security

问题 Suppose I have a server storing encrypted text (end-to-end: server never sees plain text). I want to be able to do full text search on that text. I know this is tricky, but my idea is to use the traditional full text design ("list" and "match" tables where words are stored and matched with ids from the content table). When users submit the encrypted text, they also send a salted MD5 of the words and respective matches. The salt used is unique for each user and is recovered from their password

问题 I am relatively new to the Spring Framework and Spring security. I have used a custom authentication scheme, HTML: <form action="j_spring_security_check"> <input type="text" name="j_username" value="abc"/> <input type="text" name="j_password" value="abc"/> <input type="text" name="myCustom1" value="pqr"/> <!-- maybe type="hidden" --> <input type="text" name="myCustom2" value="pqr"/> <!-- maybe type="hidden" --> </form> and the corresponding code: public class CustomAuthenticationProvider

问题 I know this is a duplicate question Codeigniter/PHP sessions security question but sorry to tell all measure recommended there failed in my case and that is the reason why I am repeating this question and that question asked in 2011 and now its answers will be outdated. So please don't duplicate it. In my scenario I enabled $config['sess_driver'] = 'database'; and $config['sess_match_ip'] = TRUE; in config file. I also put csrf token and XSS filtering in my authentication form and always use

问题 Hi I am beginner in Java security, i encounter the following issue, when calling : Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); I got the error : java.lang.ClassCastException: com.sun.crypto.provider.RSACipher cannot be cast to javax.crypto.CipherSpi There are 5 more jars file for a payment gateway encryption in my war file: cryptix-jce-api.jar cryptix-jce-provider.jar cryptix-message-api.jar cryptix-openpgp-provider.jar cryptix-pki-api.jar Without these 5 JAR files then the

问题 I'm trying to implement a "secure" broadcast receiver which only receives broadcasts from a specific app. This is because I want to make a plugin to my app which triggers actions via broadcasts. As this actions are (partly) sensible it would be nice to check if the sender is really my application. As far as I have seen it's impossible to check the sender package?? Would it be secure to define a custom permission for that? If yes, how can I do this? What other possibilities are there to

问题 The SSL / TLS handshake between a "Java 1.7 TLS 1.1 server" and a "Java 1.8 client" fails in my environment with the following exception on the server side: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips Following are the details of the server and the client in my environment: Server: The server uses Java 1.7u45 and is running in FIPS 140 compliant mode as mentioned in http://docs.oracle.com/javase/7/docs/technotes/guides

问题 I am creating a login-function on my website, and I am thinking about regenerating the session ID on every page to make things more secure. I have read PHP:s information about regenerate_id but the posts on the PHP page are quite different from the information they provide about session_regenerate_id. Could somebody explain these two questions: Do I need to copy the old session data into the newly generated one, or is this done automatically? Code examples are very much appreciated... How do

问题 I've recently switched to environment based application deployments for Laravel and I've decided to store credentials for my local and production server in .env files using $_ENV however I've discovered when debugging is turned on and an exception is thrown the error displays the environment variables exposing database credentials. Now I'm certain debugging will always be off on production because that's what I have it default to, then I override it in a local folder for my local environment

问题 im a total beginner in web programming. Im trying to create a simple website that is reading data from a SQL Database. At first i just wrote my database password and login directly into the php code: <?php $username = "login"; $password = "pw"; mysql_connect("server", $username, $password); ... ?> This obviously isn't a very good idea! So what is a (much) more "secure" way to do this? I read about putting the php code into a seperate file, meaning not into the main php document of the website

问题 I am looking into building an authentication in my ASP.NET application with the following requirements. A user has exactly one Role (i.e. Admin, SalesManager, Sales, ....) A role has a set of permissions to CRUD access a subset of existing objects. I.e. "Sales has CREAD, READ, WRITE permission on object type "Products" but not DELETE" Somehow I like the permissions to be in a hierarchy with inheritance so that I for i.e. Admin don't need to specify all available objects. The system must