Search Results

Search found 25503 results on 1021 pages for 'browser security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 275/1021 | < Previous Page | 271 272 273 274 275 276 277 278 279 280 281 282  | Next Page >

  • j_security_check to SSO in different module under Oracle App Server?

    - by thebearinboulder
    I have an existing j2ee application running on Oracle App Server. It is targeted towards paying customers so the content is secured and a SSO module properly intercepts all requests for secured content. Now the company is adding a unbranded public-facing module with a number of unsecured pages. At one point the user is expected to register for a free account and log in to proceed further. Think doctors adding a public-facing site with information for potential patients, or lawyers adding a public-facing site with information for potential clients. There's some information on the session and the usual approach would be to authenticate the user, persist the session information using the now-known user id, invalidate the existing session (to prevent certain types of attacks), the reload the session information before returning to the user. I can't just persist it under the session id since that's about to change. The glitch is that the existing application already has an SSO module and I get a 404 error every time I try to direct to j_security_check. I've tried that, /sso/j_security_check, even http://localhost/sso/j_security_check, all without success. I noticed that an earlier question said that tomcat requires access to a secured page before j_security_check is even visible. I don't know if that's the case with Oracle AS. Ideas? Or is the best approach to continue arguing that we have a different user base so it would be better to handle authentication in our own module anyway?

    Read the article

  • External user domain in grails

    - by archer
    We're currently using Acegi 0.5.2 plugin for Grails 1.2.1. However, we're going to move our user management to external CRM. What would be the best way to link existing Person domain with external CRM entity?

    Read the article

  • include() Why should I not use it?

    - by aliov
    I am working through an older php mysql book written in 2003. The author uses the include() function to construct html pages by including header.inc, footer.inc, main.inc files, etc. Now I find out that this is not allowed in the default ini settings, (allow_url_include is set to Off) after I got many warnings from the server. I noticed also that you can use include without the parenthesis. I tried this and it works and I get no error messages or warnings. Are the two different? That is, is include() different from include ?

    Read the article

  • Can the user take the resource from the iPhone Apps?

    - by Tattat
    I know that the Apple Mac OS .app file is a collection of programs and data. I guest the iPhone is similar in this way. I can unzip a Mac OS .app to find the resource , images using this way. Can the iPhone App do the similar thing? I mean, can the user unzip the iPhone .app to get the resource/ img from that? thz.

    Read the article

  • How secure is .htaccess protected pages

    - by Steven smethurst
    Are there any known flaws with htaccess protected pages? I know they are acceptable to brute force attacks as there is no limit to the amount of times someone can attempt to login. And a user can uploaded and execute a file on the server all bets are off... Anything other .htaccess flaws?

    Read the article

  • How to ensure the HTTP_REQUEST Is coming from the right place?

    - by seatoskyhk
    I learn that HTTP_REFERER or any HTTP request header can be fake and not reliable. REMOTE_ADDR is reliable though. so, how can I ensure the incoming HTTP_REQUEST call is coming from a website that I white-list? For example, I have a js code that will send from client site to server. (something like a sniper, cross platform). however, I only allow this happen from several websites. Not others. so, even other people copy the code and put onto their website, it won't work.

    Read the article

  • EJB3.1 logout doesn't work

    - by Kevin
    Hello, I've got a problem with the authentication features of EJB3.1: With this code in a Servlet v3: log.info(""+request.getUserPrincipal()); log.info(""+request.getAuthType()); log.info("===^==="); request.logout() ; log.info(""+request.getUserPrincipal()); log.info(""+request.getAuthType()); request.authenticate(response) ; log.info("===v==="); log.info(""+request.getUserPrincipal()); log.info(""+request.getAuthType()); I would always expect to see the Username/login windows, because of the logout() function. Instead, it seems to be a 'cache' mechanism which repopulate the credential and cancel my logout ... Admin BASIC ===^=== null null ===v=== Admin BASIC is it a problem with my firefox, or something I'm missing in the Servlet code? Thanks

    Read the article

  • Is it possible to authenticate on another website?

    - by Blankman
    If I am on a website#1, and I enter my username/pwd for website#2 on a login page that is on website#1, and website#1, behind the scenes, makes a httpwebrequest to website#2 and posts to the login page. If I then navigate to website#2, should I be logged in? website#2 uses formsauthentication and I call a httpHandler that is on website#2 and pass it the username/password via the querystring. Should this work?

    Read the article

  • iPhone AES encryption issue

    - by Dilshan
    Hi, I use following code to encrypt using AES. - (NSData*)AES256EncryptWithKey:(NSString*)key theMsg:(NSData *)myMessage { // 'key' should be 32 bytes for AES256, will be null-padded otherwise char keyPtr[kCCKeySizeAES256 + 1]; // room for terminator (unused) bzero(keyPtr, sizeof(keyPtr)); // fill with zeroes (for padding) // fetch key data [key getCString:keyPtr maxLength:sizeof(keyPtr) encoding:NSUTF8StringEncoding]; NSUInteger dataLength = [myMessage length]; //See the doc: For block ciphers, the output size will always be less than or //equal to the input size plus the size of one block. //That's why we need to add the size of one block here size_t bufferSize = dataLength + kCCBlockSizeAES128; void* buffer = malloc(bufferSize); size_t numBytesEncrypted = 0; CCCryptorStatus cryptStatus = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding, keyPtr, kCCKeySizeAES256, NULL /* initialization vector (optional) */, [myMessage bytes], dataLength, /* input */ buffer, bufferSize, /* output */ &numBytesEncrypted); if (cryptStatus == kCCSuccess) { //the returned NSData takes ownership of the buffer and will free it on deallocation return [NSData dataWithBytesNoCopy:buffer length:numBytesEncrypted]; } free(buffer); //free the buffer; return nil; } However the following code chunk returns null if I tried to print the encryptmessage variable. Same thing applies to decryption as well. What am I doing wrong here? NSData *encrData = [self AES256EncryptWithKey:theKey theMsg:myMessage]; NSString *encryptmessage = [[NSString alloc] initWithData:encrData encoding:NSUTF8StringEncoding]; Thank you

