security

问题 In my Flash app, I'm connecting to my server like this: Security.loadPolicyFile("xmlsocket://example.com:12860"); socket = new Socket("example.com", 12869); socket.writeByte(...); ... socket.flush(); At port 12860 I'm running a socket policy server, which (according to this document) correctly serves up my policy like this: 00000000 3c 70 6f 6c 69 63 79 2d 66 69 6c 65 2d 72 65 71 <policy- file-req 00000010 75 65 73 74 2f 3e 00 uest/>. 00000000 3c 63 72 6f 73 73 2d 64 6f 6d 61 69 6e 2d 70 6f

问题 I am wondering how one can attack the problem of denying *.groovy files the ability to reference and make use of certain classes that i pick. One approach is of course to install a security manager and classloader to block attempts toload or execute certain methods on certain classes eg java.io.File. This however of course from what i can imagine not affect interpretted mode as no class is ever generatd or loaded by the classloader. Ideally i would like the equivalent of class verifying but

问题 I am creating a website which until now is pure PHP. I was thinking that since very few people do not have JavaScript enabled (which I wonder why!) maybe I should create my website as a fully PHP site without any AJAX. Am I thinking wrong? Just to be sure, if I implement some AJAX would it increase the risk of my site getting breached? Should I be even worried about this and start using AJAX? 回答1: AJAX itself will not increase or decrease the security of your site, at least if its

问题 I have some question about the facebook apps secure canvas URL. For the facebook apps secure canvas URL or secure page tab URL, does it require a specific kind of SSL Certificates, or any kind of them is fine?? As I am using one domain to host all things in different apps, is it fine for different apps using the same security domain? For example, if I bought a SSL for my domain, let's say it is http://abc.com. What I need to type in the secure canvas URL box is https://abc.com, right? Do I

问题 I have questions regarding the best way to secure the authentication of users. I have come across a web application that encrypts the user password in the back end . However this encryption is done with the same key to all passwords. Also, this key is "hardcoded" in the back end. They (the app developers) claim that this is perfectly secure. However I have my doubts. I believe that this method can cause two problems: The reason to encrypt passwords is to avoid access to the passwords in the

问题 Is it possible to set the expiration date of a Provisioning Profile? I am having an internal trial within the company and I would like to set the expiration date to be the end of the trial; instead of just being a year from the creation date. Is it possible or is it always going to be one year from the creation date? Also, if its not possible to set the expiration date, is it possible to kill the provisioning profile from the portal that way the application itself will expire and not be able

问题 My first question is, I've heard that hashing the string 2 times (e.g. sha1(sha1(password)) ), because the second hash has a fixed length, is it true?? My the second question is, which is safer? (var1 and var2 are 2 strings): sha1(var1 + sha1(var2)) sha1(var1 + var2) If it is the 1st one, is it worth the performance cost? 回答1: By hashing the string twice, you are increasing the risk of collisions, which is bad security-wise. Instead of having an infinite amount of inputs leading to 2 128

问题 I'm trying to find if there's a good way to prevent CSRF on a javascript widget embedded on customers' websites. The widget would enable end users to make requests against our customers' accounts via JSONP to a a PHP server which proxies those requests to our (non-public) API. To this point, I haven't come up with a surefire way to ensure all requests are coming from only our customers' websites. Some ideas I've had: Tokens generated on the server side and passed back along with each

问题 I have a webapp which has angularJS on the frontend and Java on the backed. Angular communicates with the java backend via Restful webservices consuming and sending JSON across HTTP. I need to build the authentication mechanism for this app and was wondering how would be the best approach, currently I'm using JAAS based authentication (JDBC user table). This is how my app is configured: My web.xml configuration has: <login-config> <auth-method>FORM</auth-method> <realm-name>userauth</realm

问题 Platform: ASP.NET 4.0 MVC 4 C# jQuery Here's what I want to do. I'm building a simple forum for my product. I want to give users a text area to enter their posts or comments. I'd like to allow basic text formatting HTML and links - like p, a, b, i Don't want any other html styling - i.e. div, span, etc. etc. Don't want any scripting access Is there a clever way to do this? I could, for e.g., allow unsafe text and examine it on the server side but I doubt I'd be able to clean it up correctly