But I was wondering how I should prepare the data before sending it over the internet.

  Read the article

• I'm trying to implement 2 factor authentication on the cheap. How would I do that?

  - by Biff MaGriff

  Ok so I need 2 of the 3. Something the user knows. Something the user has. Something the user is. I have a system that is exposed to the internet and we need clients to connect in a secure manner to satisfy our security standards. I'm thinking when a user registers to use our system we send them an application that they install on their home system. The application generates a key based on a timed randomness algorithm. Our application server has the same algorithm so when the user submits their credentials with the key we know that they are a legitimate user. Is this a valid method of 2 factor authentication? What is another way of doing this? Are there any pitfalls that I should be aware of? Thanks for your help!

  Read the article

• MD5 password twice

  - by NoviceCoding

  I know MD5's safety is under question lately and this is the reason a lot of people are using salt (I dont understand this at all btw) but I was wondering if you wanted to easily implement a safe system in php can you just md5 something twice? like test 098f6bcd4621d373cade4e832627b4f6 fb469d7ef430b0baf0cab6c436e70375 So basically: $val = 'test'; $val = md5($val); $val = md5($val); Would that solve the whole rainbow security stuff? Is there an easy/noob proof way of making secure database passwords in php?

  Read the article

• Web Application - Authentication / Login Framework

  - by user456563

  This is a very simple, probably a most asked question and frequently developed as part of any web application. Say I'm planning to build a web application and some of the functional requirements include (apart from the usual hard hitting security reqs), - Need to have users sign up for a new account profile - Authenticate user using the native app authentication / Facebook or Google or Yahoo or OpenId login - Allow lost password retrieval - Session handling needs Is there an out of the box frameworks (Drupal, Liferay??) that I can use to wrap my application which can be a bunch of JSP's or HTML's with JS? I know I'm asking a very simple and maybe a naive question. But this is a topic every web developer guru will go thru. Any help, advise and pointers much appreciated.

  Read the article

• java.lang.ClassNotFoundException error using enum as a key in Map

  - by LCYSoft

  <util:map id="myMap" key-type="com.myClass.Foo.myEnum" value-type="com.myClass.Foo"> <entry> <key> <value type="com.myClass.Foo.myEnum">ONE</value> </key> <ref bean="myObj"/> </entry> </util:map> package com.myClass public class Foo { public enum myEnum {ONE, TWO;} } I am trying to create a map from Spriong 2.5. Map<myEnum, Foo> myMap; I am getting nested exception is java.lang.ClassNotFoundException:com.myClass.Foo.myEnum I definitely have com.myClass.Foo.myEnumin com.myClass.Foo I don't know why I am getting java.lang.ClassNotFoundException Thanks in advance

  Read the article

• hibernate - uniqueResult silently fails

  - by robinmag

  I have a login controller that use the hibernate uniqueResult method. Everything works fine when i test it in eclipse's tomcat server. But when i deploy my webapps to tomcat server (on the same machine) it fails: it always returns null even i use the correct credential. Here is my hibernate code: session.createCriteria(User.class) .add(Restrictions.eq(User.USERNAME_FIELD, userName)) .add(Restrictions.eq(User.PASSWORD_FIELD, password)).uniqueResult(); Thank you!

  Read the article

• Generate doc from @RequestMapping

  - by Kristian

  Does anyone know of any tool (like javadoc) to generate documentation from my @RequestMapping? I.e. to get a list of URLs with parameters and response data. It would be great if it would come as a maven plugin.

  Read the article

• Sql server execute permission; failure to apply permissions

  - by WestDiscGolf

  I've just migrated from SQL2000 to SQL2008 and I have started getting an execute permission issue on a stored proc which uses sp_OACreate. The rest of the system works fine with the db login which has been setup and added to the database. I've tried: USE master GO GRANT EXEC ON sp_OACreate TO [dbuser] GO But this fails with the following error: Msg 15151, Level 16, State 1, Line 1 Cannot find the user 'dbuser', because it does not exist or you do not have permission. I'm logged into the server as sa with full permissions. I can execute a similar sql statement and apply the permissions to a server role, however not a login/user. How do I apply the changes to the specific user/login? I can apply the permissions to the public role and it resolves my issue; however this seems to be a security issue to me which I don't really want to apply to the live server.

