Search Results

Search found 88705 results on 3549 pages for 'web application security'.

Page 55/3549 | < Previous Page | 51 52 53 54 55 56 57 58 59 60 61 62  | Next Page >

• Are there commercially deployed and used .NET CAS (Code Access Security) based applications?

  - by Dinis Cruz

  I've seen a couple threads here on SO that ask about what CAS is and how to use it.My specific is specifically focused on real-world usages of CAS. For example: DotNetNuke did some efforts in the past to be able to run under Medium Trust: is that still true? what is the % of DNN that run in partial trust (i.e. not full trust)? what & of DNN modules run in partial trust?) Sharepoint defaults to a Partially-Trusted environment on dlls executed from the bin folder: How many 'commercially' available WebParts can run in this bin folder (without changing the policy)? The key here is to be able to point to CAS success stories, so that other companies feel that they should also invest in writing CAS-enabled apps

  Read the article

• Are all "Important security updates", updates to already installed packages?

  - by Omnicomment

  I'm running 12.04, and I've never downloaded any drivers for the installation of any peripheral devices. Yet, I noticed a fair few "Important security updates" involving drivers/utilities for HP devices/software. I understand if the default installation of Ubuntu came with a set of drivers for these devices - and the update manager, having noticed that they live on my system, went and found newer versions, but still - given I don't use any devices - I'm either forced to download an irrelevant update, sift through the updates to check applicability, or turn off Update Manager altogether: none of which are desirable. First; the obvious - can someone confirm that the list of "Important security updates" on the server that Update manager connects to, is not actually populated with every patch ever written (i.e. for all Ubuntu packages regardless of whether they're installed or not)? Unlikely, but..

  Read the article

• How to learn what the industry standards/expectations are, particularly with security?

  - by Aerovistae

  For instance, I was making my first mobile web-application about a year ago, and half-way through, someone pointed me to jQuery Mobile. Obviously this induced a total revolution in my app. Rewrote everything. Now, if you're in the field long enough, maybe that seems like common knowledge, but I was totally new to it. But this set me wondering: there are so many libraries and extensions and frameworks. This seems particularly crucial in the category of security. I'm afraid I'm going to find myself doing something in a professional setting eventually (I'm still a student) and someone's going to walk over and be like, My god, you're trying to secure user data that way? Don't you know about the Gordon-Wokker crypto-magic-hash-algorithms library? Without it you may as well go plaintext. How do you know what the best ways are to maximize security? Especially if you're trying to develop something on your own...

  Read the article

• Server Error in '/' Application (ASP.NET)

  - by baeltazor

  Hi All I just setup up member ship roles and registration on my website with visual web developer using the tutorial on msdn. It works perfectly locally, but when i uploaded it to my server, I get the following page: "Server Error in '/' Application. -------------------------------------------------------------------------------- Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. Parser Error Message: The connection name 'LocalSqlServer' was not found in the applications configuration or the connection string is empty. Source Error: [No relevant source lines] Source File: machine.config Line: 160 -------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:2.0.50727.4200; ASP.NET Version:2.0.50727.4016 " Does anybody know why I'm seeing this and how I may go about fixinf this? Any help is greatly appreciated. Thank you Bael. EDIT: I have just looked at my web.config file after reading the following line in the error message: "The connection name 'LocalSqlServer' was not found in the applications configuration or the connection string is empty." ... And have noticed that the following element is completely empty: <connectionStrings/> // Is this one supposed to be empty? if not what should go here? In the error it implies it shouldn't be empty. Also, I don't know where I should place LocalSqlServer LATEST EDIT After changing DataSource to LocalHost i get the following error: Server Error in '/JTS' Application. -------------------------------------------------------------------------------- A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. Stack Trace: [SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)] System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +4849015 System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +194 System.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, SqlConnection owningObject) +4862333 System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject) +90 System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart) +342 System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance) +221 System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance) +189 System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection) +185 System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options) +31 System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject) +433 System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject) +66 System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) +499 System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) +65 System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) +117 System.Data.SqlClient.SqlConnection.Open() +122 System.Web.DataAccess.SqlConnectionHolder.Open(HttpContext context, Boolean revertImpersonate) +87 System.Web.DataAccess.SqlConnectionHelper.GetConnection(String connectionString, Boolean revertImpersonation) +221 System.Web.Security.SqlMembershipProvider.GetPasswordWithFormat(String username, Boolean updateLastLoginActivityDate, Int32& status, String& password, Int32& passwordFormat, String& passwordSalt, Int32& failedPasswordAttemptCount, Int32& failedPasswordAnswerAttemptCount, Boolean& isApproved, DateTime& lastLoginDate, DateTime& lastActivityDate) +815 System.Web.Security.SqlMembershipProvider.CheckPassword(String username, String password, Boolean updateLastLoginActivityDate, Boolean failIfNotApproved, String& salt, Int32& passwordFormat) +105 System.Web.Security.SqlMembershipProvider.CheckPassword(String username, String password, Boolean updateLastLoginActivityDate, Boolean failIfNotApproved) +42 System.Web.Security.SqlMembershipProvider.ValidateUser(String username, String password) +78 System.Web.UI.WebControls.Login.AuthenticateUsingMembershipProvider(AuthenticateEventArgs e) +60 System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +119 System.Web.UI.WebControls.Login.AttemptLogin() +115 System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +101 System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +37 System.Web.UI.WebControls.Button.OnCommand(CommandEventArgs e) +118 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +166 System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10 System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13 System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565 -------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

  Read the article

• Would security be comprimised if I install a gui (e.g. zPanel) for LAMP?

  - by Kirk

  I am an Ubuntu/Linux noob. There are many questions I have regarding the use of my system as a server. First and foremost is security. I want to install a simple GUI (zPanel appears the most user friendly) that will allow others to log into the server and database with ease, similar to a hosting service, though my intent is for the development of one site. Upon looking at the instructions of numerous GUI's, they require installation as root. This makes me uneasy, as my thoughts spiral to the possibilities of the developers creating the elusive 'back-door', thereby giving them root access to my entire system. Am I just being paranoid or is that theoretically possible? If it is possible, what steps are necessary to ensure security?

  Read the article

• What are the security implications of running untrusted code on my server?

  - by rahmu

  I would like to set up an app that allows users to send their code and execute it on my server. The thought of running untrusted code makes me cringe, so I am trying to set up an exhaustive list of security threats that should be addressed. I am assuming I should strip down certain features of the language executed, like file access or (maybe) networking. I also come across terms like sandboxing or chroot. I know what they mean, but how should I actually use them? In short: What security threats should I address before allowing users to run their code on my machine, and how do I do it?

