Search Results

Search found 97980 results on 3920 pages for 'code security'.

  • PAC with kerberoes

    - by Varun
    I am currently working on Kerberos, and for now have this doubt on the PAC in the MS-KILE Kerberos extension. Is the PAC included in the PACTYPE structure within the authorization data meant for the client to decrypt and decode? It seems (if my understanding is correct) that the PAC is encrypted with the target server's encryption key, which is known only to the KDC and the target server, and therefore the client just needs to forward it to the server when requesting a service, and isn't supposed to decrypt it and extract details about its credentials. Is there a way to try to decrypt this on the fly? (Is there sufficient information available in the AS-REP for me to extract and decrypt this?)

  • How do I secure password parameters in RESTful web service URIs?

    - by adam
    I'm a newbie to server-side programming, so please forgive me if this gets messy. I've been contracted to create a web service to allow authenticated users to access a database. Users have to enter a login and password. I've been reading and reading about REST vs SOAP, and I thought I'd settled on a RESTful design when I came across this statement: "Data that needs to be secure should not be sent as parameters in URIs." This seems like a major demerit against a RESTful approach. I'm aware that with HTTPS the password would be encrypted to prevent man-in-the-middle interception, but that leaves the server logs and client history as possible exposure points. Is there a RESTful solution out there for this problem, or do I need to go SOAPy? Any advice appreciated.

  • Why is the code adding 7 if the number is not >= 0

    - by Hugo Dozois
    I've got this program in MIPS assembly which comes from C code that does the simple average of the eight arguments of the function.

      average8:
        addu $4,$4,$5
        addu $4,$4,$6
        addu $4,$4,$7
        lw   $2,16($sp)
        #nop
        addu $4,$4,$2
        lw   $2,20($sp)
        #nop
        addu $4,$4,$2
        lw   $2,24($sp)
        #nop
        addu $4,$4,$2
        lw   $2,28($sp)
        #nop
        addu $2,$4,$2
        bgez $2,$L2
        addu $2,$2,7
      $L2:
        sra  $2,$2,3
        j    $31

    When the number is positive, we directly divide by 8 (shift by 3 bits), but when the number is negative, we first addu 7 and then do the division. My question is: why do we add 7 to $2 when $2 is not >= 0?

    EDIT: Here is the C code:

      int average8(int x1, int x2, int x3, int x4, int x5, int x6, int x7, int x8)
      {
          return (x1 + x2 + x3 + x4 + x5 + x6 + x7 + x8) / 8;
      }

    Note: the possible loss in the division, since we are using ints instead of floats or doubles, is not important in this case.

  • Authenticate User manually

    - by Sergey
    I am trying to authenticate the user after I got credentials using OAuth (with Twitter, if that makes a difference). As far as I could understand it, I can directly put the Authentication object into SecurityContextHolder. Here is how I do it:

      Authentication auth = new TwitterOAuthAuthentication(member,
          userDetailsService.loadUserByUsername(member.getUsername()).getAuthorities());
      SecurityContextHolder.getContext().setAuthentication(auth);

    This for some reason does absolutely nothing. What am I missing and what should I do to accomplish what I need?

  • How to play music on site preventing direct file download

    - by Hugo Palma
    I'm starting a blog with a hosted WordPress instance and I would like to be able to stream music using a Flash player on some posts. The problem is that every player I find uses a simple param to get the file URL, which makes it very easy for someone to find that URL and just download the file. A server-side solution can be implemented, as I have full access to the server.

  • switch statement with returns -- code correctness

    - by houbysoft
    Hi, let's say I have code in C with approximately this structure:

      switch (something) {
          case 0:
              return "blah";
              break;
          case 1:
          case 4:
              return "foo";
              break;
          case 2:
          case 3:
              return "bar";
              break;
          default:
              return "foobar";
              break;
      }

    Now obviously, the "break"s are not necessary for the code to run correctly, but to me it sort of looks like bad practice if I don't put them there. What do you think? Is it fine to remove them? Or would you keep them for increased "correctness"?

