Search Results

Search found 21071 results on 843 pages for 'account security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 67/843 | < Previous Page | 63 64 65 66 67 68 69 70 71 72 73 74  | Next Page >

  • Is canvas security model ignoring access-control-allow-origin headers?

    - by luklatlug
    It seems that even if you set the access-control-allow-origin header to allow access from mydomain.org to an image hosted on domain example.org, the canvas' origin-clean flag gets set to false, and trying to manipulate that image's pixel data will trigger a security exception. Shouldn't canvas' obey the access-control-allow-origin header and allow access to image's data without throwing an exception?

    Read the article

  • ASP.NET Security Exception when Switch IIS7 to Use UNC Path for Content

    - by Jeremy H.
    I have a Windows Server 2008 R2 box running IIS7.5 with Medium Trust configured for ASP.NET. When I have the website running from local content (e.g.: c:\inetpub\wwwroot) everything works fine. When I change IIS to use a UNC path for the content (e.g.: \\computer\wwwroot) I get the following error: Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. I'm trying to figure out why ASP.NET/IIS would allow for the SQL call when using local content but not when using a UNC path. Any ideas what I need to do to use a UNC path from IIS7 properly?

    Read the article

  • ASP.NET Security Exception when Switch IIS7 to Use UNC Path for Content

    - by Jeremy H.
    I have a Windows Server 2008 R2 box running IIS7.5 with Medium Trust configured for ASP.NET. When I have the website running from local content (e.g.: c:\inetpub\wwwroot) everything works fine. When I change IIS to use a UNC path for the content (e.g.: \\computer\wwwroot) I get the following error: Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. I'm trying to figure out why ASP.NET/IIS would allow for the SQL call when using local content but not when using a UNC path. Any ideas what I need to do to use a UNC path from IIS7 properly?

    Read the article

  • Chrome shows "The site's security certificate is not trusted" error

    - by Emerald214
    From this morning I get this error whenever I access Google Docs and some websites. My system datetime is correct and I checked "Automatically from the Internet". My BIOS is OK. I cleared everything (cache, cookie, private data) in Chrome and restarted OS but nothing changes. How to fix it? Firefox works but Chrome has that problem. The site's security certificate is not trusted! You attempted to reach docs.google.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You cannot proceed because the website operator has requested heightened security for this domain.

    Read the article

  • Norton Security Suite Symantec Download Manager Error: "Error writing to disk"

    - by Stephen Pace
    My broadband provider (Comcast) decided to switch their 'included with service' security suite from McAfee to Norton Security Suite. Their email directed me to a site that downloaded the Symantec Download Manager (NortonDL.exe) and that went fine. I'm running Windows 7 32-bit and running this application pops up the standard User Account Control message and the software is correctly identified as coming from Symantec. I answer 'yes' to allow the software to install and upon launch immediately get an "Error writing to disk" error. I searched the Internet for this error, but mainly I find Comcast users complaining about the same issue with no resolution other than to call Symantec. I found no one suggesting a successful workaround and it appeared that most of the support calls took up to three hours. I'd like to avoid that if possible. Ideas? To be honest, I'm getting close to bagging this installation and just moving to Microsoft Security Essentials.

    Read the article

  • Oracle Advanced Security Options is Blank

    - by mak4pi
    I just installed Oracle DB 10gR2 with Oracle Advanced Security, but cannot see the algorithms. [user@db-1] adapters Installed Oracle Net transport protocols are: IPC BEQ TCP/IP SSL RAW Installed Oracle Net naming methods are: Local Naming (tnsnames.ora) Oracle Directory Naming Oracle Host Naming Oracle Names Server Naming Installed Oracle Advanced Security options are: Where are all the algorithms for Oracle Advanced Security options please? I checked the $ORACLE_HOME/bin/adapters file and it's looking for naea256i, naemd5i, etc. in the naetab.so file, but none of these are listed in the naetab.so file. What's wrong with the naetab.so file? Thanks.

    Read the article

  • Security Audit Failures in Event Viewer Windows Server 2008R2

    - by Jacob
    When I am looking at the security tab of my event viewer on a Windows Server 2008 R2, I am showing a ton of Audit Failures with Event ID 4776. The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: randy Source Workstation: HPDB1 Error Code: 0xc0000064 I verified the account "randy" exist in my Active Directory. From my understanding, there has not been any recent password changes. Is there any way to get detailed information on this error? I am wondering what program is requesting this information. Also, is there any way to clear this error up? I was thinking about resetting the password and changing it back to the original.