  Read the article

• How to configure the web page of a web application to be browsed maximized ?

  - by user493325

  I have developed a web project using PowerBuilder V12.0 and it is published in ASP.net web file formats (*.aspx). I have hosted my web project on a web server machine with operating system (Windows Server 2003 - Enterprise Edition) and IIS V6.0 as Web Server Hosting Application. I would like to make the home page (Default.aspx) opened maximized so that no internet toolbars appears in the Internet Explorere or any other internet browser like Firefox and so on. It seems this is a web server configuration and setting as now I host the same web application in two development web servers and it opens maximized in one of them and opens normal in the other so No changes are needed in the web project files. I do not know exactly what is this option or configuration,, Is there a property like window size or width and height in web configuration files like web.config and machine.config ? I guess there is a property like WindowSize:Maximized. If you had experience with that before please let me know the options and configurations needed to do that. Thanks for your help.

  Read the article

• What am I risking if I don't update my SDK/JDK and bundled runtime/JRE every time there's a security update?

  - by rob

  It seems like there's a new major security hole patched in Java every other week, and I would assume the same goes for other development platforms. After years of frustration trying to get customers to install and configure a compatible JRE on their systems, we started bundling one with our software. (By bundling, I mean we extract a copy of the JRE in our installation directory--we don't install the JRE and configure it as the system default.) The problem is, it's a hassle having to keep that JRE up-to-date because first we have to retest everything to make sure the update didn't break anything (it has broken some of our third-party dependencies in the past). How seriously, if at all, are we putting our customers at risk if we don't update our SDK/JDK and the runtime/JRE that we bundle with our product every time there's a security update? Is it reasonable to just update on a periodic schedule--say, once every 6 months or so?

  Read the article

• Can't connect to SSL web service with WS-Security using PHP SOAP extension - certificate, complex WSDL

