Search Results

Search found 15415 results on 617 pages for 'security groups'.

Page 484/617 | < Previous Page | 480 481 482 483 484 485 486 487 488 489 490 491 | Next Page >

Concepts a web application developer should know?

- by iama

I think it is imperative for web application developers to know the answers surrounding the following general questions on web development irrespective of the programming language/framework used. What authentication mechanisms HTTP offer & what are their pros and cons? Why should one go for FORMS authentication? How to secure authentication or for that matter any transactions via HTTP? How to maintain state in HTTP? What are the downsides to maintaining state via cookie & what happens when browsers disable them? Security issues like cross site scripting, session hijacking etc. What other questions a web developer should have answers for similar to the ones above that are programming language/web framework agnostic?

Read the article
Sessionstate not being saved between pages

- by Grant

Hi, i am having problems with an asp.net c# site whereby i am setting a session state object to true and then redirecting to another page that needs to check the value of the session state object and it is null. Sometimes it is set correctly and other times is is simply null. When i debug on my local machine it works perfectly every time. Only when i upload to my web server does this temperamental behaviour happen. As it is based around the security of the site it is obviously important that the session data be valid and accurate every time. Is session state data unreliable? AFAIK its set to inproc, cookieless, 30 min timeout, vanilla installation of IIS. Does anyone have any suggestions? Perhaps i need to thread.sleep inbetween the storing of the session data and the reading? NB: the time between the write and the read is about 70ms.. ample time for the data to be written to RAM.....

Read the article
How to generate a cryptographically secure Double between 0 and 1?

- by Portman

I know how to generate a random number between 0 and 1 using the NextDouble method of the pseudo-random number generator. var rng1 = new System.Random(); var random1 = rng1.NextDouble(); // generates a random double between 0 and 1.0 And I know how to fill a random byte array using the cryptographically secure random number generator. Byte[] bytes = new Byte[8]; var rng2 = new System.Security.Cryptography.RNGCryptoServiceProvider(); rng2.GetBytes(bytes); // generates 8 random bytes But how can I convert the byte-array output of RNGCryptoServiceProvider into a random number between 0 (inclusive) and 1 (exclusive)?

Read the article
For Loop help In a Hash Cracker Homework.

- by aaron burns

On the homework I am working on we are making a hash cracker. I am implementing it so as to have my cracker. java call worker.java. Worker.java implements Runnable. Worker is to take the start and end of a list of char, the hash it is to crack, and the max length of the password that made the hash. I know I want to do a loop in run() BUT I cannot think of how I would do it so it would go to the given max pasword length. I have posted the code I have so far. Any directions or areas I should look into.... I thought there was a way to do this with a certain way to write the loop but I don't know or can't find the correct syntax. Oh.. also. In main I divide up so x amount of threads can be chosen and I know that as of write now it only works for an even number of the 40 possible char given. package HashCracker; import java.util.*; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; public class Cracker { // Array of chars used to produce strings public static final char[] CHARS = "abcdefghijklmnopqrstuvwxyz0123456789.,-!".toCharArray(); public static final int numOfChar=40; /* Given a byte[] array, produces a hex String, such as "234a6f". with 2 chars for each byte in the array. (provided code) */ public static String hexToString(byte[] bytes) { StringBuffer buff = new StringBuffer(); for (int i=0; i<bytes.length; i++) { int val = bytes[i]; val = val & 0xff; // remove higher bits, sign if (val<16) buff.append('0'); // leading 0 buff.append(Integer.toString(val, 16)); } return buff.toString(); } /* Given a string of hex byte values such as "24a26f", creates a byte[] array of those values, one byte value -128..127 for each 2 chars. (provided code) */ public static byte[] hexToArray(String hex) { byte[] result = new byte[hex.length()/2]; for (int i=0; i<hex.length(); i+=2) { result[i/2] = (byte) Integer.parseInt(hex.substring(i, i+2), 16); } return result; } public static void main(String args[]) throws NoSuchAlgorithmException { if(args.length==1)//Hash Maker { //create a byte array , meassage digestand put password into it //and get out a hash value printed to the screen using provided methods. byte[] myByteArray=args[0].getBytes(); MessageDigest hasher=MessageDigest.getInstance("SHA-1"); hasher.update(myByteArray); byte[] digestedByte=hasher.digest(); String hashValue=Cracker.hexToString(digestedByte); System.out.println(hashValue); } else//Hash Cracker { ArrayList<Thread> myRunnables=new ArrayList<Thread>(); int numOfThreads = Integer.parseInt(args[2]); int charPerThread=Cracker.numOfChar/numOfThreads; int start=0; int end=charPerThread-1; for(int i=0; i<numOfThreads; i++) { //creates, stores and starts threads. Runnable tempWorker=new Worker(start, end, args[1], Integer.parseInt(args[1])); Thread temp=new Thread(tempWorker); myRunnables.add(temp); temp.start(); start=end+1; end=end+charPerThread; } } } import java.util.*; public class Worker implements Runnable{ private int charStart; private int charEnd; private String Hash2Crack; private int maxLength; public Worker(int start, int end, String hashValue, int maxPWlength) { charStart=start; charEnd=end; Hash2Crack=hashValue; maxLength=maxPWlength; } public void run() { byte[] myHash2Crack_=Cracker.hexToArray(Hash2Crack); for(int i=charStart; i<charEnd+1; i++) { Cracker.numOfChar[i]////// this is where I am stuck. } } }