    Read the article

  • Security Issue with Active Directory

    - by Will McCloskey
    The retard who was on the built-in Administrator login somehow (and this is what I'm guessing being as he is not here and I was not present when this occurred - Supposedly it was an "ACCIDENT") Denied the built-in Administrator account and every other account except for his personal one access to our domain - ie "Example.net" not just active directory or anything. I've been trying for literally 2 hours to find some sort of way to take control of the domain through the built-in Admin account with no success; I can't even open Active Directory. I'm not aloud to open DSA.MSC and there's no way for me to take ownership. Any ideas?

    Read the article

  • View Security Server and Direct Connection

    - by Poort443
    I have a Security Server for my connections from the Internet. This works fine, accept when I enable "Direct Connection to the desktop". I found the following statement on this: If you bypass the secure connection, the client must establish a direct RDP communication to the desktop virtual machine over RDP (port 3389). Does this mean I have to open 3389 (RDP) to the Internet if I want to use Direct Connections? If I disable Direct Connections to get my Security Server working, I have to disable it on my Connection Server. It's my understanding that this means that if I reboot my Connection Server, all the View clients get disconnected. Is there a way I can disable "Direct Connections" for the Security Server, while enabling it for access from the LAN? Tia.

    Read the article

  • SharePoint Web Part Constructor Fires Twice When Adding it to the Page (and has a different security

    - by Damon
    We had some exciting times debugging an interesting issue with SharePoint 2007 Web Parts.  We had some code in staging that had been running just fine for weeks and had not been touched or changed in about the same amount of time.  However, when we tried to move the web part into a different staging environment, the part started throwing a security exception when we tried to add it to a page.  After a bit of debugging, we determined that the web part was throwing the exception while trying to access the SPGroups property on the SharePoint site.  This was pretty strange because we were logged in as an admin and the code was working perfectly fine before.  During the debugging process, however, we found out that the web part constructor was being fired twice.  On one request, the security context did not seem to have everything it needed in order to run.  On the other request, the security context was populated with the user context with the user making the request (like it normally is).  Moving the security code outside of the constructor seems to have fixed the issue. Why the discrepancy between the two staging environments?  Turns out we deployed the part originally, then deployed an update with the security code.  Since the part was never "added" to the page after the code updates were made (we just deployed a new assembly to make the updates), we never saw the problem.  It seems as though the constructor fires twice when you are adding the web part to the page, and when you run the web part from the web part gallery.  My only thought on why this would occur is that SharePoint is instantiating an instance to get some information from it - which is odd because you would think that would happen with reflection without requiring a new object.  Anyway, the work around is to just not put anything security related inside the constructor, or to do a good job accounting for the possibility of the security context not being present if you are adding the item to the page. Technorati Tags: SharePoint,.NET,Microsoft,ASP.NET