  Read the article

• How can I qualify an autowired property with a variable from a config file using annotations?

  - by jiggy

  My specific problem is that I have configured two beans that implement the same interface and I have a third bean that has a property of that interface's type. I inject the property using a config property. So, assuming RemoteDataSource and LocalDataSource implement IDataSource and dao1 has a property of type IDataSource, my XML config might look like this: <bean id="datasource1" class="com.foo.RemoteDataSource"> <property name="url">${url}</property> </bean> <bean id="datasource2" class="com.foo.LocalDataSource"> <property name="path">${filepath}</property> </bean> <bean id="dao1" class="com.foo.MyDAO"> <property name="dataSource">${datasource}</property> </bean> With url, filepath and datasource being defined in an included properties file. We are now making a push for annotation-driven configuration and I'm not sure how to annotate my dao to put the data source configured in the property file. I want to do something like this, but it is evidently not allowed: @Autowired @Qualifier("${datasource}") public void setDataSource(IDataSource datasource) {...}

  Read the article

• Authenticate User manually

  - by Sergey

  I am trying to authenticate the user after I got credentials using oAuth (with Twitter if that makes a difference). As far as I could understand it, I can directly put the Authentication object into SecurityContextHolder. Here is how I do it: Authentication auth = new TwitterOAuthAuthentication(member, userDetailsService.loadUserByUsername(member.getUsername()).getAuthorities()); SecurityContextHolder.getContext().setAuthentication(auth); This for some reason does absolutely nothing. What am I missing and what should I do to accomplish what need?

  Read the article

• Black Magic in Grails Data Binding!?

  - by Tiago Alves

  As described in http://n4.nabble.com/Grails-Data-Binding-for-One-To-Many-Relationships-with-REST-tp1754571p1754571.html i'm trying to automatically bind my REST data. I understand now that for one-to-many associations the map that is required for the data binding must have a list of ids of the many side such as: [propName: propValue, manyAssoc: [1, 2]] However, I'm getting this exception Executing action [save] of controller [com.example.DomainName] caused exception: org.springframework.orm.hibernate3.HibernateSystemException: IllegalArgumentException occurred calling getter of com.example.DomainName.id; nested exception is org.hibernate.PropertyAccessException: IllegalArgumentException occurred calling getter of com.example.DomainName.id However, even weirder is the update action that is generated for the controller. There we have the databinding like this: domainObjectInstance.properties = params['domainObject'] But, and this is the really weird thing, params['domainObject'] is null! It is null because all the domainObject fields are passed directly in the params map itself. If I change the above line to domainObjectInstance.properties = null the domainObject is still updated! Why is this happening and more important, how can I bind my incoming XML automatically if it comes in this format (the problem is the one-to-many associations): <product> <name>Table</name> <brand id="1" /> <categories> <category id="1" /> <category id="2" /> </categories> </product>

  Read the article

• Established javascript solution for secure registration & authentication without SSL

  - by Tomas

  Is there any solution for secure user registration and authentication without SSL? With "secure" I mean safe from passive eavesdropping, not from man-in-the-middle (I'm aware that only SSL with signed certificate will reach this degree of security). The registration (password setup, i.e. exchanging of pre-shared keys) must be also secured without SSL (this will be the hardest part I guess). I prefer established and well tested solution. If possible, I don't want to reinvent the wheel and make up my own cryptographic protocols. Thanks in advance.

  Read the article

• How do I reload a Roo project without clearing the database?

  - by Omniwombat

  I've been learning how to build projects using Roo and am making good progress. I have the nucleus of a project which correctly displays my defined entities and allows me to create, edit, and delete the representative objects. I am using mysql at the database and I see that objects entered using the UI correctly appear in the mysql database. Per the Roo instructions, I am starting the webapp using "mvn tomcat:run". Unfortunately, I've discovered that whenever I restart Tomcat using Maven, it clears all of the existing objects out of the database. I'm left with empty tables. It seems to do this as the final step just prior to Tomcat stating that the server has started. I know this is just me being a n00b, but searches haven't been very helpful, none of the project's XML files seem relevant,

  Read the article

< Previous Page | 196 197 198 199 200 201 202 203 204 205 206 207  | Next Page >