Read the article
Automatic e-mail processing

- by Jon Harrop

I'd like to write a .NET application in F# to automate some of the processing of my e-mails. For example, when an order comes in my program might compute a new htpasswd from the e-mail's contents, upload it to our web server and reply to the customer with login details. How do people do this? I've tried Outlook 2007 automation but it just prompts the user for security and my attempts to get it to stop doing this have failed so I cannot automate anything with it. Is there a .NET-friendly e-mail client I can use more easily? This has been so tedious that I'm seriously considering writing my own .NET-friendly e-mail client...

Read the article
application authentication design ideas

- by Berryl

Hello I am working with on an app that uses wpf / silverlight on the front end and nhibernate on the back end, and looking for some design ideas to address authentication; I was looking at Rhino Security which I think is pretty slick and certainly useful, but doesn't in and of itself seem to address authentication. That said, I am looking for something of a technology agnostic overview of authentication design issues at this point. Does anyone have any links and / or experiences with an authentication design that is relatively easy to adapt to different common technologies. Cheers, Berryl

Read the article
New Exchange 2010 CAS cannot find domain controllers

- by NorbyTheGeek

I am experiencing problems migrating from Exchange 2003 to Exchange 2010. I am on the first step: installing a new 2010 Client Access Server role. The Active Directory domain functional level is 2003. All domain controllers are 2003 R2. The only existing Exchange 2003 server happens to be housed on one of the domain controllers. It is running Exchange 2003 Standard w/ SP2. IPv6 is enabled and working on all domain controllers, servers, and routers, including this new Exchange server. After installing the CAS role on a new 2008 R2 server (Hyper-V VM) I am receiving 2114 Events: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1600). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers. Prior to each, I receive the following 2080 Event: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1600). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: b.company.intranet CDG 1 0 0 1 0 0 0 0 0 s.company.intranet CDG 1 0 0 1 0 0 0 0 0 Out-of-site: a.company.intranet CD- 1 0 0 0 0 0 0 0 0 o.company.intranet CD- 1 0 0 0 0 0 0 0 0 g.company.intranet CD- 1 0 0 0 0 0 0 0 0 Connectivity between the new Exchange server and all domain controllers via IPv4 and IPv6 are all working. I have verified that the new Exchange server is a member of the following groups: Exchange Servers Exchange Domain Servers Exchange Install Domain Servers Exchange Trusted Subsystem Heck, I even put the new Exchange server into Domain Admins just to see if it would help. It didn't. I can't find any evidence of Active Directory replication problems, all pre-setup Setup tasks (/PrepareLegacyExchangePermissions, /PrepareSchema, /PrepareAD, /PrepareDomain) completed successfully. The only problem so far that I haven't been able to resolve with my Active Directory is I am unable to get my IPv6 subnets into Sites and Services Where should I proceed from here?

Read the article
samba windows gvim & "READ ERRORS"

- by l.thee.a

I have a samba server on my embedded box. I was planning to use it to edit files easily. However when I open files on my windows machine, I get read errors. I have tried textpad, gvim and kate(andLinux). On gvim I first get "write error in swap file" and it is replaced by "[READ ERRORS]". If I access the same file through pyNeighborhood (ubuntu) I can read/write/delete etc. Samba security is set to share and guest user is root. Also if I move the file to my ubuntu samba server, I get no problems. Any ideas? PS: I am using smbd 3.0.25b.