    Read the article

  • YouTube API Security Error Flex

    - by 23tux
    Hi, I've tried to use the YoutTube API within a Flex project. But i got this error: *** Security Sandbox Violation *** SecurityDomain 'http://www.youtube.com/apiplayer?version=3' tried to access incompatible context 'file:///Users/YouTubePlayer/bin-debug/YouTubePlayer.html' Here are the two files: <?xml version="1.0" encoding="utf-8"?> <s:Application xmlns:fx="http://ns.adobe.com/mxml/2009" xmlns:s="library://ns.adobe.com/flex/spark" xmlns:mx="library://ns.adobe.com/flex/halo" minWidth="1024" minHeight="768" xmlns:youtube="youtube.*" creationComplete="init();"> <fx:Script> <![CDATA[ [Bindable] private var ready:Boolean = true; private function init():void { Security.allowInsecureDomain("*"); Security.allowDomain("*"); Security.allowDomain('www.youtube.com'); Security.allowDomain('youtube.com'); Security.allowDomain('s.ytimg.com'); Security.allowDomain('i.ytimg.com'); } private function changing():void { /* trace("currentTime: " + player.getCurrentTime()); trace("startTime: " + player.startTime); trace("stopTime: " + player.stopTime); timeSlider.value = player.getCurrentTime() */ } private function startPlaying():void { player.play(); } private function checkStartSlider():void { if(startSlider.value > stopSlider.value) stopSlider.value = startSlider.value + 1; } private function checkStopSlider():void { if(stopSlider.value < startSlider.value) startSlider.value = stopSlider.value - 1; } ]]> </fx:Script> <s:VGroup> <youtube:Player id="player" videoID="DVFvcVuWyfE" change="changing();" ready="ready=true"/> <s:HGroup> <s:Button label="play" click="startPlaying();" /> </s:HGroup> <s:HGroup> <s:HSlider id="timeSlider" width="250" minimum="0" maximum="{player.stopTime}" snapInterval=".01" enabled="{ready}"/> <s:Label id="currentTimeLbl" text="current time: 0" /> </s:HGroup> <s:HGroup> <s:HSlider id="startSlider" width="250" minimum="0" maximum="{player.stopTime}" snapInterval=".01" change="checkStartSlider();" enabled="{ready}" value="0"/> <s:Label id="startTimeLbl" text="start time: {player.startTime}" /> </s:HGroup> <s:HGroup> <s:HSlider id="stopSlider" width="250" minimum="0" maximum="{player.stopTime}" snapInterval=".01" change="checkStopSlider();" enabled="{ready}" value="{player.stopTime}"/> <s:Label id="stopTimeLbl" text="stop time: {player.stopTime}" /> </s:HGroup> </s:VGroup> </s:Application> Here is the player package youtube { import flash.display.Loader; import flash.events.Event; import flash.events.TimerEvent; import flash.net.URLRequest; import flash.system.Security; import flash.utils.Timer; import mx.core.UIComponent; [Event(name="change", type="flash.events.Event")] [Event(name="ready", type="flash.events.Event")] public class Player extends UIComponent { private var player:Object; private var loader:Loader; private var _startTime:Number = 0; private var _stopTime:Number = 0; private var _videoID:String; private var metadataTimer:Timer = new Timer(200); private var playTimer:Timer = new Timer(200); public function Player() { // The player SWF file on www.youtube.com needs to communicate with your host // SWF file. Your code must call Security.allowDomain() to allow this // communication. Security.allowInsecureDomain("*"); Security.allowDomain("*"); // This will hold the API player instance once it is initialized. loader = new Loader(); loader.contentLoaderInfo.addEventListener(Event.INIT, onLoaderInit); loader.load(new URLRequest("http://www.youtube.com/apiplayer?version=3")); } private function onLoaderInit(event:Event):void { addChild(loader); loader.content.addEventListener("onReady", onPlayerReady); loader.content.addEventListener("onError", onPlayerError); loader.content.addEventListener("onStateChange", onPlayerStateChange); loader.content.addEventListener("onPlaybackQualityChange", onVideoPlaybackQualityChange); } private function onPlayerReady(event:Event):void { // Event.data contains the event parameter, which is the Player API ID trace("player ready:", Object(event).data); // Once this event has been dispatched by the player, we can use // cueVideoById, loadVideoById, cueVideoByUrl and loadVideoByUrl // to load a particular YouTube video. player = loader.content; // Set appropriate player dimensions for your application player.setSize(0, 0); } private function onPlayerError(event:Event):void { // Event.data contains the event parameter, which is the error code trace("player error:", Object(event).data); } private function onPlayerStateChange(event:Event):void { // Event.data contains the event parameter, which is the new player state trace("player state:", Object(event).data); } private function onVideoPlaybackQualityChange(event:Event):void { // Event.data contains the event parameter, which is the new video quality trace("video quality:", Object(event).data); } [Bindable] public function get videoID():String { return _videoID; } public function set videoID(value:String):void { _videoID = value; } [Bindable] public function get stopTime():Number { return _stopTime; } public function set stopTime(value:Number):void { _stopTime = value; } [Bindable] public function get startTime():Number { return _startTime; } public function set startTime(value:Number):void { _startTime = value; } public function play():void { if(_videoID!="") { player.loadVideoById(_videoID, 0); // add the event listener, so that all 200 milliseconds is an event dispatched metadataTimer.addEventListener(TimerEvent.TIMER, metadataTimeHandler); // if the timer is running, stop and reset it if(metadataTimer.running) metadataTimer.reset(); else metadataTimer.start(); } } private function metadataTimeHandler(e:TimerEvent):void { if(player.getDuration() > 0) { startTime = 0; stopTime = player.getDuration(); metadataTimer.reset(); metadataTimer.stop(); metadataTimer.removeEventListener(TimerEvent.TIMER, metadataTimeHandler); player.playVideo(); playTimer.addEventListener(TimerEvent.TIMER, playTimerHandler); dispatchEvent(new Event("ready")); } } private function playTimerHandler(e:TimerEvent):void { if(getCurrentTime() > _stopTime) { seekTo(startTime); } dispatchEvent(new Event(Event.CHANGE)); } public function getCurrentTime():Number { if(!player.getCurrentTime()) return 0; else return player.getCurrentTime(); } public function seekTo(time:uint):void { player.seekTo(time); } } } Hope someone can help. thx, tux

    Read the article

  • Outlook express 6 crashes after "synchonizing account"

