security

Can I trust Java SecurityManager sandbox?

南笙酒味 submitted on 2019-12-30 07:20:32
Question: I'm writing a JavaFX2 application that accepts arbitrary code to be loaded from remote locations. For me, using a custom SecurityManager, ClassLoader and ProtectionDomain was the way to go. Unfortunately this seems to be the same setup that's used to sandbox applets, which has caused a lot of security exploits and that in turn has persuaded people to fear the Java Web Plugin and remove it from their OS entirely. Is the Java sandbox a secure environment to run untrusted code in, or is it just the

How to check if the user is already logged in or not using Cookie?

若如初见. submitted on 2019-12-30 07:16:09
Question: I want to know how I can detect whether the user is already logged in or not, using a cookie. I am not using any log-in control. I have a db which checks the ID and PWD. Also please let me know if it can be done without using cookies. Any code or links will help. web.config: <authentication mode="Forms"> <forms name="myForm" loginUrl="LogIn.aspx" path="/" defaultUrl="Home.aspx"> </forms> </authentication> <authorization> <deny users="?"/> </authorization> Thanks. Answer 1: In asp.net using windows / forms

Newbie at JAAS authentication; Sign in using a token in the URL Bar

和自甴很熟 submitted on 2019-12-30 07:12:15
Question: I have an interesting project requirement where we must accept a token as a GET parameter that will authenticate a user coming into an application. This is to allow trusted third parties to seamlessly send a user over to our site without having to make them log in again. An example might be: http://www.myproj.com/appName/index.jsf?user_token=asdf123randomstuffaf12fsaasdf appName would be the context root, and user_token would be a token that could be checked. The token will be used once,
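
The token handling described above, as an added example (in Python rather than JAAS; in a JAAS deployment the same logic would sit behind the LoginModule). The parameter name and URL come from the question; the in-memory store, the 60-second lifetime and the hashing of stored tokens are assumptions. Tokens are random, stored only as hashes, expire quickly and are consumed atomically, so a second presentation of the same token fails.

```python
import hashlib
import secrets
import threading
import time
from urllib.parse import parse_qs, urlsplit


class OneTimeTokenStore:
    """Tokens handed to a trusted third party for one seamless sign-in each.
    Only a hash of each token is stored, so a leaked table cannot be replayed."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock              # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._pending = {}               # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Mint a fresh 256-bit token for `username` and return it to the partner."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[self._digest(token)] = (username, self._clock() + self._ttl)
        return token

    def consume(self, token):
        """Return the username if `token` is valid and unexpired, and burn it.
        The lookup is on the hash, so lookup timing reveals nothing about the token."""
        key = self._digest(token)
        with self._lock:
            entry = self._pending.pop(key, None)   # pop: a second presentation finds nothing
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


def login_from_url(store, url):
    """Handle GET /appName/index.jsf?user_token=...: exactly one token parameter,
    consumed before any session is created. Returns the username or None."""
    params = parse_qs(urlsplit(url).query)
    tokens = params.get("user_token", [])
    if len(tokens) != 1:
        return None
    return store.consume(tokens[0])
```

A token in a query string is copied into access logs, proxies and the Referer header of anything the landing page loads, which is why it must be single-use, short-lived and exchanged for a normal session cookie before the page renders any third-party resource.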

How to detect when the BROWSER blocks an iFrame

泪湿孤枕 submitted on 2019-12-30 07:08:47
Question: On an https website, I'm trying to load randomly submitted URLs into an iframe, allowing the user to see that website embedded in my own user interface. As long as the remote URL is https (like my own site), and the remote server doesn't explicitly block itself from being embedded in iframes, the website displays fine within the iframe. I know how to create a server-side script that can pre-detect if the iframe will be blocked due to the third party's intentional iframe-blocking. However, there
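
The browser-side signal the question asks for is not something a server can observe, but the server-side pre-check it mentions can be made concrete. The following is an added example in Python, not code from the question or its answers: it takes the framed page's response headers and predicts whether a browser will block the iframe, applying X-Frame-Options, the Content-Security-Policy frame-ancestors directive that overrides it when present, and the mixed-content rule that an https page cannot frame an http page at all. The header values and origins in the test are constructed.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """(scheme, host, port) for a URL, with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port)


def frame_ancestor_matches(source, embedder, framed):
    """Match one CSP frame-ancestors source expression against the embedding origin."""
    s = source.strip()
    if s == "'none'":
        return False
    if s == "'self'":
        return embedder == framed
    if s.endswith(":") and "/" not in s:            # scheme-source, e.g. "https:"
        return embedder[0] == s[:-1].lower()
    scheme, sep, rest = s.partition("://")
    if not sep:                                     # host-source without a scheme
        scheme, rest = None, s
    elif scheme.lower() != embedder[0]:
        return False
    host, _, port = rest.partition(":")
    host = host.lower()
    if host.startswith("*."):                       # wildcard: any subdomain of the suffix
        if not embedder[1].endswith(host[1:]):
            return False
    elif host != "*" and host != embedder[1]:
        return False
    if port:
        return port == "*" or port.isdigit() and int(port) == embedder[2]
    default_port = 443 if (scheme or embedder[0]).lower() == "https" else 80
    return embedder[2] == default_port


def embedding_allowed(headers, framed_url, embedder_url):
    """Predict whether a browser will let the page at framed_url render inside an
    iframe on embedder_url, given the framed page's response headers.
    Returns (allowed, reason). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    framed, embedder = origin_of(framed_url), origin_of(embedder_url)
    if embedder[0] == "https" and framed[0] != "https":
        return False, "mixed content: an https page cannot frame an http page"
    # CSP frame-ancestors takes precedence; X-Frame-Options is ignored when it is present.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            ok = any(frame_ancestor_matches(src, embedder, framed) for src in value.split())
            return ok, "CSP frame-ancestors " + value.strip()
    xfo = h.get("x-frame-options", "").strip()
    if not xfo:
        return True, "no framing restriction"
    values = {v.strip().upper() for v in xfo.split(",")}
    if len(values) > 1:                             # conflicting values are treated as DENY
        return False, "X-Frame-Options: conflicting values"
    value = values.pop()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return embedder == framed, "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM "):             # obsolete; honoured here conservatively
        return origin_of(value.split(None, 1)[1].lower()) == embedder, "X-Frame-Options: ALLOW-FROM"
    return True, "X-Frame-Options: unrecognised value, not enforced"
```

Two caveats: the matching covers the common frame-ancestors forms ('self', 'none', scheme:, host, *.host, explicit ports) and not every corner of the CSP grammar, and ALLOW-FROM is obsolete, so a page relying on it will be framed or not depending on the browser; the conservative choice above is to honour it.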

Secure REST API without user authentication (no credentials)

本秂侑毒 submitted on 2019-12-30 06:27:47
Question: I've been struggling for 2 days now on how to secure a REST API without user authentication. What does it mean? In my AngularJS application I identify a user by sending a GET request to an existing service (companydomain/userinfo) which I must use. I'm not sure how this works since I am not the author of this piece of code, but the point is that I get the information about the user in the response as JSON (active directory name, phone in the company...). This is all I have to identify a
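
A common way to secure the API in this situation is for the API server itself to establish who the caller is (for instance by querying companydomain/userinfo on the server side) and then hand back a short-lived signed token that every later request must carry. The following is an added example, not from the question or any answer: the key, the claim names and the use of an Authorization: Bearer header are assumptions, and the server-side identity lookup is left to whoever calls issue_api_token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret; in deployment it lives in configuration, never in the client.
API_KEY = b"api-signing-key-example"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_api_token(identity, ttl=900, now=None, key=API_KEY):
    """Mint a bearer token. Call this only after the *server* has resolved the caller's
    identity; the client never gets to assert who it is."""
    now = time.time() if now is None else now
    payload = dict(identity, iat=int(now), exp=int(now + ttl), jti=secrets.token_hex(8))
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_api_token(token, now=None, key=API_KEY):
    """Return the identity claims for a genuine, unexpired token, else None."""
    now = time.time() if now is None else now
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):      # constant-time; verify before decoding
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(headers, now=None, key=API_KEY):
    """Gate for every API call: parse 'Authorization: Bearer <token>' and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return verify_api_token(token.strip(), now, key)
```

The mistake the client side tends to make is sending its own view of the user (the JSON from userinfo) to the API as if it were proof; anything the client can read it can also forge, so the identity has to be established server-side and only the signed token travels back.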

AntiForgeryToken changes per request

元气小坏坏 submitted on 2019-12-30 06:19:27
Question: I am using the AntiForgeryToken helper method. From what I understand about the AntiForgeryToken, it is session-based, so that each user has the same token but another user will have a different token (provided that you use the same salts for all of the forms). My "problem" is that AntiForgeryToken is generating different tokens for the same user with the same salt. For example ... Controller public ActionResult Test() { return View(); } View @using (Html.BeginForm()) { @Html
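
One design that produces exactly the behaviour described (a different form value on every request that still validates for the same user) keeps one random token per session in the anti-forgery cookie and mints a fresh form token per rendered form, bound to the cookie token by a MAC. The following is an added Python model of that design, not ASP.NET MVC's own implementation or token format; the key and the token encoding are assumptions. It shows why the values can differ without any of them failing validation, and why a form token from one session is useless against another.

```python
import hashlib
import hmac
import secrets

# Constructed key; ASP.NET's real tokens are protected with the application's machineKey.
SERVER_KEY = b"example-server-key-not-for-production"


def new_cookie_token():
    """One random value per browser session, kept in the anti-forgery cookie."""
    return secrets.token_hex(16)


def new_form_token(cookie_token):
    """A fresh form token for every rendered form: a random nonce plus a MAC that ties
    it to this session's cookie token. Two renders give two different values."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, ("%s:%s" % (cookie_token, nonce)).encode(),
                   hashlib.sha256).hexdigest()
    return "%s.%s" % (nonce, mac)


def validate_tokens(cookie_token, form_token):
    """Accept the POST only if the form token was minted for this cookie token."""
    if not cookie_token or not form_token:
        return False
    nonce, sep, mac = form_token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, ("%s:%s" % (cookie_token, nonce)).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)
```

The cookie token is what stays constant for a user; the form token is deliberately not, so comparing two rendered forms tells you nothing about whether the protection is working. Validation is the only test that matters.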

What's the purpose of tainting Ruby objects?

对着背影说爱祢 submitted on 2019-12-30 06:02:53
Question: I'm aware of the possibility to mark untrusted objects as tainted, but what's the underlying purpose and why should I do it? Answer 1: It used to be a pretty standard practice when writing CGIs in Perl. There is even a FAQ on it. The basic idea was that the run time could guarantee that you did not implicitly trust a tainted value. Answer 2: One tracks taint as a security precaution, in order to ensure that untrusted data isn't mistakenly used for calculations, transactions, or interpreted as code.
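
The answers state the purpose; the mechanism is easiest to see in a minimal taint-tracking implementation. The following is an added example in Python (not from the question or its answers, and not Ruby's built-in taint support): a str subclass carries the mark through concatenation, formatting and slicing, a single untaint step clears it only after whitelist validation, and a SQL sink refuses tainted query text while still accepting tainted values as bound parameters. The table and rows are constructed for the example.

```python
import re
import sqlite3


class TaintError(Exception):
    """Raised when untrusted data reaches a sensitive sink without sanitisation."""


class Tainted(str):
    """A str that remembers it came from outside. Operations that build new strings
    from it return Tainted again, so the mark follows the data."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def __mod__(self, args):
        return Tainted(str.__mod__(self, args))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))

    def format(self, *args, **kwargs):
        return Tainted(str.format(self, *args, **kwargs))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))


def from_request(value):
    """Trust boundary: everything that arrives from the client is marked tainted."""
    return Tainted(value)


def untaint(value, pattern):
    """The only way to clear the mark: validate against an explicit whitelist pattern."""
    if not re.fullmatch(pattern, value):
        raise TaintError("value rejected by validator: %r" % value)
    return str(value)          # str() of a subclass instance yields a plain str


def query_user_phone(conn, sql, params=()):
    """Sink: refuses SQL text that carries taint. Tainted values may still be passed
    as bound parameters, where the driver keeps them as data rather than code."""
    if isinstance(sql, Tainted):
        raise TaintError("tainted data reached the SQL sink as query text")
    return conn.execute(sql, params).fetchall()


def make_demo_db():
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', '555-0100')")
    return conn
```

The limitation worth knowing is the same one Perl and Ruby users hit: any construct the wrapper does not override (an f-string, str.join) silently produces a plain str and drops the mark, so taint tracking is a safety net underneath parameterised queries and validation, not a replacement for them.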

Secure storage of database credentials

筅森魡賤 submitted on 2019-12-30 05:14:05
Question: Had a major problem recently where my web hosting company messed up and all my php files were displayed in plain text. This was a major issue for me for obvious reasons, mainly because the MySQL database details were exposed. I am now trying to change the way in which my php files get the login information for the database so that this will never happen again, even if the hosting company fails me. My current setup looks like this: include 'info.php'; class Login { var $host; var $username; var
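
The failure described is a server misconfiguration that turned info.php into a download, so the fix is to keep the secret somewhere the web server cannot serve. The following is an added example, not the poster's code: it reads credentials from a file that must live outside the document root, refuses a file that is inside it or readable by other users, and prefers environment variables when they are provided. Python stands in for PHP; the file layout, the JSON format and the DB_* variable names are assumptions, and the same checks exist in PHP (realpath, stat, getenv).

```python
import json
import os
import pathlib
import stat
import tempfile


class CredentialError(Exception):
    pass


def load_db_credentials(path, docroot, env=None):
    """Return {"host", "username", "password"} for the database login, read from a
    file that must sit outside the web server's document root and be readable by its
    owner only. If DB_HOST/DB_USER/DB_PASS are all set in the environment they win
    and no file is read at all."""
    env = os.environ if env is None else env
    if all(k in env for k in ("DB_HOST", "DB_USER", "DB_PASS")):
        return {"host": env["DB_HOST"], "username": env["DB_USER"], "password": env["DB_PASS"]}
    p = pathlib.Path(path).resolve()
    root = pathlib.Path(docroot).resolve()
    if p == root or root in p.parents:
        raise CredentialError("%s lies inside the document root %s" % (p, root))
    mode = p.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError("%s is group/world accessible (%s)" % (p, stat.filemode(mode)))
    with p.open() as fh:
        data = json.load(fh)
    missing = {"host", "username", "password"} - set(data)
    if missing:
        raise CredentialError("credential file lacks: %s" % ", ".join(sorted(missing)))
    return {k: data[k] for k in ("host", "username", "password")}


def make_demo_tree():
    """Constructed layout: <tmp>/public is the docroot, <tmp>/private/db.json the secret."""
    base = pathlib.Path(tempfile.mkdtemp())
    (base / "public").mkdir()
    private = base / "private"
    private.mkdir(mode=0o700)
    secret = private / "db.json"
    secret.write_text(json.dumps({"host": "localhost", "username": "app", "password": "s3cret"}))
    secret.chmod(0o600)
    return base
```

On shared hosting the file permission check is the part that matters most: a file outside the docroot that is world-readable is still exposed to every other customer on the same box.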

ARM TrustZone, connecting peripherals?

大憨熊 submitted on 2019-12-30 05:04:26
Question: I'm currently doing some research about ARM's TrustZone, e.g. here: ARM information center. As far as I understand, with TrustZone a secure environment based on the AMBA AXI bus can be created. On ARM's website it says: "This concept of secure and non-secure worlds extends beyond the processor to encompass memory, software, bus transactions, interrupts and peripherals within an SoC." I read that peripherals can be connected to TrustZone via the Non-Secure bit of the AMBA AXI bus (The extra
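
As an added illustration (a simplified software model, not ARM's documentation or any vendor's RTL): the bus-level rule is that each AXI transaction carries its own NS attribute, and a slave partitioned as secure answers a Non-secure transaction with an error instead of data. The peripheral names, addresses and the single partition register are assumptions for the example; real SoCs use a protection controller with its own register layout.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Peripheral:
    name: str
    base: int
    size: int


@dataclass(frozen=True)
class AxiTransaction:
    addr: int
    ns: bool            # the AxPROT[1] attribute: False = Secure, True = Non-secure
    write: bool = False


class SecureInterconnect:
    """Toy model of the bus-level check. Each slave is either secure-only or open to
    both worlds; the decision uses only the transaction's NS bit, never which master
    issued it."""

    def __init__(self, peripherals, secure_only):
        self.peripherals = {p.name: p for p in peripherals}
        self.secure_only = dict(secure_only)   # name -> bool, set by the secure world

    def decode(self, addr):
        for p in self.peripherals.values():
            if p.base <= addr < p.base + p.size:
                return p
        return None

    def route(self, txn):
        """('OKAY', slave name) when the transaction may proceed, else ('DECERR', None)."""
        target = self.decode(txn.addr)
        if target is None:
            return "DECERR", None
        if txn.ns and self.secure_only[target.name]:
            return "DECERR", None   # NS access to a secure slave is dropped; no data returned
        return "OKAY", target.name

    def configure(self, ns, name, secure_only):
        """Write to the partition register. Only a Secure transaction may move a
        peripheral between worlds; a Non-secure write gets DECERR."""
        if ns or name not in self.peripherals:
            return "DECERR"
        self.secure_only[name] = secure_only
        return "OKAY"
```

What the model makes visible is that the check is per transaction: a master that is otherwise secure but issues an NS=1 access is treated as Non-secure for that access, and moving a peripheral between worlds is itself a secure-only operation.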