  - by BillF

  Using the PHP5 SOAP extension I have been unable to connect to a web service having an https endpoint, with client certificate and using WS-Security, although I can connect using soapUI with the exact same wsdl and client certificate, and obtain the normal response to the request. There is no HTTP authentication and no proxy is involved. The message I get is 'Could not connect to host'. Have been able to verify that I am NOT hitting the host server. (Earlier I wrongly said that I was hitting the server.) The self-signed client SSL certificate is a .pem file converted by openssl from a .p12 keystore which in turn was converted by keytool from a .jks keystore having a single entry consisting of private key and client certificate. In soapUI I did not need to supply a server private certificate, the only two files I gave it were the wdsl and pem. I did have to supply the pem and its passphrase to be able to connect. I am speculating that despite the error message my problem might actually be in the formation of the XML request rather than the SSL connection itself. The wsdl I have been given has nested complex types. The php server is on my Windows XP laptop with IIS. The code, data values and WSDL extracts are shown below. (The WSSoapClient class simply extends SoapClient, adding a WS-Security Username Token header with mustUnderstand = true and including a nonce, both of which the soapUI call had required.) Would so much appreciate any help. I'm a newbie thrown in at the deep end, and how! Have done vast amounts of Googling on this over many days, following many suggestions and have read Pro PHP by Kevin McArthur. An attempt to use classmaps in place of nested arrays also fell flat. The Code class STEeService { public function invokeWebService(array $connection, $operation, array $request) { try { $localCertificateFilespec = $connection['localCertificateFilespec']; $localCertificatePassphrase = $connection['localCertificatePassphrase']; $sslOptions = array( 'ssl' => array( 'local_cert' => $localCertificateFilespec, 'passphrase' => $localCertificatePassphrase, 'allow_self-signed' => true, 'verify_peer' => false ) ); $sslContext = stream_context_create($sslOptions); $clientArguments = array( 'stream_context' => $sslContext, 'local_cert' => $localCertificateFilespec, 'passphrase' => $localCertificatePassphrase, 'trace' => true, 'exceptions' => true, 'encoding' => 'UTF-8', 'soap_version' => SOAP_1_1 ); $oClient = new WSSoapClient($connection['wsdlFilespec'], $clientArguments); $oClient->__setUsernameToken($connection['username'], $connection['password']); return $oClient->__soapCall($operation, $request); } catch (exception $e) { throw new Exception("Exception in eServices " . $operation . " ," . $e->getMessage(), "\n"); } } } $connection is as follows: array(5) { ["username"]=> string(8) "DFU00050" ["password"]=> string(10) "Fabricate1" ["wsdlFilespec"]=> string (63) "c:/inetpub/wwwroot/DMZExternalService_Concrete_WSDL_Staging.xml" ["localCertificateFilespec"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem" ["localCertificatePassphrase"]=> string(14) "password123456" } $clientArguments is as follows: array(7) { ["stream_context"]=> resource(8) of type (stream-context) ["local_cert"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem" ["passphrase"]=> string(14) "password123456" ["trace"]=> bool(true) ["exceptions"]=> bool(true) ["encoding"]=> string(5) "UTF-8" ["soap_version"]=> int(1) } $operation is as follows: 'getConsignmentDetails' $request is as follows: array(1) { [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } Note how there is an extra level of nesting, an array wrapping the request which is itself an array. This was suggested in a post although I don't see the reason, but it seems to help avoid other exceptions. The exception thrown by ___soapCall is as follows: object(SoapFault)#6 (9) { ["message":protected]=> string(25) "Could not connect to host" ["string":"Exception":private]=> string(0) "" ["code":protected]=> int(0) ["file":protected]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line":protected]=> int(85) ["trace":"Exception":private]=> array(5) { [0]=> array(6) { ["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(85) ["function"]=> string(11) "__doRequest" ["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) { [0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 " [1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1" [2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) } } [1]=> array(4) { ["function"]=> string(11) "__doRequest" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient" ["type"]=> string(2) "->" ["args"]=> array(5) { [0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 " [1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1" [2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) [4]=> int(0) } } [2]=> array(6) { ["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(70) ["function"]=> string(10) "__soapCall" ["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) { [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } [2]=> NULL [3]=> object(SoapHeader)#5 (4) { ["namespace"]=> string(81) "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ["name"]=> string(8) "Security" ["data"]=> object(SoapVar)#4 (2) { ["enc_type"]=> int(147) ["enc_value"]=> string(594) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z " } ["mustUnderstand"]=> bool(true) } } } [3]=> array(6) { ["file"]=> string(42) "C:\Inetpub\wwwroot\eServices\eServices.php" ["line"]=> int(87) ["function"]=> string(10) "__soapCall" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient" ["type"]=> string(2) "->" ["args"]=> array(2) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) { [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } } [4]=> array(6) { ["file"]=> string(58) "C:\Inetpub\wwwroot\eServices\EnquireConsignmentDetails.php" ["line"]=> int(44) ["function"]=> string(16) "invokeWebService" ["class"]=> string(38) "startrackexpress\eservices\STEeService" ["type"]=> string(2) "->" ["args"]=> array(3) { [0]=> array(5) { ["username"]=> string(10) "DFU00050 " ["password"]=> string(12) "Fabricate1 " ["wsdlFilespec"]=> string(63) "c:/inetpub/wwwroot/DMZExternalService_Concrete_WSDL_Staging.xml" ["localCertificateFilespec"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem" ["localCertificatePassphrase"]=> string(14) "password123456" } [1]=> string(21) "getConsignmentDetails" [2]=> array(1) { [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } } } ["previous":"Exception":private]=> NULL ["faultstring"]=> string(25) "Could not connect to host" ["faultcode"]=> string(4) "HTTP" } Here are some WSDL extracts (TIBCO BusinessWorks): <xsd:complexType name="TransactionHeaderType"> <xsd:sequence> <xsd:element name="source" type="xsd:string"/> <xsd:element name="accountNo" type="xsd:integer"/> <xsd:element name="userId" type="xsd:string" minOccurs="0"/> <xsd:element name="transactionId" type="xsd:string" minOccurs="0"/> <xsd:element name="transactionDatetime" type="xsd:dateTime" minOccurs="0"/> </xsd:sequence> </xsd:complexType> <xsd:element name="getConsignmentDetailRequest"> <xsd:complexType> <xsd:sequence> <xsd:element name="header" type="prim:TransactionHeaderType"/> <xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="getConsignmentDetailResponse"> <xsd:complexType> <xsd:sequence> <xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="getConsignmentDetailRequest"> <xsd:complexType> <xsd:sequence> <xsd:element name="header" type="prim:TransactionHeaderType"/> <xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="getConsignmentDetailResponse"> <xsd:complexType> <xsd:sequence> <xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> </xsd:complexType> </xsd:element> <wsdl:operation name="getConsignmentDetails"> <wsdl:input message="tns:getConsignmentDetailsRequest"/> <wsdl:output message="tns:getConsignmentDetailsResponse"/> <wsdl:fault name="fault1" message="tns:fault"/> </wsdl:operation> <wsdl:service name="ExternalOps"> <wsdl:port name="OperationsEndpoint1" binding="tns:OperationsEndpoint1Binding"> <soap:address location="https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"/> </wsdl:port> </wsdl:service> And here in case it's relevant is the WSSoapClient class: <?PHP namespace startrackexpress\eservices; use SoapClient, SoapVar, SoapHeader; class WSSoapClient extends SoapClient { private $username; private $password; /*Generates a WS-Security header*/ private function wssecurity_header() { $timestamp = gmdate('Y-m-d\TH:i:s\Z'); $nonce = mt_rand(); $passdigest = base64_encode(pack('H*', sha1(pack('H*', $nonce).pack('a*', $timestamp).pack('a*', $this->password)))); $auth = ' <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:UsernameToken> <wsse:Username>' . $this->username . '</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">' . $this->password . '</wsse:Password> <wsse:Nonce>' . base64_encode(pack('H*', $nonce)).'</wsse:Nonce> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">' . $timestamp . '</wsu:Created> </wsse:UsernameToken> </wsse:Security> '; $authvalues = new SoapVar($auth, XSD_ANYXML); $header = new SoapHeader("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security",$authvalues, true); return $header; } // Sets a username and passphrase public function __setUsernameToken($username,$password) { $this->username=$username; $this->password=$password; } // Overwrites the original method, adding the security header public function __soapCall($function_name, $arguments, $options=null, $input_headers=null, $output_headers=null) { try { $result = parent::__soapCall($function_name, $arguments, $options, $this->wssecurity_header()); return $result; } catch (exception $e) { throw new Exception("Exception in __soapCall, " . $e->getMessage(), "\n"); } } } ?> Update: The request XML would have been as follows: <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://startrackexpress/Common/Primitives/v1" xmlns:ns2="http://startrackexpress/Common/actions/externals/Consignment/v1" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <SOAP-ENV:Header> <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:UsernameToken> <wsse:Username>DFU00050</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Fabricate1</wsse:Password> <wsse:Nonce>M4FIeGA=</wsse:Nonce> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-10-29T14:05:27Z</wsu:Created> </wsse:UsernameToken> </wsse:Security> </SOAP-ENV:Header> <SOAP-ENV:Body><ns2:getConsignmentDetailRequest> <ns2:header><ns1:source>customerA</ns1:source><ns1:accountNo>10072906</ns1:accountNo></ns2:header> <ns2:consignmentId>GKQ00000085</ns2:consignmentId> </ns2:getConsignmentDetailRequest></SOAP-ENV:Body> </SOAP-ENV:Envelope> This was obtained with the following code in WSSoapClient: public function __doRequest($request, $location, $action, $version) { echo "<p> " . htmlspecialchars($request) . " </p>" ; return parent::__doRequest($request, $location, $action, $version); }

  Read the article

• Is it worth hiring a hacker to perform some penetration testing on my servers ?

  - by Brann

  I'm working in a small IT company with paranoid clients, so security has always been an important consideration to us ; In the past, we've already mandated two penetration testing from independent companies specialized in this area (Dionach and GSS). We've also ran some automated penetration tests using Nessus. Those two auditors were given a lot of insider information, and found almost nothing* ... While it feels comfortable to think our system is perfectly sure (and it was surely comfortable to show those reports to our clients when they performed their due diligence work), I've got a hard time believing that we've achieved a perfectly sure system, especially considering that we have no security specialist in our company (Security has always been a concern, and we're completely paranoid, which helps, but that's far as it goes!) If hackers can hack into companies that probably employ at least a few people whose sole task is to ensure their data stays private, surely they could hack into our small business, right ? Does someone have any experience in hiring an "ethical hacker"? How to find one? How much would it cost? *The only recommendation they made us was to upgrade our remote desktop protocols on two windows servers, which they were able to access because we gave them the correct non-standard port and whitelisted their IP

  Read the article

• Exposing BL as WCF service

  - by Oren Schwartz

  I'm working on a middle-tier project which encapsulates the business logic (uses a DAL layer, and serves a web application server [ASP.net]) of a product deployed in a LAN. The BL serves as a bunch of services and data objects that are invoked upon user action. At present times, the DAL acts as a separate application whereas the BL uses it, but is consumed by the web application as a DLL. Both the DAL and the web application are deployed on different servers inside organization, and since the BL DLL is consumed by the web application, it resides in the same server. The worst thing about exposing the BL as a DLL is that we lost track with what we expose. Deployment is not such a big issue since mostly, product versions are deployed together. Would you recommend migrating from DLL to WCF service? if so, why ? Do you know anyone who had a similar experience ? Thank you !