Read the article
Passing value in silverlight

- by Dilse Naaz

How can pass a value from one page to another page in silverlight. I have one silver light application which contains two pages, one xaml.cs file and one asmx.cs file. I have one text box in xaml page names Text1. My requirement is that at the time of running, i could pass the textbox value to asmx.cs file. How it will be done? my code in asmx.cs file is public string DataInsert(string emp) { SqlConnection conn = new SqlConnection("Data Source=Nisam\\OFFICESERVERS;Initial Catalog=Employee;Integrated Security=SSPI"); SqlCommand cmd = new SqlCommand(); conn.Open(); cmd.Connection = conn; cmd.CommandText = "Insert into demo Values (@Name)"; cmd.Parameters.AddWithValue("@Name", xxx); cmd.ExecuteNonQuery(); return "Saved"; } the value xxx in code is replaced by the passed value from xaml.cs page. pls help me

Read the article
asp.net webservice user management across pages

- by nakori

I'm developing a site that will display confidential readonly information, with data fetched from a WCF service. My question: What is the best approach to user management across different information pages. The service returns a collection with customer info after a secure login. My idea is to have a Customer object class that is stored in session. Is it possible to use things like HttpContext.Current.User.Identity.IsAuthenticated followed by HttpContext.Current.Session["UserId"] without using a database with role-based security? Would I be better off with a combination of local database, Linq to SQL or datasets rather than using just class objects for data fetched from service? thanks, nakori

Read the article
Trouble getting Flash socket policy file to work.

- by Alex

Basically I'm using Flash to connect to a Java server. Despite my Java application replying to the , in the Flash debug log it lists (not sure about the order as there are lots): * Security Sandbox Violation * Connection to 192.168.1.86:4049 halted - not permitted from http://127.0.0.1:8888/Current/wander.swf Warning: Timeout on xmlsocket://192.168.1.86:4049 (at 3 seconds) while waiting for socket policy file. This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation. Error: Request for resource at xmlsocket://192.168.1.86:4049 by requestor from http://127.0.0.1:8888/Current/wander.swf is denied due to lack of policy file permissions. What I don't understand is, the server (port 4049) receives the request, outputs the policy file and then closes the connection, surely it shouldn't time out? The policy file I'm using is: <?xml version="1.0"?> <cross-domain-policy><allow-access-from domain="*" to-ports="*" /> </cross-domain-policy>

Read the article
Scheduled task username changed

- by Ernst

Hi, I created a user on our exchange server, but later changed the username. Now, when I create a scheduled task for that user, and change it's settings (run only when logged on), the username is automatically changed back to the old username. What's causing this and how do I make sure the correct, new username is used for the task (otherwise it won't run), security settings are okay. I did already log in with a different user to delete the profile on the computer and tried again with this user to no avail. The OS is windows xp, the exchange server is on windows server 2003. Thanks

Read the article
Why isn't UTF-8 allowed as the "ANSI" code page?

- by dan04

The Windows _setmbcp function allows any valid code page... (except UTF-7 and UTF-8, which are not supported) OK, not supporting UTF-7 makes sense: Characters have non-unique representations and that introduces complexity and security risks. But why not UTF-8? As I understand it, the "ANSI" versions of the Windows API functions convert their arguments to UTF-16, call the equivalent "W" function, and convert any strings in the output to "ANSI". This is what I've been doing manually. So why can't Windows do it for me?

Read the article
Storing script files outside web root

- by memilanuk

I've seen recommendations to store some or all php include files some place other than in the web document root directory (username/public_html in my case) for the specific reason of protecting php files with sensitive information (like database connection and login info) in the event that the web server hiccups and stops protecting php files and they become 'visible' to outsiders who know where to look. It seems somewhat paranoid to me, but I'm guessing people have gotten burned badly on this before so I'm willing to go along. The suggestion usually takes the form of having the include files in something like '../include_files/' so its not directly in the document root and not directly accessible to outsiders through the web server. My question is this: is there a significant difference in security between that way and just putting your 'include_files' directory under the document root and sticking an .htaccess file in there (with the appropriate entries)? Would putting an .htaccess file in '../include_files/' make any significant improvement there? TIA, Monte

Read the article
Apache 13 permission denied in user's home directory

- by Dave

Hi, My friend's website was working fine until he moved the document root from /var/www/xxx to /home/user/xxx Apache give 13 permission denied error messages when we try to access the site via a web browser. The site is configured as a virtual directory. All the Apache configurations were unchanged (except for the directory change). We tried to chmod 777 /home/user/xxx, chown apache /home/user/xxx. But they didn't work. Is there some kind of security feature set on the user's home directories? The server OS is CentOS (Godaddy VPS). Any help is appreciated! Thanks!