    - by Ira Baxter
    [EDIT: Revised OE version to match reality] I use Outlook Express (OE) 6.00.3790.3959 to read newsgroups. I regularly scan through about 100 newsgroups. When I select a newsgroup, and then select "synchronize account", OE goes through the newsgroups visibly updating the unread message count. It gets apparantly to the end, and then comes back to check for Watched Conversations, of which I typically have a few scattered across the newsgroups. It invariably crashes with some kind of access fault. A dialog box pops up saying "Want to debug with "; I invariable say No, and the process goes away. I restart OE, select the newsgroup, and skip "Synchronize Account"; I am able to read news and everything seems just fine. This behavior has occurred since I set it up several months ago. Is the newsgroups database screwed up? Can I run something like CHKDSK or Outlooks PST repair to fix things up? Any suggestions as to what to do? The system is Windows XP 64 system installed in January 2008. I accept Windows Updates and install them on a regular basis. I use Outlook (not OE) for regular email an it behaves perfectly normally.

    Read the article

  • Cannot remove storage account because of lease, but I already deleted the server [closed]

    - by djechelon
    I recently created a temporary virtual server on Azure. Then I deleted it. I wanted to delete the storage account associated with it because I didn't need it any more. The problem is that the VHD file is still associated to a non-existing virtual machine!! If I try to delete the VHD from Virtual Machines\Disks I get the Delete button greyed and the table tells me it's still associated with the old VM. If I go to storage administration and try to delete the blob from vhds/ directory I get there is an active lease. I've read on Azure forums that, in these case, one should try to force releasing the lease from the blob. I followed their instructions and downloaded their script, but running it failed. The script detected that the disk is associated to a Virtual Machine and can't be deleted. The problem is that I'm 1000000% sure that I already deleted the VM. In fact, I currently only have a single VM that has its own HD and is up and running fine! What can I do to delete that storage account that is probably sucking money from my pocket?

    Read the article

  • Creating multiple SFTP users for one account

    - by Tom Marthenal
    I'm in the process of migrating an aging shared-hosting system to more modern technologies. Right now, plain old insecure FTP is the only way for customers to access their files. I plan on replacing this with SFTP, but I need a way to create multiple SFTP users that correspond to one UNIX account. A customer has one account on the machine (e.g. customer) with a home directory like /home/customer/. Our clients are used to being able to create an arbitrary number of FTP accounts for their domains (to give out to different people). We need the same capability with SFTP. My first thought is to use SSH keys and just add each new "user" to authorized_keys, but this is confusing for our customers, many of whom are not technically-inclined and would prefer to stick with passwords. SSH is not an issue, only SFTP is available. How can we create multiple SFTP accounts (customer, customer_developer1, customer_developer2, etc.) that all function as equivalents and don't interfere with file permissions (ideally, all files should retain customer as their owner)? My initial thought was some kind of PAM module, but I don't have a clear idea of how to accomplish this within our constraints. We are open to using an alternative SSH daemon if OpenSSH isn't suitable for our situation; again, it needs to support only SFTP and not SSH. Currently our SSH configuration has this appended to it in order to jail the users in their own directories: # all customers have group 'customer' Match group customer ChrootDirectory /home/%u # jail in home directories AllowTcpForwarding no X11Forwarding no ForceCommand internal-sftp # force SFTP PasswordAuthentication yes # for non-customer accounts we use keys instead Our servers are running Ubuntu 12.04 LTS.

    Read the article

  • Outlook 2010 IMAP account - send on behalf

    - by Master of Celebration
    So I was looking for a possibility to manage the mail distribution of online shops, newsfeeds, etc. and have a nice solution via distribution groups aka. alias addresses. In example, I register an account on eBay using "[email protected]" (where org.com is my company obviously). That address is an alias and can be managed on my on-premise mail server setting destination to somebody's mailbox independent from logging on to eBay - in case somebody else shall do the eBay-stuff, I can quick change the destination of that alias :-) So far, so good - and now to the problem: Using Microsoft Outlook 2010 and an IMAP account on our mail server, I cannot figure out how to remove that "on behalf of"-string visible in the from-field when sending a message under that [email protected] address. That's quite a pity, because especially eBay doesn't accept/forward mails not coming from the registered address.. Using other mail clients (e.g. Mozilla Thunderbird), the problem does not occur so I guess it's Outlook specific. I cannot "grant" permission to "send as", because that address is not a mailbox, but rather an alias only. Furthermore, the mail accounts are not Exchange, but IMAP! Does anybody have any other ideas to "remove" that annoying string? Consideration: We have to use Microsoft Outlook for some reason! :-)

