security

问题 I'm looking for a java argument (or perhaps some different method) to allow me to specify a file to be used by the JVM as the java.security file, rather than using the one found in the JDK (in the JRE lib). To give you a little more context, I am working with a WebLogic server that was set up by someone else and is running two (or more) different JVMs off the same JDK. We have run into an issue now where the work I'm doing on one JVM requires a different java.security file than the one that

问题 How do I create a random password that meets the system's length and character set requirements in Java? I have to create a random password that is 10-14 characters long and has at least one uppercase, one lowercase, and one special character. Unfortunately, some special characters are too special and cannot be used, so I cannot use just printed ASCII. Many of the examples on this site generate a random password or session key without enough entropy in the characters or without realistic

问题 I am trying to read an X509 certificate using Request.ClientCertificate but nothing is returned. The certificate is definitely being attached to the request because I can get the certificate information from the page sending the request. I have tried reading the certificate from several different places but cannot seem to get it to work. I started with code from this KB Article. In the requested page I tried to print out some information about the certificate but nothing was returned in the

问题 Are there generally accepted tactics for protecting Django applications against this kind of attack? 回答1: django-axes is an existing app for detecting failed login attempts. There is also a more general django-ratelimit. 回答2: You can: Keep track of the failed login attempts and block the attacker after 3 attempts. If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts. You can also increase the time between login attempts after eached

问题 Are there generally accepted tactics for protecting Django applications against this kind of attack? 回答1: django-axes is an existing app for detecting failed login attempts. There is also a more general django-ratelimit. 回答2: You can: Keep track of the failed login attempts and block the attacker after 3 attempts. If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts. You can also increase the time between login attempts after eached

问题 I've read a bit about it at http://oauth.net/ , it's "a simple way to publish and interact with protected data" apparently. I think it's exactly what I need to provide a secure way of accessing data from an android/iphone app via a REST web service, but I can't work out exactly what it is. So, put simply, what exactly does it do and are there any (really) simple examples of it in action I can follow, preferably implementing something in c# that can be accessed from a smartphone app? 回答1: From

问题 So here is the problem. When a user logs out of my website, they can still hit the back button and continue using the site. To keep track of whether the user is logged in or not, I created a session attribute "isActive". The attribute is set to true when the user logs in, and is (redundantly) removed right before the session is invalidated at logout. Also on every page I check if the attribute is present. I also specify that pages should not be cached in their head tags. Despite this users

问题 OK, here's a scenario: Bob logs into mysite.com, which uses .NET forms authentication, and ticks 'remember me'. Eve steals Bob's laptop Bob gets a new laptop, and changes his password. Now at this point, Eve has a stolen laptop, which has a persistent cookie stored on it, that will log her in to mysite.com as Bob - and, as far as I can tell, this will work even after Bob has changed his password . By default, the forms authentication cookie doesn't contain Bob's password (whether plaintext,

问题 I don't want someone keep F5 my site or using some tool to request the page frequently. That is to say, prevent an Action or the Controller to be invoked frequently by one client. How can I implement this? Is there any package I can use? just like AntiXSS library. 回答1: Most of these features are going to be found in the IIS manager. Something like Dynamic IP Restrictions should help. Read through Microsoft's Best Practices for Preventing DoS/Denial of Service Attacks, this provides a good

问题 My understanding is that a salt is not intended to be secret, it is merely intended to be different from any centralized standard so that you can't develop a rainbow table or similar attack to break all hashes that use the algorithm, since the salt breaks the rainbow table. My understanding here might not be completely correct, so correct me if I'm wrong. In a widely-used piece of open-source software, the salt would be widely known, and this opens you up to attacks because now they can