security

Is it possible to read/write a file from an applet

孤街醉人 submitted on 2019-12-23 12:34:26
Question: I've been trying to read and write a file from an applet, so if I run the applet from my appletviewer it is possible for me to read/write a file, but when I try to do it from my browser I get a security exception. Any idea how to do this? Answer 1: Is it possible to read/write a file from an applet Yes, but you need to sign the applet and get approval from the user. Some useful links: How can an Applet read files on the local file system (from coderanch.com) Essentials, Part 1, Lesson 6: File Access and

Can using self-signed certificates with WCF be secure?

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-23 12:33:15
Question: Imagine for a moment that we're using classic asymmetric encryption with WCF (private/public key pairs). Obviously it's secure until private keys aren't stolen. We don't need any trust chains between keys, right? Client only needs to know its server's public key and vice versa. A problem arises only if client doesn't know server's public key in advance and gets it on the first access. Here we have a risk that actual server is a "man-in-the-middle" instead of the real server. Here we need

Building Docker images with Jenkins that runs inside a Docker container

拟墨画扇 submitted on 2019-12-23 12:28:55
Question: I was reading this article about setting up Jenkins running inside a Docker container in a way that Jenkins is able to build Docker images itself. Although this solution works, there are some security issues as also pointed out by the author. The main security problem lies in the fact that Jenkins needs to run Docker commands, which requires a mount of the Docker socket inside the Jenkins container (plus Jenkins needs sudo to be able to run Docker commands). So whoever has access to the

Prevent multiple registrations on a survey website

无人久伴 submitted on 2019-12-23 12:24:06
Question: Context: I am developing a survey website where anyone can vote once. Obviously I have to prevent multiple registrations for the survey to remain relevant. I force every user to log in with their Google, Facebook or Twitter account. But they can authenticate 3 times if they have an account on each, or authenticate with multiple accounts on the same platform (I have 3 accounts on Google). So I thought to store their IP address, but they can still use a proxy. I could keep the HTTP User Agent

how to secure app against XSS vectors present in 3rd party js libs?

百般思念 submitted on 2019-12-23 12:14:25
Question: I am using various 3rd party libs like cordova.js, jquery, jquery mobile, mobilizer and so on, in an Android mobile app. These libs are found to have various XSS vectors through insecure use of eval, setTimeout, inner/outerHTML and so on. Is there any way by which I could cover/fix these security holes and still use these libs in my app, securely? Answer 1: These vulnerabilities should be reported to the vendor, and you should use their patch. Exploiting DOM Based XSS and android is possible,

How to safely pass user access token (sensitive data) to another iOS app when deep-linking

巧了我就是萌 submitted on 2019-12-23 12:13:28
Question: I am working on an iOS app which will handle user login for other apps. When a login is successful the user will be redirected to the user's selected app (if installed) with iOS deep linking using URL schemes. Upon redirect I would like to pass a user access token to the opening app. The receiving app should somehow be entitled to read the token. It is not an option to pass it in the URL because of the following (from Apple docs https://developer.apple.com/library/content/documentation/iPhone

How to call https asmx web service if certificate has expired in .NET

和自甴很熟 submitted on 2019-12-23 12:06:46
Question: Asmx web service is called using Visual Studio generated code from MVC2 controller using code below. Method call throws exception since web service certificate has expired. How to fix this so that web service can still be used? Using .NET 3.5 and MVC2. public class AsmxController : Controller { public ActionResult Index() { var cl = new store2.CommerceSoapClient(); // System.ServiceModel.Security.SecurityNegotiationException was unhandled by user code //Message=Could not establish trust

Any Spring Framework support for REST security?

寵の児 submitted on 2019-12-23 12:00:03
Question: I am about to implement security for my RESTful services based on the Spring framework. Actually, I have never secured RESTful WS before, but I've got myself a good introduction here. Basically, Amazon S3 or even OAuth are suggested as good examples. My questions: Does the Spring framework provide these strategies out-of-the-box? If yes: Is it Spring security that implements these strategies? If no: How would you suggest to implement these strategies (OAuth ...) with Spring? Thanks in advance

Is JavaScript's access to a password field's value considered a security risk?

最后都变了- submitted on 2019-12-23 11:53:25
Question: If it is good style and security to store passwords securely and properly, then shouldn't the same be for web pages that require a user to enter a password? Consider this example: <script> function copy() { var text = document.getElementById('text'); var pass = document.getElementById('pass'); text.value = pass.value; } </script> <input type=text id=text> <input type=password id=pass> <button onclick="copy();">copy</button> Type something into the password box and click the copy button and

Authenticate HTML5 application wrapped with Phonegap (or equivalent)

橙三吉。 submitted on 2019-12-23 10:59:41
Question: Is there a way, using JavaScript only (client side), to ensure that an HTTP request is actually coming from my Phonegap application? Be aware: I'm not talking about authenticating the user, rather, in a sense, about authenticating the app itself. There isn't (and mustn't be) any kind of user interaction related to this. Not even talking about confidentiality of the communication (I'm not using HTTPS and the payload is not encrypted). My guess is, in the end, this inevitably requires some