  • HTTPS-Compliant Sharepoint Web Parts

    - by bporter
    We are planning to create a new sub-site within our company's intranet site. The intranet is built on SharePoint 2007. My question is this: Suppose I want to add a 3rd-party weather web part to the home page of my new intranet site. Since the new site uses HTTPS, do I need to make sure to find an HTTPS-compliant web part? If I use a standard web part, will users get a "This page contains both secure and non-secure items" error message when they load the page? Thanks in advance!

  • user access management in j2ee web application

    - by kawtousse
    Hi everyone, I am working on a JSP/servlet project and I have to complete the access management module for my JSPs, since I have more than one user with different profiles. I defined a table in my database which records the profile and the permitted URL, like this:

      id_profil : 1
      url       : http://localhost/...xyz.jsp
      id page   : 1

    Now I am trying to have the menu modified appropriately according to the id_profil of the logged-in user. So there are pages allowed in one profile but which must be hidden from others. I have no idea so far how to realize this, and it is so important for me. Thanks for your help.

  • Preventing dictionary attacks on a web application

    - by Kevin Pang
    What's the best way to prevent a dictionary attack? I've thought up several implementations, but they all seem to have some flaw in them:

      1. Lock out a user after X failed login attempts.
         Problem: easy to turn into a denial of service attack, locking out many users in a short amount of time.
      2. Incrementally increase response time per failed login attempt on a username.
         Problem: dictionary attacks might use the same password but different usernames.
      3. Incrementally increase response time per failed login attempt from an IP address.
         Problem: easy to get around by spoofing IP address.
      4. Incrementally increase response time per failed login attempt within a session.
         Problem: easy to get around by creating a dictionary attack that fires up a new session on each attempt.

  • Detecting use after free() on windows. (dangling pointers)

    - by The Rook
    I'm trying to detect "use after free()" bugs, otherwise known as "dangling pointers". I know Valgrind can be used to detect "use after free" bugs on the *nix platform, but what about Windows? What if I don't have the source? Is there a better program than Valgrind for detecting all dangling pointers in a program? A free and open source one would be preferred, but I'll use a commercial solution if it will get the job done.

  • Do you use logical negation operator (!) in "if" statement or check on "== false"

    - by Taras Terebkov
    Hello everyone, I just want to conduct a little survey about the code style developers prefer. For me there are two ways to write "if" in languages such as Java, C#, C++, etc.

    (1) Logical negation operator

      public void foo() {
          if (!SessionManager.getInstance().hasActiveSession()) {
              . . . . .
          }
      }

    (2) Check on "false"

      public void foo() {
          if (SessionManager.getInstance().hasActiveSession() == false) {
              . . . . .
          }
      }

    I have always believed that the first way is much worse than the second one. Because usually you don't "read" the code, but "recognize" it in one brief look. And the exclamation symbol slips from your mind, just disturbing you somewhere at the bottom of your unconscious. And only while reading the "if" block below do you understand that the logic is the opposite: no sessions in "if". On the other hand, in the second way of writing, the eye immediately catches the words "SessionManager", "hasActiveSession" and "false". Also for me, the situation with "true" is different. In code like

      class SessionManager {
          private bool hasSession;

          public void foo() {
              if (hasSession == true) {
                  . . . . .
              } else {
                  . . . . .
              }
          }
      }

    I find "true" superfluous. Why do we repeat the sentence two times? The following is shorter and quicker to catch.

      class SessionManager {
          private bool hasSession;

          public void foo() {
              if (hasSession) {
                  . . . . .
              } else {
                  . . . . .
              }
          }
      }

    What do YOU think, guys?

  • Non-object when adding code into html

    - by Luke
    Hello. I am getting the following error:

      Fatal error: Call to a member function error() on a non-object in /home/gamepla3/public_html/football/result.php on line 177

    The line for this is

      <?php echo $form->error("homescore"); ?>

    I'm failing to see how this could be the case. The thing worked fine before I added working code into my HTML document so it looked better. Now I can't get it working??

    EDIT: When the code is not within HTML, it works fine. Once I have it within the HTML, it throws back an error? Has anyone seen anything like this before?