  Read the article

• Server Security

  - by mahatmanich

  I want to run my own root server (directly accessible from the web without a hardware firewall) with debian lenny, apache2, php5, mysql, postfix MTA, sftp (based on ssh) and maybe dns server. What measures/software would you recomend, and why, to secure this server down and minimalize the attack vector? Webapplications aside ... This is what I have so far: iptables (for gen. packet filtering) fail2ban (brute force attack defense) ssh (chang default, port disable root access) modsecurity - is really clumsy and a pain (any alternative here?) ?Sudo why should I use it? what is the advantage to normal user handling thinking about greensql for mysql www.greensql.net is tripwire worth looking at? snort? What am I missing? What is hot and what is not? Best practices? I like "KISS" - Keep it simple secure, I know it would be nice! Thanks in advance ...

  Read the article

• Running .net application over a network

  - by Marlon

  Hello, I need some advice please. I need to enable a .Net application to run over a network share, the problem is that this will be on clients network shares and so the path will not be identical. I've had a quick look at ClickOnce and the publish options in VS2008 but it wants a specific network share location - and I'm assuming this location gets stored somewhere when it does its thing. At the moment the job is being done with a old VB6 application and so gets around all these security issues, but that application is poorly written and almost impossible to maintain so it really needs to go. Is it possible for the domain controller to be set up to allow this specific .Net application to execute? Any other options would be welcomed as I want to get this little application is very business critical. I aught to say that the client networks are schools, and thus are often quite locked down as are the client machines, so manually adding exceptions to each client machine is a big no no. Marlon

  Read the article

• What tangible security are gained by blocking all but a few outgoing ports in a firewall

  - by Frankie Dintino

  Our current hardware firewall allows for blocking incoming and outgoing ports. We have two possibilities: Block certain troublesome ports (unsecured smtp, bittorrent, etc.) Block all but a few approved ports (http, https, ssh, imap-ssl, etc.) I see several downsides with option 2. Occasionally web servers are hosted on non-standard ports and we would have to deal with the resulting issues. Also, there is nothing preventing a malicious or unwanted service from being hosted on port 80, for instance. What are are the upsides?

  Read the article

• How IBM Implement WebSphere Application Server SDK for Sun Solaris OS

  - by Eng Al-Rawabdeh

  I deploy the same application in IBM-WAS on different OS ( Windows , AIX and SUN-Solaris ) , SDK errors appeared on SDK for just Solaris OS , I refer some sites and it talk that the SDK on Solaris OS was build based on Sun SDK is it write ? so please I need to now if the IBM build the Solaris SDK from scratch or based on sun SDK ?? More Details : I Installed the same IBM WAS Application Server on two servers as the following : 1- Server1 - OS (AIX) 2- Server2 - OS ( Solaris) these two server on the same network and have the same configuration . Then I deploy Java Application ( X ) on both servers , the Application X was run on Server1 ( AIX ) without any problem but when I run the Application on Server 2 ( Solaris OS) I faced SDK issue . So I need to know what the difference between AIX WAS SDK and Solaris WAS SDK ?? Note : I try windows and it was run without any problem .

  Read the article

• Windows/global setting to allow only SSL when on public Wifi?

  - by hungry

  Rather than going through each of my apps and modifying settings, or tweaking individual browser settings (I use three different browsers) or just being careful not to type non-SSL URLs into the web address bar, is there a solution at the Windows level that will prevent anything from connecting to the web from my laptop unless it's using SSL? I also have mini apps installed like Gmail checker, etc that connect to the web of their own volition using my usernames, passwords and such, so it goes beyond just web browsers. The reason I'm asking is I want to work securely on the general Internet when on public Wifi (e.g. coffee shops) without a lot of hassle or having to remember everything that needs to be locked down. When I'm back home I want to go back to full access mode using any kind of protocol on the web. If a website doesn't support SSL when I'm out in public then I just don't surf it - that's not a worry to me.

  Read the article

• Globe Trotters: Asian Healthcare CIOs need ‘Security Inside Out’ Approach

  - by Tanu Sood

  In our second edition of Globe trotters, wanted to share a feature article that was recently published in Enterprise Innovation. EnterpriseInnovation.net, part of Questex Media Group, is Asia's premier business and technology publication. The article featured MOH Holdings (a holding company of Singapore’s Public Healthcare Institutions) and highlighted the project around National Electronic Health Record (NEHR) system currently being deployed within Singapore.  According to the feature, the NEHR system was built to facilitate seamless exchanges of medical information as patients move across different healthcare settings and to give healthcare providers more timely access to patient’s healthcare records in Singapore. The NEHR consolidates all clinically relevant information from patients’ visits across the healthcare system throughout their lives and pulls them in as a single record. It allows for data sharing, making it accessible to authorized healthcare providers, across the continuum of care throughout the country. In healthcare, patient data privacy is critical as is the need to avoid unauthorized access to the electronic medical records. As Alan Dawson, director for infrastructure and operations at MOH Holdings is quoted in the feature, “Protecting the perimeter is no longer enough. Healthcare CIOs today need to adopt a ‘security inside out’ approach that protects information assets all the way from databases to end points.” Oracle has long advocated the ‘Security Inside Out’ approach. From operating systems, infrastructure to databases, middleware all the way to applications, organizations need to build in security at every layer and between these layers. This comprehensive approach to security has never been as important as it is today in the social, mobile, cloud (SoMoClo) world. To learn more about Oracle’s Security Inside Out approach, visit our Security page. And for more information on how to prevent unauthorized access, streamline user administration, bolster security and enforce compliance in healthcare, learn more about Oracle Identity Management.

  Read the article

• How does one rein in the complexities of web development ?

