security

问题 I am new to Java and when learning, I came across the fact that a String is immutable. When I was reading the reason behind it, a few reasons came up, for example performance increasements, since its value cannot be modified, and it can be shared by multiple threads. These reasons I do understand. But I don't get how it is related to security. How does a String being immutable help in Java security? Please help me in understanding. Thanks in advance. 回答1: A very common practice in writing

问题 Is there anyway in Java to delete data (e.g., a variable value, object) and be sure it can't be recovered from memory? Does assigning null to a variable in Java delete the value from memory? Any ideas? Answers applicable to other languages are also acceptable. 回答1: Due to the wonders virtual memory, it is nearly impossible to delete something from memory in a completely irretrievable manner. Your best bet is to zero out the value fields; however: This does not mean that an old (unzeroed) copy

问题 Is there anyway in Java to delete data (e.g., a variable value, object) and be sure it can't be recovered from memory? Does assigning null to a variable in Java delete the value from memory? Any ideas? Answers applicable to other languages are also acceptable. 回答1: Due to the wonders virtual memory, it is nearly impossible to delete something from memory in a completely irretrievable manner. Your best bet is to zero out the value fields; however: This does not mean that an old (unzeroed) copy

问题 I'm creating a regular windows application that will be distributed to several users on my department. I'll need to include some connectivity passwords on the App.config file, and I obviously don't want end-users to just fire up notepad and look at the passwords. Several articles point on how to encrypt/decrypt configuration sections, but it appears you have to share/ship some keys with the deployable solution. Is there a simpler way, to just cipher some of the settings so that they are not

问题 I've inherited an application with a glaring security hole. It has session-based security, but file uploads (which are user specific) are not secured in any way and they are stored in the public file tree. Filenames do not follow any convention as such, making them hard to guess, but the data is sensitive and thus I need to implement a security measure to prevent unauthorized file access. Moving the location of the files is not really an option, so I'm looking at a htaccess solution to

问题 I need to ignore the PKIX path building exception javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExc ption: unable to find valid certification path to requested target I know how to do this by writing my own class implementing X509TrustManager where I always return true from isServerTrusted . However, I don't want to trust all servers & all clients. I want all the default verification

问题 Inspired by a thought while looking at the question "Correct HTTP status code when resource is available but not accessible because of permissions", I will use the same scenario to illustrate my hypothetical question. Imagine I am building a a carpooling web service. Suppose the following GET /api/persons/angela/location retrieves the current position of user "angela". Only angela herself and a possible driver that is going to pick her should be able to know her location, so if the request is

问题 Is there a way to configure Tomcat 7 to create JSESSIONID cookie with a secure flag in all occasions? Usual configuration results in Tomcat flagging session cookie with secure flag only if connection is made through https. However in my production scenario, Tomcat is behind a reverse proxy/load balancer which handles (and terminates) the https connection and contacts tomcat over http. Can I somehow force secure flag on session cookie with Tomcat, even though connection is made through plain

问题 Is there a way to configure Tomcat 7 to create JSESSIONID cookie with a secure flag in all occasions? Usual configuration results in Tomcat flagging session cookie with secure flag only if connection is made through https. However in my production scenario, Tomcat is behind a reverse proxy/load balancer which handles (and terminates) the https connection and contacts tomcat over http. Can I somehow force secure flag on session cookie with Tomcat, even though connection is made through plain

问题 I have used the following code in a number of applications to load .DLL assemblies that expose plugins. However, I previously was always concerned with functionality, rather than security. I am now planning to use this method on a web application that could be used by groups other than me, and I would like to make sure that the security of the function is up-to-snuff. private void LoadPlugins(string pluginsDirectory) { List<IPluginFactory> factories = new List<IPluginFactory>(); foreach