    Read the article

  • Securing Flexfield Value Sets in EBS 12.2

    - by Sara Woodhull
    Release 12.2 includes a new feature: flexfield value set security. This new feature gives you additional options for ensuring that different administrators have non-overlapping responsibilities, which in turn provides checks and balances for sensitive activities.  Separation of Duties (SoD) is one of the key concepts of internal controls and is a requirement for many regulations including: Sarbanes-Oxley (SOX) Act Health Insurance Portability and Accountability Act (HIPAA) European Union Data Protection Directive. Its primary intent is to put barriers in place to prevent fraud or theft by an individual acting alone. Implementing Separation of Duties requires minimizing the possibility that users could modify data across application functions where the users should not normally have access. For flexfields and report parameters in Oracle E-Business Suite, values in value sets can affect functionality such as the rollup of accounting data, job grades used at a company, and so on. Controlling access to the creation or modification of value set values can be an important piece of implementing Separation of Duties in an organization. New Flexfield Value Set Security feature Flexfield value set security allows system administrators to restrict users from viewing, adding or updating values in specific value sets. Value set security enables role-based separation of duties for key flexfields, descriptive flexfields, and report parameters. For example, you can set up value set security such that certain users can view or insert values for any value set used by the Accounting Flexfield but no other value sets, while other users can view and update values for value sets used for any flexfields in Oracle HRMS. You can also segregate access by Operating Unit as well as by role or responsibility.Value set security uses a combination of data security and role-based access control in Oracle User Management. Flexfield value set security provides a level of security that is different from the previously-existing and similarly-named features in Oracle E-Business Suite: Function security controls whether a user has access to a specific page or form, as well as what operations the user can do in that screen. Flexfield value security controls what values a user can enter into a flexfield segment or report parameter (by responsibility) during routine data entry in many transaction screens across Oracle E-Business Suite. Flexfield value set security (this feature, new in Release 12.2) controls who can view, insert, or update values for a particular value set (by flexfield, report, or value set) in the Segment Values form (FNDFFMSV). The effect of flexfield value set security is that a user of the Segment Values form will only be able to view those value sets for which the user has been granted access. Further, the user will be able to insert or update/disable values in that value set if the user has been granted privileges to do so.  Flexfield value set security affects independent, dependent, and certain table-validated value sets for flexfields and report parameters. Initial State of the Feature upon Upgrade Because this is a new security feature, it is turned on by default.  When you initially install or upgrade to Release 12.2.2, no users are allowed to view, insert or update any value set values (users may even think that their values are missing or invalid because they cannot see the values).  You must explicitly set up access for specific users by enabling appropriate grants and roles for those users.We recommend using flexfield value set security as part of a comprehensive Separation of Duties strategy. However, if you choose not to implement flexfield value set security upon upgrading to or installing Release 12.2, you can enable backwards compatibility--users can access any value sets if they have access to the Values form--after you upgrade. The feature does not affect day-to-day transactions that use flexfields.  However, you must either set up specific grants and roles or enable backwards compatibility before users can create new values or update or disable existing values. For more information, see: Release 12.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C (Document 1589204.1) R12.2 TOI: Implement and Use Application Object Library (AOL) - Flexfields Security and Separation of Duties for Value Sets (recorded training)

    Read the article

  • WCF/MSMQ Transport Security with Certificates

    - by user104295
    Hi there, my goal is to secure the communication between MSMQ Queue Managers – I don’t want unknown clients sending messages to my MSMQ server. I have spent many hours now trying to get Transport security working for the net.msmq binding in WCF, where MSMQ is in Workgroup mode and the client and server do not have Active Directory… so I’m using certificates. I have created a new X.509 certificate, called Kristan and put it into the “Trusted people” store on the server and into the My store of Current User of the client. The error I’m getting is: An error occurred while sending to the queue: Unrecognized error -1072824272 (0xc00e0030).Ensure that MSMQ is installed and running. If you are sending to a local queue, ensure the queue exists with the required access mode and authorization. Using smartsniff, I see that there’s no attempted connection with the remote MSMQ, however, it’s an error probably coming from the local queue manager. The stack trace is: at System.ServiceModel.Channels.MsmqOutputChannel.OnSend(Message message, TimeSpan timeout) at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.OutputChannelBinder.Send(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) The code:- EndpointAddress endpointAddress = new EndpointAddress(new Uri(endPointAddress)); NetMsmqBinding clientBinding = new NetMsmqBinding(); clientBinding.Security.Mode = NetMsmqSecurityMode.Transport; clientBinding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate; clientBinding.Security.Transport.MsmqProtectionLevel = System.Net.Security.ProtectionLevel.Sign; clientBinding.ExactlyOnce = false; clientBinding.UseActiveDirectory = false; // start new var channelFactory = new ChannelFactory<IAsyncImportApi>(clientBinding, endpointAddress); channelFactory.Credentials.ClientCertificate.SetCertificate("CN=Kristan", StoreLocation.CurrentUser, StoreName.My); The queue is flagged as ‘Authenticated’ on the server. I have checked the effect of this and if I turn off all security in the client send, then I get ‘Signature is invalid’ – which is understandable and shows that it’s definitely looking for a sig. Are there are special ports that I need to check are open for cert-based msmq auth? thanks Kris