    Read the article

  • What's the easiest and safest way to record data being inputted by a user on a web site

    - by fred august
    Apologies, this is a tragically simple question that will bore most of you. I need to implement the simplest "leave your email and we'll contact you" web page. The simplest thing I could think of is doing an HTML form which calls a PHP script which appends the data in some file on the server. Easy to implement, but now I'm wondering if it's totally hackable. Is it? Are there obvious better ways that are still simple? thanks f

    Read the article

  • MSV1_0 Subauthentication Package Registration

    - by BigShot
    Hi; I'm trying to register a simple MSV1_0 subauthentication package for MS Windows Server 2003. I created a dll which implements required functions described in MSDN. I copied my dll to system32 folder. After that, I created a registry key Auth255 (I also tried Auth128) with a REG_SZ value ,which specifies my dll name, to this location; HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0. I expect that it will create a test.txt file for debugging puposes when the dll is called, but it doesn't create the file. How can I make this work? MSDN Link for this topic; http://msdn.microsoft.com/en-us/library/aa374786%28VS.85%29.aspx

    Read the article

  • Possible to view PHP code of a website?

    - by Camran
    Is it possible to somehow view another websites php files/codes? Or to rephrase the question, Can my php codes be viewed by anybody except for those who have access to the file? If so, how cant I best prevent this? Thanks Ps: Server OS is Ubuntu 9.10 and PHP version is 5+ (Apache2)

    Read the article

  • How should my main web application (A) securely retrieve data from my content storage web applicatio

    - by fonacule
    I have two web applications (A) and (B). (A) is my primary web application. (B) is purely for content storage, such as file uploads by users of (A). What's best way to securely retrieve data from (B) into (A) but in a way that does not expose the data in (B) to potential discovery by third-parties over the public internet or nosy users of (A)? For example, if I use a HTML form POST from (A) to (B) to retrieve user data, and have a hidden form field called user_id=1, then someone could simply change this to user_id=2 and see the content owned by another user of the application. That would be a problem.

    Read the article

  • how can I reliably check that requests to my service file have come from my website?

    - by woot586
    I have a service.php class that I use to service AJAX calls from my website. To prevent other people accessing the service using PHP CURL I would normally check the request has come from mysite, and if they are not then just redirect to my home page e.g. if($_SERVER['HTTP_REFERER'] != "http://www.mysite.com"){ header('location: http://www.mysite.com'); exit; } I read in the PHP holy bible: http://www.php.net/manual/en/reserved.variables.server.php that "Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted." So if this method is not reliable, my question is how can I reliably check that requests to my service file have come from my website? Thanks for any help you can provide!

    Read the article

  • Securing paths in PHP

    - by tjm
    I'm writing some PHP which takes some paths to different content directories, and uses these to include various parts of pages later. I'm trying to ensure that the paths are as they seem, and none of them break the rules of the application. I have PRIVATEDIR which must lie above DOCUMENT_ROOT (aka) PUBLICDIR. CONTENTDIR which must lie within PRIVATEDIR and not go back below PUBLICDIR and some other *DIR's which must remain within CONTENTDIR. Currently I set up some defaults, and then override the ones the user specifies and then sanity check them with the following. private function __construct($options) { error_reporting(0); if(is_array($options)) { $this->opts = array_merge($this->opts, $options); } if($this->opts['STATUS']==='debug') { error_reporting(E_ALL | E_NOTICE | E_STRICT); } $this->opts['PUBLICDIR'] = realpath($_SERVER['DOCUMENT_ROOT']) .DIRECTORY_SEPARATOR; $this->opts['PRIVATEDIR'] = realpath($this->opts['PUBLICDIR'] .$this->opts['PRIVATEDIR']) .DIRECTORY_SEPARATOR; $this->opts['CONTENTDIR'] = realpath($this->opts['PRIVATEDIR'] .$this->opts['CONTENTDIR']) .DIRECTORY_SEPARATOR; $this->opts['CACHEDIR'] = realpath($this->opts['PRIVATEDIR'] .$this->opts['CACHEDIR']) .DIRECTORY_SEPARATOR; $this->opts['ERRORDIR'] = realpath($this->opts['CONTENTDIR'] .$this->opts['ERRORDIR']) .DIRECTORY_SEPARATOR; $this->opts['TEMPLATEDIR' = realpath($this->opts['CONTENTDIR'] .$this->opts['TEMPLATEDIR']) .DIRECTORY_SEPARATOR; // then here I have to check that PRIVATEDIR is above PUBLICDIR // and that all the rest remain within private dir and don't drop // down into (or below) PUBLICDIR again. And die with an error if // they don't conform. } The thing is this seems like a lot of work to do, especially as it must be run, every time a page is accessed, before I can do anything else, e.g check for a cached version of the page I'm serving. Part of me is thinking, since all of these paths are predefined by the maintainer of the site, they SHOULD be aware of what paths they are allowing access to and ensuring they are secure. But, I think I'm thinking that because currently I am said maintainer, and I KNOW my paths conform to the rules. That said, I do want to secure this thing from any accidental errors by future maintainers (and I bet, now I've said above "I KNOW...", probably from myself somewhere down the line). This just feels like a suboptimal solution. I wonder how fast this would really be and what you would suggest to improve it or as an alternative? Thanks.

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 271 272 273 274 275 276 277 278 279 280 281 282  | Next Page >