  - by Rahul

  I have been a server-side programmer for most of my career and have only recently started spending more time on web development. I am amazed at the number of things I need to master in order to write a decent web application. Just to list down a few tools/technologies I need to learn, Server side programming language (Java/JSP, ASP, PHP, Ruby or something else) A decent web framework (for any medium to big size application). HTML & CSS Javascript Javascript library (JQuery/ExtJS etc. primarily for AJAX). Good to know even if not necessary. At least a basic knowledge of web design - layouts, colors, fonts etc. A good understanding of web security. A good understanding of Performance/scalability issues. Testing, browser compatibility issues etc. The list goes on. So, my question to seasoned web developers is - How do you guys manage to learn and keep yourself updated on so many things? While developing a web application, how do you handle the complexities involved in these areas and yet manage to write an application that is well designed, user friendly, secure, performant and scalable. As a web developer, does one have to be a jack of all trades or should one specialize in one or two areas and leave the rest to other members of the team ?

  Read the article

• Logging Application Block

  - by Gordon Carpenter-Thompson

  I'm using the Logging Application Block in my ASP.NET application and want to convert the application to a Sharepoint WebPart. It all works fine as long as I change: <trust level="WSS_Minimal" originUrl="" /> to <trust level="Full" originUrl="" /> If not I get an exception in the logs: Failed to add webpart *************255Fcatalogs%252Fwp%252FSearchWebPart%252Ewebpart;SearchWebPart. Exception Microsoft.SharePoint.WebPartPages.WebPartPageUserException: The type initializer for 'Microsoft.Practices.EnterpriseLibrary.Logging.Logger' threw an exception. ---> System.TypeInitializationException: The type initializer for 'Microsoft.Practices.EnterpriseLibrary.Logging.Logger' threw an exception. ---> System.TypeInitializationException: The type initializer for 'Microsoft.Practices.EnterpriseLibrary.Common.Configuration.SystemConfigurationSource' threw an exception. ---> System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neut... ...ral, PublicKeyToken=b77a5c561934e089' failed. at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) at System.Security.CodeAccessPermission.Demand() at System.AppDomainSetup.VerifyDir(String dir, Boolean normalize) at System.AppDomainSetup.get_ConfigurationFile() at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.SystemConfigurationSourceImplementation..ctor(Boolean refresh) at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.SystemConfigurationSource..cctor() The action that failed was: Demand The type of the first permission that failed was: System.Security.Permissions.FileIOPermission The first permission that failed was: <IPermission class="System.Security.Permissions.FileIOPermi... ...ssion, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" PathDiscovery="D:\Inetpub\wwwroot\wss\VirtualDirectories\8686\web.config"/> The demand was for: <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" PathDiscovery="D:\Inetpub\wwwroot\wss\VirtualDirectories\8686\web.config"/> The granted set of the failing assembly was: <PermissionSet class="System.Security.PermissionSet" version="1"> <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Flags="Execution"/> <IPermission class="System.Security.Permissions.StrongNameIdentityPermis... ...sion, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100257FAE170ABB2AB4A8EF914DFEA757F7DB8C221F01850FC8753A4C6585C0B07749DA33DF4D64A721A070E7CDCDEFC8C786E3626418389BCF461E4300E6F4C477BE5CE64AD12C29D517208D6BA627D9F73A9066B7638BE1FEE3EABE6C3E537B546CB3B5DE5E436F95278BB1E9DBDE85C2A6B624010A8073841D467CC7A0A0C6C8" Name="Microsoft.Practices.EnterpriseLibrary.Common" AssemblyVersion="3.1.0.0"/> <IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Url="file:///D:/Inetpub/wwwroot/wss/VirtualDirectories/8686/bin/Microsoft.Practices.EnterpriseLibrary.Common.DLL"/> <IPe... ...rmission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Zone="MyComputer"/> <IPermission class="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Level="Minimal"/> <IPermission class="Microsoft.SharePoint.Security.WebPartPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" version="1" Connections="True"/> </PermissionSet> The assembly or AppDomain that failed was: Microsoft.Practices.EnterpriseLibrary.Common, Version=3.1.0.0, Culture=neutral, PublicKeyToken=a646907c4a695009 The Zone of the assembly that failed was: MyComputer The Url of the assem... ...bly that failed was: file:///D:/Inetpub/wwwroot/wss/VirtualDirectories/8686/bin/Microsoft.Practices.EnterpriseLibrary.Common.DLL --- End of inner exception stack trace --- at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.SystemConfigurationSource..ctor() at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ConfigurationSourceFactory.Create() at Microsoft.Practices.EnterpriseLibrary.Logging.Logger..cctor() --- End of inner exception stack trace --- at Microsoft.Practices.EnterpriseLibrary.Logging.Logger.Write(LogEntry log) at com.okana.sharepoint.SearchWebPart.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.AddedControl(Control control, Int32 index) at System.Web.UI.ControlCollection.Add(Con... ...trol child) at System.Web.UI.WebControls.WebParts.WebPartManager.WebPartManagerControlCollection.AddWebPartHelper(WebPart webPart) at System.Web.UI.WebControls.WebParts.WebPartManager.WebPartManagerControlCollection.AddWebPart(WebPart webPart) at System.Web.UI.WebControls.WebParts.WebPartManager.AddWebPart(WebPart webPart) at System.Web.UI.WebControls.WebParts.WebPartManagerInternals.AddWebPart(WebPart webPart) at Microsoft.SharePoint.WebPartPages.SPWebPartManager.AddWebPartWithRetry(WebPart webPart) at Microsoft.SharePoint.WebPartPages.SPWebPartManager.AddDynamicWebPart(WebPart webPart) at Microsoft.SharePoint.WebPartPages.SPWebPartManager.LoadWebPart(WebPart aspWebPart, String zoneId, Int32 zoneIndex, Boolean isClosed) at Microsoft.SharePoint.WebPartPages.... ...SPWebPartManager.AddWebPartInternalShared(WebPart webPart) at Microsoft.SharePoint.WebPartPages.SPWebPartManager.AddWebPartInternal(SPSupersetWebPart superset, Boolean throwIfLocked) --- End of inner exception stack trace --- at Microsoft.SharePoint.WebPartPages.SPWebPartManager.AddWebPartInternal(SPSupersetWebPart superset, Boolean throwIfLocked) at Microsoft.SharePoint.WebPartPages.SPWebPartManager.AddWebPartInternal(SPSupersetWebPart superset) at Microsoft.SharePoint.WebPartPages.WebPartQuickAdd.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) My log configuration is this: <loggingConfiguration name="Logging Application Block" tracingEnabled="true" defaultCategory="General" logWarningsWhenNoCategoriesMatch="true"> <listeners> <add fileName="XAE.log" rollSizeKB="0" timeStampPattern="yyyy-MM-dd" rollFileExistsBehavior="Overwrite" rollInterval="Day" formatter="Text Formatter" header="" footer="" listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.RollingFlatFileTraceListenerData, Microsoft.Practices.EnterpriseLibrary.Logging, Version=3.1.0.0, Culture=neutral" traceOutputOptions="None" type="Microsoft.Practices.EnterpriseLibrary.Logging.TraceListeners.RollingFlatFileTraceListener, Microsoft.Practices.EnterpriseLibrary.Logging, Version=3.1.0.0, Culture=neutral" name="Rolling Flat File Trace Listener" /> <add fileName="IDOL.log" rollSizeKB="0" timeStampPattern="yyyy-MM-dd" rollFileExistsBehavior="Overwrite" rollInterval="Day" formatter="Text Formatter" header="" footer="" listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.RollingFlatFileTraceListenerData, Microsoft.Practices.EnterpriseLibrary.Logging, Version=3.1.0.0, Culture=neutral" traceOutputOptions="None" type="Microsoft.Practices.EnterpriseLibrary.Logging.TraceListeners.RollingFlatFileTraceListener, Microsoft.Practices.EnterpriseLibrary.Logging, Version=3.1.0.0, Culture=neutral" name="IDOL Rolling Flat File Trace Listener" /> </listeners> <formatters> <add template="{timestamp(local)} : {category} : {message}" type="Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.TextFormatter, Microsoft.Practices.EnterpriseLibrary.Logging, Version=3.1.0.0, Culture=neutral" name="Text Formatter" /> </formatters> <categorySources> <!-- For any log entries that you wish to suppress set "All" to "Off" --> <add switchValue="All" name="Communication"> <listeners> <add name="Rolling Flat File Trace Listener" /> </listeners> </add> <add switchValue="All" name="Debug"> <listeners> <add name="Rolling Flat File Trace Listener" /> </listeners> </add> <add switchValue="All" name="Exception"> <listeners> <add name="Rolling Flat File Trace Listener" /> </listeners> </add> <add switchValue="All" name="General"> <listeners> <add name="Rolling Flat File Trace Listener" /> </listeners> </add> <add switchValue="All" name="Warning"> <listeners> <add name="Rolling Flat File Trace Listener" /> </listeners> </add> <add switchValue="All" name="IDOL"> <listeners> <add name="IDOL Rolling Flat File Trace Listener" /> </listeners> </add> </categorySources> <specialSources> <allEvents switchValue="All" name="All Events" /> <notProcessed switchValue="All" name="Unprocessed Category" /> <errors switchValue="All" name="Logging Errors &amp; Warnings"> <listeners> <add name="Rolling Flat File Trace Listener" /> </listeners> </errors> </specialSources> </loggingConfiguration> Clearly this is because it's trying to create the log files and WSS_Minimal doesn't allow this. Is there a simple way to disable all logging for now? Removing the logging is problematic as it's used in the underlying libraries. I have tried setting all switchValue="All" to "Off" but it still throws the exception even though nothing should be logged

