security

OAuth2 security considerations for client_id

倖福魔咒の submitted on 2019-12-22 10:25:47
Question: When using the User-agent flow with OAuth2 on a mobile platform, there is no way for the Authorization server to authenticate the client_id of the application. So anyone can impersonate my app by copying the client_id (and so get all access tokens on my behalf), and this applies to Facebook, Foursquare, ... Is this not handled by OAuth2? Or did I miss something? For Web applications (Web server flow), the access token is stored on the server side, and the client is authenticated using a secret key.

What's the difference between Anonymous, Authenticate, Impersonate and Delegate, and why does Delegate need Kerberos?

谁都会走 submitted on 2019-12-22 10:23:52
Question: When our customers install our software, they often opt for a "split install", where the services run on one box and the database is on another box. The services might talk to other services, or the database might contain stored procedures that need to talk to another database. This leads us into the murky world of Kerberos and SetSPN. I was about to send the support guys an email breaking down the difference between the various authentication levels supported by Windows, but I realised that

Custom Security mechanism in Java EE 6/7 application

故事扮演 submitted on 2019-12-22 10:10:02
Question: I would like to create (implement on my own) an authentication mechanism which will be plugged into my Java EE application. As far as I know I have to implement LoginModule and connect this implementation with the container mechanisms somehow. But the problem is that I don't know how to do it. Maybe you know where I can find sample code or a tutorial about it? In other words, I would like to force the container to call my classes whenever the methods authenticate, login, and logout are called. Sample

How to implement HTTPS only on part of website?

隐身守侯 submitted on 2019-12-22 10:09:47
Question: I was wondering, how can I implement HTTPS on one part of a website? Let's say I want to create an internet shop. I want to be able to browse all items without HTTPS (it is faster, right?). And when I want to make a payment, then I want to use HTTPS. As far as I have read in other articles, when IIS is configured to use HTTPS, the configuration is applied to the whole site :( P.S. another question. What if I want the shop to be available only for users who already have accounts (it means users have to

Where to store the private key on a digital signing server?

不羁的心 submitted on 2019-12-22 09:56:07
Question: I am developing a client-server application that requires some files to be signed using the private key before being sent to the client. The client will then verify the signature using the public key. Therefore, the private key will need to be on the server at all times and readable by the server application. The problem is that I was wondering where to store my private key so that it is more secure against being leaked in case the server is compromised. Should I store it in the database or should I store

How to store subscription data for Android in-app billing?

别来无恙 submitted on 2019-12-22 09:55:51
Question: I'm trying to implement in-app billing, where the only thing my app sells is a monthly subscription. I've pretty much copied the Dungeons example that Android provides and it works, but it seems overly complicated for the one thing I have to sell (and I know I shouldn't be copying it anyway). The Dungeons example has a PurchaseDatabase class that keeps track of all of the user's purchases. Since there is only one purchase in my app, rather than having a database, it seems like it would

Conversion from cert file to pfx file

不羁的心 submitted on 2019-12-22 09:54:05
Question: Is it possible to convert a cert file to a pfx file? I tried importing my cert file into IE, but it is never shown under the "personal" tab, thus I cannot export it there. I am looking for whether there are alternatives available. FYI, the cert file is created by using "keytool" and then doing an export to a cert file. Answer 1: This article describes two ways of creating a .pfx file from a .cer file: Maxime Lamure: Create your own .pfx file for ClickOnce Create your public & private Keys (You will be

PHP's openssl_sign generates different signature than SSCrypto's sign

微笑、不失礼 submitted on 2019-12-22 09:49:41
Question: I'm writing an OS X client for a piece of software that is written in PHP. This software uses a simple RPC interface to receive and execute commands. The RPC client has to sign the commands it sends to ensure that no MITM can modify any of them. However, as the server was not accepting the signatures I sent from my OS X client, I started investigating and found out that PHP's openssl_sign function generates a different signature for a given private key/data combination than the Objective-C SSCrypto

PHP can't read files containing PHP code as text files

大城市里の小女人 submitted on 2019-12-22 09:49:00
Question: I've stumbled upon the following peculiarity: $handle = fopen(realpath("../folder/files.php"), "r"); can't read a file, but as soon as I remove the PHP tags from the file, it becomes readable and my script prints non-empty file content on the page. Also, file.php is never ever executed, so I wonder why it is a problem. I guess somehow Apache or PHP doesn't let me read files containing PHP tags as just text. How can I enable it for my particular file (of course doing it globally would be insecure)

Java: Is this good use of BCrypt?

China☆狼群 submitted on 2019-12-22 09:46:26
Question: I would like to know if my current implementation of BCrypt is correct. I am aware that I am not using BCrypt.checkpw(), which may lead to an issue, so that is the main reason I am verifying it here. Hasher.java container class: abstract public class Hasher { public static String hash(final char[] input) { String output = Hasher.hash(new String(input)); for (int i = 0; i < input.length; i++) { input[i] = 0; } return output; } public static String hash(final String input) { return BCrypt.hashpw(input,