Read the article
Check for Existence of a Result in Linq-to-xml

- by NateD

I'm using Linq-to-XML to do a simple "is this user registered" check (no security here, just making a list of registered users for a desktop app). How do I handle the result from a query like this: var people = from person in currentDoc.Descendants("Users") where (string)person.Element("User") == searchBox.Text select person; I understand the most common way to use the result would be something like foreach (var line in people){ //do something here } but what do you do if person comes back empty, which is what would happen if the person isn't registered? I've looked around on this site and on MSDN and haven't found a really clear answer yet. Extra credit: Give a good explanation of what people contains.

Read the article
accessing pdf via https URL

- by Paul

I send out a newsletter email containing URLs to a https website that then redirects to a pdf document. On first invocation of a URL the user is prompted with the typical https browser "security alert" popup, on selecting "Yes" the display of the PDF fails. The HTTP Header on the failed response is: HTTP/1.1 200 OK Server: ECS/HTTP-Server Date: Tue, 16 Mar 2010 15:57:26 GMT Content-type: application/pdf Content-language: en-US Set-cookie: JSESSIONID=0000r111cRz1Vc-PtCJg8Cdu4eR:-1; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-control: no-cache="set-cookie, set-cookie2" Connection: close Subsequent invocations of the URL successfully opens the PDF (at this point we have the session id cookie set by the initial failed request). The HTTP Header on the successful response is: HTTP/1.1 200 OK Server: ECS/HTTP-Server Date: Tue, 16 Mar 2010 16:53:03 GMT Content-type: application/pdf Content-language: en-US Connection: close The email client is Lotus Notes 6.5 which launches an IE6 browser Any ideas?

Read the article
F# Interactive bug?

- by John Reynolds

I've tried the following code in VS2010: open System.Security.Cryptography let rsaTest1 = let ecKey = [|0uy..143uy|] // junk data for testing let ecKeyMod = ecKey.[8..8+128-1] let ecKeyExp = ecKey.[136..136+8-1] let rsa = RSAParameters(Modulus = ecKeyMod, Exponent = ecKeyExp) rsa let rsaTest2 = let ecKey = [|0uy..143uy|] // junk data for testing let rsa = RSAParameters(Modulus = ecKey.[8..8+128-1], Exponent = ecKey.[136..136+8-1]) rsa If I highlight all code and send it to F# Interactive (Alt+Enter), then rsaTest1 works, but rsaTest2 gives an error message, System.NullReferenceException: Object reference not set to an instance of an object. at <StartupCode$FSI_0004>.$FSI_0004.main@() in P:\proj\Tachograph\Project\CompuTachTest\CompuTachTest\rsaTest.fsx:line 16 However, if I change rsaTest2 from a value into a function and call it, let rsaTest2 () = let ecKey = [|0uy..143uy|] // junk data for testing let rsa = RSAParameters(Modulus = ecKey.[8..8+128-1], Exponent = ecKey.[136..136+8-1]) rsa let x = rsaTest2 () then there is no error. F# bug or my mistake?

Read the article
Automating silent software deployments on Solaris 10

- by datSilencer

Hello everyone. Essentially, the question I'd like to ask is related to the automation of software package deployments on Solaris 10. Specifically, I have a set of software components in tar files that run as daemon processes after being extracted and configured in the host environment. Pretty much like any server side software package out there, I need to ensure that a list of prerequisites are met before extracting and running the software. For example: Checking that certain users exists, and they are associated with one or many user groups. If not, then create them and their group associations. Checking that target application folders exist and if not, then create them with preconfigured path values defined when the package was assembled. Checking that such folders have the appropriate access control level and ownership for a certain user. If not, then set them. Checking that a set of environment variables are defined in /etc/profile, pointed to predefined path locations, added to the general $PATH environment variable, and finally exported into the user's environment. Other files include /etc/services and /etc/system. Obviously, doing this for many boxes (the goal in question) by hand can be slow and error prone. I believe a better alternative is to somehow automate this process. So far I have thought about the following options, and discarded them for one reason or another. 1) Traditional shell scripts. I've only troubleshooted these before, and I don't really have much experience with them. These would be my last resort. 2) Python scripts using the pexpect library for analyzing system command output. This was my initial choice since the target Solaris environments have it installed. However, I want to make sure that I'm not reinveting the wheel again :P. 3) Ant or Gradle scripts. They may be an option since the boxes also have java 1.5 enabled, and the fileset abstractions can be very useful. However, they may fall short when dealing with user and folder permissions checking/setting. It seems obvious to me that I'm not the first person in this situation, but I don't seem to find a utility framework geared towards this purpose. Please let me know if there's a better way to accomplish this. I thank you for your time and help.