  Read the article

• Infinite loop using Spring Security - Login page is protected even though it should allow anonymous

  - by Tai Squared

  I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup: web.xml <welcome-file-list> <welcome-file> index.jsp </welcome-file> </welcome-file-list> The index.jsp page is in the WebContent directory and simply contains a redirect: <c:redirect url="/login.htm"/> In the appname-servlet.xml, there is a view resolver to point to the jsp pages in WEB-INF/jsp <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" /> <property name="prefix" value="/WEB-INF/jsp/" /> <property name="suffix" value=".jsp" /> </bean> In the security-config.xml file, I have the following configuration: <http> <!-- Restrict URLs based on role --> <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" /> <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" /> <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" /> <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" /> <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" /> <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" /> <intercept-url pattern="/css/**" filters="none" /> <intercept-url pattern="/images/**" filters="none" /> <intercept-url pattern="/**" access="ROLE_ANONYMOUS" /> <form-login login-page="/login.jsp"/> </http> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" /> </authentication-provider> However, I can't even navigate to the login page and get the following error in the log: WARNING: The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error. I've tried changing the ROLE_ANONYMOUS to IS_AUTHENTICATED_ANONYMOUSLY, changing the login-page to index.jsp, login.htm, and adding different intercept-url values, but I can't get it so the login page is accesible and security applies to the other pages. What do I have to change to avoid this loop?

  Read the article

• Configuring a Context specific Tomcat Security Realm

  - by Andy Mc

  I am trying to get a context specific security Realm in Tomcat 6.0, but when I start Tomcat I get the following error: 09-Dec-2010 16:12:40 org.apache.catalina.startup.ContextConfig validateSecurityRoles INFO: WARNING: Security role name myrole used in an <auth-constraint> without being defined in a <security-role> I have created the following context.xml file: <Context debug="0" reloadable="true"> <Resource name="MyUserDatabase" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/my-users.xml" /> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="MyUserDatabase"/> </Context> Created a file: my-users.xml which I have placed under WEB-INF/conf which contains the following: <tomcat-users> <role rolename="myrole"/> <user username="test" password="changeit" roles="myrole" /> </tomcat-users> Added the following lines to my web.xml file: <web-app ...> ... <security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>myrole</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config> ... </web-app> But seem to get the error wherever I put conf/my-users.xml. Do I have to specify an explicit PATH in the pathname or is it relative to somewhere? Ideally I would like to have it packaged up as part of my WAR file. Any ideas?