    Read the article

  • Java 7u4 webstart security exception: Class does not match trust level

    - by Glstunna
    We began to notice that with Java 7 (particularly with update 4), that all our users began to see this with our Webstart app: [14:42:58,422] AWT-EventQueue-0(DEBUG) java.lang.SecurityException: class "CLASSNAME" does not match trust level of other classes in the same package [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.net.URLClassLoader$1.run(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.net.URLClassLoader$1.run(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.security.AccessController.doPrivileged(Native Method) [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.net.URLClassLoader.findClass(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.lang.ClassLoader.loadClass(Unknown Source) [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.lang.ClassLoader.loadClass(Unknown Source)...More Where CLASSNAME = pretty much every class at random points from several jars in the app execution, breaking several behavior. If our users were to use Java 6, they have no problems! Just 7 (update 4). We sign ALL our jars, both the main application jar and it's library jars. i.e Users launching our webstart app see the blue shield instead of yellow or red. This is obviously an issue as users are more frequently now upgrading to Java 7. I have tried to force our app to use Java 6 on the user machine either by using a previous installation(works), or installing a new one....with the j2se version="1.6" tag around resources but this causes it's own problems that would probably be best to make into it's own thread (the auto-jre-installation part). Did Oracle break Webstart security with Java 7u4? How do I solve this securityexception issue?

    Read the article

  • How to set individual NTFS partitions permissions behaviour for each user account?

    - by ryniek
    I have two NTFS partitions (DOWNLOADS for downloaded files and VM for my VirtualBox .vdi file) for which i must have full permissions for my allday use account. They should be also automounting when i login to this account. But i've also set Guest account for guests. For Guest account, i want make VM partition fully disabled and invisible (and thus it mustn't automount) but DOWNLOADS partition should be shared with limited privileges with Guest account. Editing fstab i'm able to share DOWNLOADS partition with Guest on limited privileges but VM can be only set to limited and have disabled automounting - so guest can't mount it but it still can be seen in Nautilus, plus I must always mount it manually when i login to allday account. Is there some trick to make what i want? Here's my fstab config: # /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc nodev,noexec,nosuid 0 0 #Entry for /dev/sda1 : UUID=35e66658-5ee9-40cf-bf56-8204959e3df0 / xfs defaults 01 #Entry for /dev/sda2 : UUID=26c714cf-4236-45e7-9c46-cfcf91a215ae /home xfs defaults 02 #Entry for /dev/sda5 : UUID=1315BCB027C44639 /media/DOWNLOADS ntfs-3g auto,uid=1000,gid=1000,umask=0022,nodev,locale=pl_PL.utf8 0 0 #Entry for /dev/sda6 : UUID=60FF39EB72B72264 /media/VM ntfs noauto,uid=1000,gid=1000,umask=0077,nodev,locale=pl_PL.utf8 0 0 #Entry for /dev/sda7 : UUID=c52411f5-105c-45d1-971f-412f962c350e none swap sw 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0 Thanks