Read the article
Anyone run recurring payments in their website? Preferably; Paypal API

- by James

I'm wrapping up my startup and will need to implement Paypal API into my sign up page. Does anyone use recurring payments via Paypal API integrated into their billing? Better yet, guide me to a trustable developer with experience or will I have to use Elance? I need it to go to a welcome/get started screen in their logged in account once they hit the 'create account' button after filling out billing info. I was also wondering, can you leave the CSC (3 digit security code) field out with integration, because it makes things very hard for recurring payments. I'd like to stick with Paypal, as I have been very satisfied with them for a few years now; I already checked out Chargify, authorize.net, etc. I'd love to see someone with something like this set up already to take a look at and ask a few questions.

Read the article
Why is this not a bug in qmail?

- by jemfinch

I was reading DJB's "Some thoughts on security after ten years of Qmail 1.0" and he listed this function for moving a file descriptor: int fd_move(to,from) int to; int from; { if (to == from) return 0; if (fd_copy(to,from) == -1) return -1; close(from); return 0; } It occurred to me that this code does not check the return value of close, so I read the man page for close(2), and it seems it can fail with EINTR, in which case the appropriate behavior would seem to be to call close again with the same argument. Since this code was written by someone with far more experience than I in both C and UNIX, and additionally has stood unchanged in qmail for over a decade, I assume there must be some nuance that I'm missing that makes this code correct. Can anyone explain that nuance to me?

Read the article
AesCryptoServiceProvider not part of SymmetricAlgorithm?

- by user330006

I have a quick little app that steps through the possible symmetric encryption methods. I get them with the following line: private static List<Type> GetAlgorithmTypes { get { return Assembly.GetAssembly(typeof(SymmetricAlgorithm)).GetTypes().Where( type => type.IsSubclassOf(typeof(SymmetricAlgorithm))).ToList(); } } As you can see when i run this, AesCryptoServiceProvider is not a member of this group, even though it inherits from AES, which does belong to SymmetricAlgorithm and shows up in my list. This wouldn't be so much of a problem, i can manually add the provider in the group if i have too, but then if i try to retrieve this type by its name: Type t = Type.GetType("System.Security.Cryptography.AesCryptoServiceProvider"); i get a null object for AesCryptoServiceProvider, but not for any of the other items in the group. This is really strange, and i'm wondering if anyone has any ideas. It's kinda making me need to use tripleDES because of this (since my machines are all running the FIPS compliance requirement). Thanks for any help!

Read the article
ASP.NET MVC - How to save some data between requests ?

- by Tony

Hi, I'm trying to solve the problem: when a user is being logged into a WebSite (via user control .ascx stored on the Master Page), it's name is being stored in a Page.User.Identity.Name property. OK, but how to retrieve that user name in the controller ? Is it possible without registering System.Security.Principal namespace in the controller ? In the other words - the controller must know whose user wants to do some action (e.g. change account data). I could store it's name in the Html.Hidden control on each View but I don't want to have a mess in my Views

Read the article
How can I change or remove HttpRequest input arguments in a HttpModule

- by Eric Gunn

Is it possible to change or remove http request form inputs in an httpmodule? My goal is to create a security IHttpmodule that will check the request for reasonable values, such as limits on acceptable input and query parameter length, or use the AntiXSS Sanitizer to remove threats, log potential hack attempts, etc. before a request is passed on to a processor. Because this is a cross cutting concern I'd prefer to find a solution that applies to all requests and affects all ways request values could be accessed, Reqest.Form, Action(model), Action(FormCollection), HttpContext.Current.Request.Form, etc. I'm using MVC and have considered creating custom model binders to clean the data before creating the model instance. But that would be application specific, require remembering to register every model binder and only apply to Action(model).

Read the article
SBT equivalent of Ant target

- by adelbertc

What is the SBT equivalent (if any) of Ant targets? For example, a snippet in a build.xml file for Ant would be: <target name="runClient" description="run client"> <java classname="client.Client" fork="true"> <jvmarg value="-Djava.rmi.server.codebase=${client_web_codebase}"/> <jvmarg value="-Djava.security.policy=policy"/> <arg value="localhost"/> <classpath> <pathelement location="dist/client.jar"/> </classpath> </java> </target> And then I would do something like ant runClient to launch the application "client.Client" with the jvmargs specified in the XML.. is there an SBT equivalent, or a way for SBT to hook into Ant to do this?

Read the article

< Previous Page | 480 481 482 483 484 485 486 487 488 489 490 491 | Next Page >