  Read the article

• Trying to run WCF web service on non-domain VM, Security Errors

  - by NealWalters

  Am I in a Catch-22 situation here? My goal is to take a WCF service that I inherited, and run it on a VM and test it by calling it from my desktop PC. The VM is in a workgroup, and not in the company's domain. Basically, we need more test environments, ideally one per developer (we may have 2 to 4 people that need this). Thus the idea of the VM was that each developer could have his own web server that somewhat matches or real environment (where we actually have two websites, an external/exposed and internal). [Using VS2010 .NET 4.0] In the internal service, each method was decorated with this attribute: [OperationBehavior(Impersonation = ImpersonationOption.Required)] I'm still researching why this was needed. I think it's because a webapp calls the "internal" service, and either a) we need the credentials of the user, or b) we may doing some PrinciplePermission.Demands to see if the user is in a group. My interest is creating some ConsoleTest programs or UnitTest programs. I changed to allowed like this: [OperationBehavior(Impersonation = ImpersonationOption.Allowed)] because I was getting this error in trying to view the .svc in the browser: The contract operation 'EditAccountFamily' requires Windows identity for automatic impersonation. A Windows identity that represents the caller is not provided by binding ('WSHttpBinding','http://tempuri.org/') for contract ('IAdminService','http://tempuri.org/'. I don't get that error with the original bindings look like this: However, I believe I need to turn off this security since the web service is not on the domain. I tend to get these errors in the client: 1) The request for security token could not be satisfied because authentication failed - as an InnerException of "SecurityNegotiation was unhandled". or 2) The caller was not authenticated by the service as an InnerException of "SecurityNegotiation was unhandled". So can I create some configuration of code and web.config that will allow each developer to work on his own VM? Or must I join the VM to the domain? The number of permutations seems near endless. I've started to create a Word.doc that says what to do with each error, but now I'm in the catch-22 where I'm stuck. Thanks, Neal Server Bindings: <bindings> <wsHttpBinding> <binding name="wsHttpEndpointBinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="500000000"> <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" /> <!-- <security mode="None" /> This is one thing I tried --> <security> <message clientCredentialType="Windows" /> </security> </binding> </wsHttpBinding> </bindings> <behaviors> <serviceBehaviors> <behavior name="ABC.AdminService.AdminServiceBehavior"> <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment --> <serviceMetadata httpGetEnabled="true" /> <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information --> <serviceDebug includeExceptionDetailInFaults="true" /> <serviceCredentials> </serviceCredentials> <!--<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="AspNetWindowsTokenRoleProvider"/>--> <serviceAuthorization principalPermissionMode="UseWindowsGroups" impersonateCallerForAllOperations="true" /> </behavior> <behavior name="ABC.AdminService.IAdminServiceTransportBehavior"> <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment --> <serviceMetadata httpGetEnabled="true" /> <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information --> <serviceDebug includeExceptionDetailInFaults="false" /> <serviceCredentials> <clientCertificate> <authentication certificateValidationMode="PeerTrust" /> </clientCertificate> <serviceCertificate findValue="WCfServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" /> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> <serviceHostingEnvironment multipleSiteBindingsEnabled="true" /> CLIENT: <system.serviceModel> <bindings> <wsHttpBinding> <binding name="WSHttpBinding_IAdminService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" /> <security mode="Message"> <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" /> <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" /> </security> </binding> </wsHttpBinding> </bindings> <client> <endpoint address="http://192.168.159.132/EC_AdminService/AdminService.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IAdminService" contract="svcRef.IAdminService" name="WSHttpBinding_IAdminService"> <identity> <dns value="localhost" /> </identity> </endpoint> </client> </system.serviceModel>

  Read the article

• WCF with No security

  - by james.ingham

  Hi all, I've got a WCF service setup which I can consume and use as intendid... but only on the same machine. I'm looking to get this working over multiple computers and I'm not fussed about the security. However when I set (client side) the security to = none, I get a InvalidOperationException: The service certificate is not provided for target 'http://xxx.xxx.xxx.xxx:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/'. Specify a service certificate in ClientCredentials. So I'm left with: <security mode="Message"> <message clientCredentialType="None" negotiateServiceCredential="false" algorithmSuite="Default" /> </security> But this gives me another InvalidOperationException: The service certificate is not provided for target 'http://xxx.xxx.xxx.xxx:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/'. Specify a service certificate in ClientCredentials. Why would I have to provide a certificate if security was turned off? Server app config: <system.serviceModel> <services> <service name="Server.WcfServiceLibrary.CheckoutService" behaviorConfiguration="Server.WcfServiceLibrary.CheckoutServiceBehavior"> <host> <baseAddresses> <add baseAddress = "http://xxx:8731/Design_Time_Addresses/WcfServiceLibrary/CheckoutService/" /> </baseAddresses> </host> <endpoint address ="" binding="wsDualHttpBinding" contract="Server.WcfServiceLibrary.ICheckoutService"> <identity> <dns value="localhost"/> </identity> </endpoint> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/> </service> <service name="Server.WcfServiceLibrary.ManagementService" behaviorConfiguration="Server.WcfServiceLibrary.ManagementServiceBehavior"> <host> <baseAddresses> <add baseAddress = "http://xxx:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/" /> </baseAddresses> </host> <endpoint address ="" binding="wsDualHttpBinding" contract="Server.WcfServiceLibrary.IManagementService"> <identity> <dns value="localhost"/> </identity> </endpoint> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/> </service> </services> <behaviors> <serviceBehaviors> <behavior name="Server.WcfServiceLibrary.CheckoutServiceBehavior"> <serviceMetadata httpGetEnabled="True"/> <serviceDebug includeExceptionDetailInFaults="False" /> <serviceThrottling maxConcurrentCalls="100" maxConcurrentSessions="50" maxConcurrentInstances="50" /> </behavior> <behavior name="Server.WcfServiceLibrary.ManagementServiceBehavior"> <serviceMetadata httpGetEnabled="True"/> <serviceDebug includeExceptionDetailInFaults="False" /> </behavior> </serviceBehaviors> </behaviors> </system.serviceModel> Client app config: <system.serviceModel> <bindings> <wsDualHttpBinding> <binding name="WSDualHttpBinding_IManagementService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:00:10" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <reliableSession ordered="true" inactivityTimeout="00:10:00" /> <security mode="Message"> <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" /> </security> </binding> </wsDualHttpBinding> </bindings> <client> <endpoint address="http://xxx:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/" binding="wsDualHttpBinding" bindingConfiguration="WSDualHttpBinding_IManagementService" contract="ServiceReference.IManagementService" name="WSDualHttpBinding_IManagementService"> <identity> <dns value="localhost" /> </identity> </endpoint> </client> </system.serviceModel> Thanks

