security

问题 I have an application that loads plugins (plain jar files) and runs code from them. The plugins are loaded using an URLClassLoader. I would like to prevent those plugings from accessing files and other resources, while retaining all permissions for my own code. Here are the two features by which plugin code is distinct from my own application and its libraries: 1) It is loaded by a URLClassLoader created for this purpose. 2) Its jar files are copied to a specific directory, from which the

问题 This may seem like an obvious (or not so obvious) question, but let me explain. I'm coding up a Google App Engine site using Google's database technology, BigTable. Any App Engine coders will know that Google has its own limited query language called GQL. As a result, I am tempted not to do any checking for SQL (or GQL) injection in my app since I assume Google is not using a raw string query on its backend methods to fetch data. Furthermore, libraries for DB technologies like CouchDB,

问题 I've a game in which my JavaScript calls PHP scripts via POST to change values in the database. How can I prevent someone repeatedly duplicating the request and giving themselves a billion points? Right now I pass a password through sha1() and check if it's there on the PHP side, but this wouldn't stop someone repeating the request. I can't use timestamps because time will lapse between call (JS POST request) and run of the PHP script. Edit: My PHP script doesn't increment the database values

问题 I've a game in which my JavaScript calls PHP scripts via POST to change values in the database. How can I prevent someone repeatedly duplicating the request and giving themselves a billion points? Right now I pass a password through sha1() and check if it's there on the PHP side, but this wouldn't stop someone repeating the request. I can't use timestamps because time will lapse between call (JS POST request) and run of the PHP script. Edit: My PHP script doesn't increment the database values

问题 What are some methods that could be used to secure a login page from being able to be logged into by a remote PHP script using CURL? Checking referrer and user agent won't work since those can be set with CURL. The ideal solution would be to solve this without using a CAPTCHA, that is the point of this question to try and figure out if this is possible. 回答1: One approach is to include some JavaScript in your login form, and make it so that the form cannot possibly be successfully submitted

问题 I would like to implement a simple authentication in an JSF/Primefaces application. I have tried lots of different things, e.g. Dialog - Login Demo makes a simple test on a dialog, but it does not login a user or? I also have taken a look at Java Security, like: <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/protected/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>GET</http

问题 Is there a build in library in .NET that can compute secure one-way hash ? I mean a library that implements SHA-2 cryptographic hash function or something similar. If is there is no SHA-2 implementation some weaker hash funcion would be sufficient. If there are more options I prefer the most secure one. Please provide a use example e.g. provide the code that returns one-way hash for string mySampleString . EDIT: Please provide the example and the hash algorithm used. 回答1: You can use the

问题 Even when I create EC2 instances in a private subnet, they must be able to send traffic to the Internet if I want to register them to a ECS cluster. I am using a NAT gateway to do this, but I still feel insecure that the instances can send private information to anywhere in case of takeover. What would be the most compact CIDR range that I can use for the instances' security group, instead of 0.0.0.0/0? 回答1: For the moment, you may have to rely on the list of public IP address ranges for AWS,

问题 I am using the Credential Manager API as per this answer. Quoting relevant code snippet: public static Credential ReadCredential(string applicationName) { IntPtr nCredPtr; bool read = CredRead(applicationName, CredentialType.Generic, 0, out nCredPtr); if (read) { using (CriticalCredentialHandle critCred = new CriticalCredentialHandle(nCredPtr)) { CREDENTIAL cred = critCred.GetCredential(); return ReadCredential(cred); } } return null; } It works great, except that when I log off my Windows

问题 I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it. I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that: import subprocess, os user_password = input("what is you password?") my_env = os.environ.copy() my_env["userpass"] = user_password my_command = "python --version" subprocess.Popen(my_command, env=my_env) Will the password be flushed once the