    Read the article

  • Interesting articles and blogs on SPARC T4

    - by mv
    Interesting articles and blogs on SPARC T4 processor   I have consolidated all the interesting information I could get on SPARC T4 processor and its hardware cryptographic capabilities.  Hope its useful. 1. Advantages of SPARC T4 processor  Most important points in this T4 announcement are : "The SPARC T4 processor was designed from the ground up for high speed security and has a cryptographic stream processing unit (SPU) integrated directly into each processor core. These accelerators support 16 industry standard security ciphers and enable high speed encryption at rates 3 to 5 times that of competing processors. By integrating encryption capabilities directly inside the instruction pipeline, the SPARC T4 processor eliminates the performance and cost barriers typically associated with secure computing and makes it possible to deliver high security levels without impacting the user experience." Data Sheet has more details on these  : "New on-chip Encryption Instruction Accelerators with direct non-privileged support for 16 industry-standard cryptographic algorithms plus random number generation in each of the eight cores: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, Kasumi, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512" I ran "isainfo -v" command on Solaris 11 Sparc T4-1 system. It shows the new instructions as expected  : $ isainfo -v 64-bit sparcv9 applications crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc 32-bit sparc applications crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32  2.  Dan Anderson's Blog have some interesting points about how these can be used : "New T4 crypto instructions include: aes_kexpand0, aes_kexpand1, aes_kexpand2,         aes_eround01, aes_eround23, aes_eround01_l, aes_eround_23_l, aes_dround01, aes_dround23, aes_dround01_l, aes_dround_23_l.       Having SPARC T4 hardware crypto instructions is all well and good, but how do we access it ?      The software is available with Solaris 11 and is used automatically if you are running Solaris a SPARC T4.  It is used internally in the kernel through kernel crypto modules.  It is available in user space through the PKCS#11 library." 3.   Dans' Blog on Where's the Crypto Libraries? Although this was written in 2009 but still is very useful  "Here's a brief tour of the major crypto libraries shown in the digraph:   The libpkcs11 library contains the PKCS#11 API (C_\*() functions, such as C_Initialize()). That in turn calls library pkcs11_softtoken or pkcs11_kernel, for userland or kernel crypto providers. The latter is used mostly for hardware-assisted cryptography (such as n2cp for Niagara2 SPARC processors), as that is performed more efficiently in kernel space with the "kCF" module (Kernel Crypto Framework). Additionally, for Solaris 10, strong crypto algorithms were split off in separate libraries, pkcs11_softtoken_extra libcryptoutil contains low-level utility functions to help implement cryptography. libsoftcrypto (OpenSolaris and Solaris Nevada only) implements several symmetric-key crypto algorithms in software, such as AES, RC4, and DES3, and the bignum library (used for RSA). libmd implements MD5, SHA, and SHA2 message digest algorithms" 4. Difference in T3 and T4 Diagram in this blog is good and self explanatory. Jeff's blog also highlights the differences  "The T4 servers have improved crypto acceleration, described at https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine. It is "just built in" so administrators no longer have to assign crypto accelerator units to domains - it "just happens". Every physical or virtual CPU on a SPARC-T4 has full access to hardware based crypto acceleration at all times. .... For completeness sake, it's worth noting that the T4 adds more crypto algorithms, and accelerates Camelia, CRC32c, and more SHA-x." 5. About performance counters In this blog, performance counters are explained : "Note that unlike T3 and before, T4 crypto doesn't require kernel modules like ncp or n2cp, there is no visibility of crypto hardware with kstats or cryptoadm. T4 does provide hardware counters for crypto operations.  You can see these using cpustat: cpustat -c pic0=Instr_FGU_crypto 5 You can check the general crypto support of the hardware and OS with the command "isainfo -v". Since T4 crypto's implementation now allows direct userland access, there are no "crypto units" visible to cryptoadm.  " For more details refer Martin's blog as well. 6. How to turn off  SPARC T4 or Intel AES-NI crypto acceleration  I found this interesting blog from Darren about how to turn off  SPARC T4 or Intel AES-NI crypto acceleration. "One of the new Solaris 11 features of the linker/loader is the ability to have a single ELF object that has multiple different implementations of the same functions that are selected at runtime based on the capabilities of the machine.   The alternate to this is having the application coded to call getisax(2) system call and make the choice itself.  We use this functionality of the linker/loader when we build the userland libraries for the Solaris Cryptographic Framework (specifically libmd.so and libsoftcrypto.so) The Solaris linker/loader allows control of a lot of its functionality via environment variables, we can use that to control the version of the cryptographic functions we run.  To do this we simply export the LD_HWCAP environment variable with values that tell ld.so.1 to not select the HWCAP section matching certain features even if isainfo says they are present.  This will work for consumers of the Solaris Cryptographic Framework that use the Solaris PKCS#11 libraries or use libmd.so interfaces directly.  For SPARC T4 : export LD_HWCAP="-aes -des -md5 -sha256 -sha512 -mont -mpul" .. For Intel systems with AES-NI support: export LD_HWCAP="-aes"" Note that LD_HWCAP is explained in  http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html "LD_HWCAP, LD_HWCAP_32, and LD_HWCAP_64 -  Identifies an alternative hardware capabilities value... A “-” prefix results in the capabilities that follow being removed from the alternative capabilities." 7. Whitepaper on SPARC T4 Servers—Optimized for End-to-End Data Center Computing This Whitepaper on SPARC T4 Servers—Optimized for End-to-End Data Center Computing explains more details.  It has DTrace scripts which may come in handy : "To ensure the hardware-assisted cryptographic acceleration is configured to use and working with the security scenarios, it is recommended to use the following Solaris DTrace script. #!/usr/sbin/dtrace -s pid$1:libsoftcrypto:yf*:entry, pid$target:libsoftcrypto:rsa*:entry, pid$1:libmd:yf*:entry { @[probefunc] = count(); } tick-1sec { printa(@ops); trunc(@ops); }" Note that I have slightly modified the D Script to have RSA "libsoftcrypto:rsa*:entry" as well as per recommendations from Chi-Chang Lin. 8. References http://www.oracle.com/us/corporate/features/sparc-t4-announcement-494846.html http://www.oracle.com/us/products/servers-storage/servers/sparc-enterprise/t-series/sparc-t4-1-ds-487858.pdf https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine https://blogs.oracle.com/DanX/entry/where_s_the_crypto_libraries https://blogs.oracle.com/darren/entry/howto_turn_off_sparc_t4 http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html   https://blogs.oracle.com/hardware/entry/unleash_the_power_of_cryptography https://blogs.oracle.com/cmt/entry/t4_crypto_cheat_sheet https://blogs.oracle.com/martinm/entry/t4_performance_counters_explained  https://blogs.oracle.com/jsavit/entry/no_mau_required_on_a http://www.oracle.com/us/products/servers-storage/servers/sparc-enterprise/t-series/sparc-t4-business-wp-524472.pdf