  Read the article

• How to add new filters to CAML queries in SharePoint 2007

  - by uruit

    Normal 0 21 false false false ES-UY X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin-top:0cm; mso-para-margin-right:0cm; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0cm; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} One flexibility SharePoint has is CAML (Collaborative Application Markup Language). CAML it’s a markup language like html that allows developers to do queries against SharePoint lists, it’s syntax is very easy to understand and it allows to add logical conditions like Where, Contains, And, Or, etc, just like a SQL Query. For one of our projects we have the need to do a filter on SharePoint views, the problem here is that the view it’s a list containing a CAML Query with the filters the view may have, so in order to filter the view that’s already been filtered before, we need to append our filters to the existing CAML Query. That’s not a trivial task because the where statement in a CAML Query it’s like this: <Where>   <And>     <Filter1 />     <Filter2 />   </And> </Where> If we want to add a new logical operator, like an OR it’s not just as simple as to append the OR expression like the following example: <Where>   <And>     <Filter1 />     <Filter2 />   </And>   <Or>     <Filter3 />   </Or> </Where> But instead the correct query would be: <Where>   <Or>     <And>       <Filter1 />       <Filter2 />     </And>     <Filter3 />   </Or> </Where> Notice that the <Filter# /> tags are for explanation purpose only. In order to solve this problem we created a simple component, it has a method that receives the current query (could be an empty query also) and appends the expression you want to that query. Example: string currentQuery = @“ <Where>    <And>     <Contains><FieldRef Name='Title' /><Value Type='Text'>A</Value></Contains>     <Contains><FieldRef Name='Title' /><Value Type='Text'>B</Value></Contains>   </And> </Where>”; currentQuery = CAMLQueryBuilder.AppendQuery(     currentQuery,     “<Contains><FieldRef Name='Title' /><Value Type='Text'>C</Value></Contains>”,     CAMLQueryBuilder.Operators.Or); The fist parameter this function receives it’s the actual query, the second it’s the filter you want to add, and the third it’s the logical operator, so basically in this query we want all the items that the title contains: the character A and B or the ones that contains the character C. The result query is: <Where>   <Or>      <And>       <Contains><FieldRef Name='Title' /><Value Type='Text'>A</Value></Contains>       <Contains><FieldRef Name='Title' /><Value Type='Text'>B</Value></Contains>     </And>     <Contains><FieldRef Name='Title' /><Value Type='Text'>C</Value></Contains>   </Or> </Where>             The code:   First of all we have an enumerator inside the CAMLQueryBuilder class that has the two possible Options And, Or. public enum Operators { And, Or }   Then we have the main method that’s the one that performs the append of the filters. public static string AppendQuery(string containerQuery, string logicalExpression, Operators logicalOperator){   In this method the first we do is create a new XmlDocument and wrap the current query (that may be empty) with a “<Query></Query>” tag, because the query that comes with the view doesn’t have a root element and the XmlDocument must be a well formatted xml.   XmlDocument queryDoc = new XmlDocument(); queryDoc.LoadXml("<Query>" + containerQuery + "</Query>");   The next step is to create a new XmlDocument containing the logical expression that has the filter needed.   XmlDocument logicalExpressionDoc = new XmlDocument(); logicalExpressionDoc.LoadXml("<root>" + logicalExpression + "</root>"); In these next four lines we extract the expression from the recently created XmlDocument and create an XmlElement.                  XmlElement expressionElTemp = (XmlElement)logicalExpressionDoc.SelectSingleNode("/root/*"); XmlElement expressionEl = queryDoc.CreateElement(expressionElTemp.Name); expressionEl.InnerXml = expressionElTemp.InnerXml;   Below are the main steps in the component logic. The first “if” checks if the actual query doesn’t contains a “Where” clause. In case there’s no “Where” we add it and append the expression.   In case that there’s already a “Where” clause, we get the entire statement that’s inside the “Where” and reorder the query removing and appending elements to form the correct query, that will finally filter the list.   XmlElement whereEl; if (!containerQuery.Contains("Where")) { queryDoc.FirstChild.AppendChild(queryDoc.CreateElement("Where")); queryDoc.SelectSingleNode("/Query/Where").AppendChild(expressionEl); } else { whereEl = (XmlElement)queryDoc.SelectSingleNode("/Query/Where"); if (!containerQuery.Contains("<And>") &&                 !containerQuery.Contains("<Or>"))        {              XmlElement operatorEl = queryDoc.CreateElement(GetName(logicalOperator)); XmlElement existingExpression = (XmlElement)whereEl.SelectSingleNode("/Query/Where/*"); whereEl.RemoveChild(existingExpression);                 operatorEl.AppendChild(existingExpression);               operatorEl.AppendChild(expressionEl);                 whereEl.AppendChild(operatorEl);        }        else        {              XmlElement operatorEl = queryDoc.CreateElement(GetName(logicalOperator)); XmlElement existingOperator = (XmlElement)whereEl.SelectSingleNode("/Query/Where/*");                 whereEl.RemoveChild(existingOperator);               operatorEl.AppendChild(existingOperator);               operatorEl.AppendChild(expressionEl);                 whereEl.AppendChild(operatorEl);         }  }  return queryDoc.FirstChild.InnerXml }     Finally the GetName method converts the Enum option to his string equivalent.   private static string GetName(Operators logicalOperator) {       return Enum.GetName(typeof(Operators), logicalOperator); }        This component helped our team a lot using SharePoint 2007 and modifying the queries, but now in SharePoint 2010; that wouldn’t be needed because of the incorporation of LINQ to SharePoint. This new feature enables the developers to do typed queries against SharePoint lists without the need of writing any CAML code.   Normal 0 21 false false false ES-UY X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi; mso-fareast-language:EN-US;} Post written by Sebastian Rodriguez - Portals and Collaboration Solutions @ UruIT  

  Read the article

• Are web service handler chains possible under IIS / ASP.NET

  - by Mike

  I'm working with a client who wants me to implement a particular design in an IIS/ASP.NET environment. This design was already implemented in Java, but I am not sure it is possible using Microsoft technologies. In a Tomcat/Java environment one can create so call Handler Chains. In essence a handler runs on the server on which the web service is running and it intercepts the SOAP message coming to the web service. The handler can perform a number of tasks before passing control to the web service. Some of these tasks may refer to authentication and authorization. Moreover, one can create handler chains, such that the handlers can run in a particular sequence before passing control to the web service. This is a very elegant solution, as certain aspects of authentication and authorization can be automatically performed, without the developer of the client application and of the web service having to invest anything in it. The code for the client application and the web service is not affected. You may find a number of articles on internet on this subject by searching on Google for "web service handler chain". I performed searches for web service handlers in IIS or ASP.NET. I get some hits, but apparently handlers in IIS have another meaning than that described above. My question therefor is: Can handler chains (as available in Java and Tomcat) be created in IIS? If so, how (any article, book, forum...)? Either a negative or a positive answer will be greatly appreciated. Mike

  Read the article

< Previous Page | 51 52 53 54 55 56 57 58 59 60 61 62  | Next Page >