security

问题 I've got an ASG that assigns an IAM Role to each of the instances that join it. Therefore, each instance has the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables baked-in, which will be used upon instantiation to download and decrypt credentials that are stored in an S3 bucket and encrypted using KMS keys. So I'll have the following components: An S3 bucket called top-secret.myapp.com All objects in this bucket are encrypted using a KMS key called My-KMS-Key An IAM instance

问题 I'm building an Intranet application based on Ext JS and webservices. Users are authorized using Integrated Windows Authentication, which works fine in IE. Because my application is in JavaScript, it is loaded in Firefox, but then when I request some data from server I get 'access denied' in Firebug, because all webservices are checking user rights. Can I request the user to enter his username and password (like login to FTP or a simple login page) in all browsers that don't support

问题 This is a simple question but I can't seem to find an answer for it anywhere. If you store some files (say some static PDFs) in your public directory, is there a way that someone who isn't authorized to view those files, can view them by typing in a url like example.com/public/static_document.pdf ? If so, can you disable this in Rails? 回答1: The public is definitely public and open to people guessing the URL. Check out Ruby On Rails - Securing Downloads Area for someone else asking similar. I

问题 I'm desperately trying to encrypt a message using asymmetric public / private key cryptography on an Android. I'm on Windows and I've generated a public and private key using puttygen. I'm not sure what difference it makes but I've selected SSH-2 RSA. Here is the public key: AAAAB3NzaC1yc2EAAAABJQAAAQEAh63orUzl0UTd7jj0KNYJg1+kNnty0QHyJu0r Cajf5Kl7qWJaGXPfwsG8Qt3teafs5sv0JBSinab0s/5wfQmd1QPpXTMP93Wc4ucp 1VC/9B2o8XVi4fKoGTehB48yrSfI6KF2AIeASM1jUswydKxsuS4AS2mLGV/HuoKD

问题 many antivirus programs using signature-based malware detection. Here is creating signatures for ClamAV. I can understand how they create signatures considering that the whole file is a malware, but I couldn't understand how to find malware when it is in the body of the file - the hash would be another. Anybody knows? 回答1: My answer is not specific to ClamAV; instead I've answered in a general sense. Maybe this is helpful for you. First of all a virus signature is not necessarily a hash value

问题 I'm working on deploying a small community site. User registration requires nothing more than a username, email address, and password. I'm not even asking for a name, and certainly not storing any sensitive data. Should I still invest in an SSL certificate? Would it be considered terrible practice to transmit a user's password without one? This is just a personal project, so I'd like to avoid the extra cost if I could, but I can't help but feel I'd be irresponsible if I didn't secure

问题 Here is scenario : I have some web services (JAX-WS) that need to be secured. Currently for authentication needs I providing addition SecurityWService that give authorized user some userid & sessionid that is need to be described in request to other services. It would be more better to use some java security. We have many of them but could not defined what is better to use. Q1 : It is understand that I should use SSL in transport layer, but what should I use for user authorization. Is there

问题 Here's something I've thought about for a while. I am creating an application where's my users will upload their own custom themes, which means that there's going to be a good opportunity for anyone with basic PHP/XSS/whatever skills to cause a lot of headache. I would like to run any uploaded files in a sort-of sandboxed, closed environment that only has access to the stuff (variables) that I want and nothing else. Would this be good practice and how would it be done? 回答1: To allow arbitrary

问题 Why am I posting this? After several hours of search / analysis / getting paranoid I would like to share my fault with you - I nailed down my cause of the problem. When did it happen? within the application server (in my case embedded tomcat) - tests had no problem on two specific @Services on which the methods got properly annotated with @Transactional What was not the problem? Missing @EnableTransactionManagement in the @Configuration Some weired AOP issue, eg having no default constructor

问题 How does Android perform security checks on native code? Suppose we declare permission X in AndroidManifest.xml, does it mean we inherit that same permission X in our native code? 回答1: How does Android perform security checks? There are basically two ways the permissions are enforced. First of all on kernel level: each installed app is assigned a unique (linux) user id and each time your app is started Android will spawn a process and sets the user id of that process to whatever your app