  • How to change code settings in eclipse

    - by Maven
    Sorry if the question title is confusing. Let me explain further. I am building a Java project with Eclipse. In my Java product I have conditionals that determine what code is included in the product and rely on static final constants for dead stripping.

      class BuildFlags {
          public static final boolean SOME_FLAG = true; // Need to set this programmatically
      }

      class SomeOtherClass {
          public void someMethod() {
              if (BuildFlags.SOME_FLAG) {
                  // flag specific code
              }
          }
      }

    My question is how I can change BuildFlags.SOME_FLAG (above) so that I can run a special build without changing the source. Is there some way I can pass flags to the JVM (from Eclipse) which I can then access to set this flag programmatically?

  • How to hash and salt passwords

    - by Henrik Skogmo
    I realize that this topic has been brought up sometimes, but I find myself not entirely sure on the topic just yet. What I am wondering about is how you salt a hash and work with the salted hash. If the password is encrypted with a randomly generated salt, how can we verify it when the user tries to authenticate? Do we need to store the generated hash in our database as well? Is there any specific way the salt preferably should be generated? Which encryption method is favored to be used? From what I hear SHA-256 is quite alright. And lastly, would it be an idea to have the hash "re-salted" when the user authenticates? Thank you!

  • Question about SSL certificates

    - by smwikipedia
    Hi experts, I am trying to make an SSL connection to a web site. Each time I enter the https:// address and press enter, IE8 prompts me to select the certificate (client certificate) to send to the server. I have 2 certificates to choose from, and they are stored in IE8 - Internet Options - Content - Certificates - Personal. Since my server and client are the same machine, I want to use a single certificate for both server and client, and this certificate is an IIS-generated self-signed certificate. I do the following steps:

      1. Generate a self-signed cert in IIS;
      2. Bind my site to https and choose the above self-signed cert;
      3. Import the self-signed cert at IE8 - Internet Options - Content - Certificates - Personal.

    Then when I use the https link to access my page, it still prompts me to choose a certificate. But I cannot see my newly imported self-signed cert. Why?

  • Access denied for user 'root@localhost' (using password:NO)

    - by Nasser Hajloo
    I'm new to MySQL. I'm trying to run WordPress on my Windows desktop and it needs MySQL. I installed everything with the Web Platform Installer provided by Microsoft. I never set a root password for MySQL, and in the final step of installing WordPress it asks for the root password of MySQL. What is the default password for root (if there is one) and how do I change it? I try

      mysql -u root password '123'

    but it shows me

      Access denied for user 'root@localhost' (using password:NO)

    After this I try

      mysql -u root -p

    but it asks for a password which I don't have. Thank you in advance.

  • Execute Python code inside browser without Jython

    - by proportional
    Is there a way to execute Python code in a browser, other than using Jython and an applet? The execution does not have to deal with anything related to graphics. For example, just sum all the digits of a binary 1Gb file (chosen by the browser user) and then return the result to the server. I am aware that Python can be executed remotely outside a browser, but my requirement is for it to be done inside a browser. For sure, I take for granted that the user will keep the right to execute or not, and will be asked to do so, and all this security stuff... but that is not my question.

  • arbitrary input from stdin to shell

    - by python_noob
    So I have this existing command that accepts a single argument, but I need something that accepts the argument over stdin instead. A shell script wrapper like the following works, but as I will be allowing untrusted users to pass arbitrary strings on stdin, I'm wondering if there's potential for someone to execute arbitrary commands on the shell.

      #!/bin/sh
      $CMD "`cat`"

    Obviously if $CMD has a vulnerability in the way it processes the argument there's nothing I can do, so I'm concerned about stuff like this:

      - Somehow allow the user to escape the double quotes and pass input into argument #2 of $CMD
      - Somehow cause another arbitrary command to run

  • How do I validate the openid.op_endpoint when a request is completed?

    - by Sam Saffron
    I have an OpenID based authentication system on my site. Occasionally users will have an account registered under [email protected] and they will attempt to log in using the Google OpenID provider https://www.google.com/accounts/o8/id; in this case I would like to automatically associate the account and log them in. When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id. My question: Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious OpenID provider? For illustration, let's say someone types in http://evil.org as their OpenID provider; can I somehow end up getting a request back that claims openid.op_endpoint is Google? Do I need to store extra information against the nonce to validate? The spec is kind of tricky to understand.