    Read the article

  • How to use role-hierarchy in Spring Security 3 with Spring EL?

    - by Aleksey
    I want to use @PreAuthorize annotation on service methods with Spring Security. One of requirements is to use role-hierarchy. But by default it is not enabled. I found that in SecurityExpressionRoot class ("the base class for expression root objects") there is a property roleHierarchy. The class actually does use this property for methods like hasRole() and hasAnyRole(). I suppose that if I supply it with my own RoleHierarchy bean I will be able to use @PreAuthorize annotations with hierarchical roles. How can I inject my hierarchy bean into SecurityExpressionRoot?

    Read the article

  • additional security measures besides a login with user-password - what can you think of?

    - by Tom Tom
    I'm wondering which additional security measures one could take besides a traditional login with user and password. What do you think of this one: _manually adding a cookie to each client which includes a secret key _this cookie is not served by the webserver, it is actually copied "by hand" to each client computer _if a client connects to the web-app the server graps that cookie and if the containing secret key is ok, the traditional login box is presented where the user has to enter the user-password combination _communication between client and server is encrypted with https Thus a potential intruder would first need to get the cookie from the clients computer, which is only possible with having access to the clients computer. This would work only for a very small user-base and an admin willing to do this manual work.

    Read the article

  • Spring security annotations with EL -- requires debug information compiled in?

    - by HDave
    I am considering using Spring Security annotations for my application, with the EL (expression language) feature. For example: @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); I need the EL capability because I have built my own ACL implementation. However, to use this capability with the "#contact" type arguments, the Spring documentation says this: You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in. This begs two questions: It is acceptable to have a production application commercially distributed with debug info in it? If not, is there any way around this? Thanks for any guidance on this!

    Read the article

  • make an http post from server using user credentials - integrated security

    - by opensas
    I'm trying to make a post, from an asp classic server side page, using the user credentials... I'm using msxml2.ServerXMLHTTP to programatically make the post I've tried with several configurations in the IIS 5.1 site, but there's no way I can make IIS run with a specified account... I made a little asp page that runs whoami to verify what account the iis process i using... with IIS 5.1, using integrated security the process uses: my_machine\IWAM_my_machine I disable integrated security, and leave a domain account as anonymous access, and I get the same (¿?) to test the user I do the following private function whoami() dim shell, cmd set shell = createObject("wscript.shell") set cmd = shell.exec( server.mapPath( "whoami.exe" ) ) whoami = cmd.stdOut.readAll() set shell = nothing: set cmd = nothing end function is it because I'm issuing a shell command? I'd like to make http post calls, to another site that works with integrated security... So I need some way to pass the credentials, or at least to run with a specified account, and then configure the remote site to thrust that account... I thought that just setting the site to work with integrated security would be enough... How can I achieve such a thing? ps: with IIS6,happens the same but if I change the pool canfiguration I get the following info from whoami NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\SYSTEM if I set a domain account, I get a "service unavailable" message... edit: found this http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/275269ee-1b9f-4869-8d72-c9006b5bd659.mspx?mfr=true it says what I supossed, "If an authenticated user makes a request, the thread token is based on the authenticated account of the user", but somehow I doesn't seem to work like that... what could I possibly be missing? edit: well the whoami thing is obviously fooling me, I tried with the following function private function whoami_db( serverName, dbName ) dim conn, data set conn = server.createObject("adodb.connection") conn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _ "Initial Catalog=" & dbName & ";Data Source=" & serverName set data = conn.execute( "select suser_sname() as user_name" ) whoami_db = data("user_name") data.close: conn.close set data = nothing: set conn = nothing end function and everything seemed to be working fine... but how can I make msxml2.ServerXMLHTTP work with the user credentials???

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 63 64 65 66 67 68 69 70 71 72 73 74  | Next Page >