security

问题 In a RESTful API that uses S3-style authentication, the API client signs the request with his secret key using HMAC-SHA1, so the secret key is never transmitted over the wire. The server then authenticates the client by using that client's secret key to repeat the signature process itself and compare the result to the signature transmitted by the client. This is all nice and good but it means the the server requires access to the plaintext of the client's shared secret. That flies in the face

问题 My company currently develops a Java web application. A couple of our clients have internal SAML servers (identity providers?) and have requested that we integrate with them. So recently I've been reading up on it and playing around with OpenAM. After about 3 days of this, I have a general understanding of it, but there are still some gaps in my knowledge. My hope is that someone can clear this up for me. So here's how I imagine the workflow of a user logging in. Let's define our customers

问题 I'm doing a little application that requires to login first. But for some 3rd party tool, I want to provide an API that doesn't require login. The login itself works fine, the API itself works, but I can't figure out how to tell Spring Security, that the API can be accessed without the need of authentication. I checked several topics here and on other websites and tried different versions, but none worked. Everytime I try to access the API, I get forwarded to the login form and have to login

问题 I have the following code: @Ajax.ActionLink("Delete", "Delete", new { id = item.ID, RequestVerificationToken=*What comes here?*}, new AjaxOptions { HttpMethod = "POST", UpdateTargetId = "formsIndex" }) I want to add the verification token to the link without using javascript in client side, it seems like a redundant dependancy since i already own that value in server. Is there a proper way to do that? 回答1: From the MSDN documentation (my emphasis) HtmlHelper.AntiForgeryToken Method Generates

问题 I have the following code: @Ajax.ActionLink("Delete", "Delete", new { id = item.ID, RequestVerificationToken=*What comes here?*}, new AjaxOptions { HttpMethod = "POST", UpdateTargetId = "formsIndex" }) I want to add the verification token to the link without using javascript in client side, it seems like a redundant dependancy since i already own that value in server. Is there a proper way to do that? 回答1: From the MSDN documentation (my emphasis) HtmlHelper.AntiForgeryToken Method Generates

问题 I'm modifying my WCF API to include a new service that should be exposed to internal IP addresses only. All of the services in my API are available in SOAP, POX and JSON. What I'm looking for is a behavior or something that allows me to implement a simple IP address filter, to process requests from internal IP's and deny everything else. I'd like it to work in configuration, because all the other services in the API should remain available to the Internet. I did some googling but can't find

问题 I'm modifying my WCF API to include a new service that should be exposed to internal IP addresses only. All of the services in my API are available in SOAP, POX and JSON. What I'm looking for is a behavior or something that allows me to implement a simple IP address filter, to process requests from internal IP's and deny everything else. I'd like it to work in configuration, because all the other services in the API should remain available to the Internet. I did some googling but can't find

问题 There's a SecureZeroMemory() function in WinAPI that is designed for erasing the memory used for storing passwords/encryption keys/similar stuff when the buffer is no longer needed. It differs from ZeroMemory() in that its call will not be optimized out by the compiler. Is it really so necessary to erase the memory used for storing sensitive data? Does it really make the application more secure? I understand that data could be written into swapfile or into hibernation file and that other

问题 I have created a web service API and it's architecture is such that the server requires a client to sign the request along with a secret key assigned to it (signature is always different between multiple requests). Server matches the client's signature with its own computed signature. If they are a match then the server returns the response. I am wondering if a client should check the response coming back from the server to see if it's from the same application to which the request was made.

问题 I have audio files saved in a folder on my server. They are called by JQuery JPlayer to be played. However if a person looks at the source of the page, they can find the location of the file and simply download it. I want to protect the files from being downloadable, but still allow JPlayer to play them. Is this possible? I have tried denying the folder with .htaccess as well as password protecting the folder, but this prevents JPlayer from being able to play the files. 回答1: It's impossible