security

问题 If I send password in JSON over HTTPS to perform authentication is it secure? Is there a better way to do it? In general what is the best way to send a username and password over to a server to perform authentication? 回答1: Generally speaking, yes, this is safe against a passive network eavesdropper, which is the primary threat one is concerned about in this sort of architecture. If you'd prefer not to send the password in the (HTTPS-encrypted) request, you can have the server send a unique

问题 I had scanned my yii2 application few days before and noted that username and passwords from the login form is posting without any encryption. How can i make my username and password more secure?I know \yii\helpers\Security::encrypt($data, $secretKey) will encrypt the data and similiary we can decrypt it. But how to use it in a view like login form? This is my login form <?php $form = ActiveForm::begin(['id' => 'login-form']); ?> <?= $form->field($model, 'username') ?> <?= $form->field($model

问题 Environment details: java version "1.7.0_40" Java(TM) SE Runtime Environment (build 1.7.0_40-b43) Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode). We are using jboss-4.2.3.GA and thick client using ejb. And we have tried to set the TLS1.2 version in the following ways: Control Panel --> Programs-->Java-->Advanced Tab-->Advanced Security Settings checked the TLS1.1 and TLS1.2 and unchecked the remaining old versions. But still in Wire shark software we are seeing client is

问题 I'm new in asp.net mvc and i need to check if a user is logged in or not in my application so i place the following piece of code in my global.asax void Application_PreRequestHandlerExecute(object sender, EventArgs e) { HttpApplication application = (HttpApplication)sender; HttpContext context = application.Context; string filePath= context.Request.FilePath; string fileExtention = VirtualPathUtility.GetExtension(filePath); // to skip request for static content like (.css or .js) if

问题 Im making a login/logout class that logs users in, sets cookies based on user's choice. The user enters their email/password and it checks the database, email/password combo exists a session is created, and a cookie is set (with the users id) and the user is redirected... I then have a function that logs users in by taking the user id saved in that cookie, checking whether that user id exists and then saving the users data in a session yet again... i was wondering if anybody see's anything

问题 I had some problems where RSA keys created using the Security.Cryptography.RSAParameters were working only most of the time with RSACryptoServiceProvider.ImportParameters. After a bunch of debugging it appears that the properties of that object want very specific byte buffer sizes. My ASN.1 parsing code has zero-byte-prefix elimination. In fact, some fields of the RSAParameters only work after zero-byte-prefix elimination and others don't work at all if zero-byte-prefix elimination has been

问题 I realize that in general, you should not store user credentials directly (i.e., in plain text); rather, it is best to store some encrypted form of them. However, suppose I create a website that interacts with some other 3rd party site; and let's say this 3rd party site offers an API that requires the user's credentials (with that site) for authentication. If my goal is to, say, provide a superior UI or introduce additional functionality on top of the services provided by this 3rd party, then

问题 I have an application that can be used without authentication on computers in public locations. It's a simple four page application that allows users to apply for a marriage license. Some offices will have a public computer kiosk where applicants can fill out their own information before proceeding to the clerk. They can also do so at home before visiting the office. What considerations should I take to make sure that a user cannot get access to the previous user's input? Some form data will

问题 I see the following link that explains how rest api needs to be secured. (Using public key and a HMAC(hash) of request parameters and private key). http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ I also see this link in stackoverflow which talks about rest api security using spring combining spring security 3 with jersey rest api I see this link in oracle weblogic website that talks about restful api security using web.xml or security context etc http:/

问题 I'm using JBoss AS7 + JSF 2.1 I'm trying to use a Database login module to authenticate users on a specific resource in my web application. In standalone.xml there are 3 security domains: "other", "jboss-web-policy" and "jboss-ejb-policy". Should I put my database login module in the "other" security domain? Or I should define a new custom security domain and put my database login module in it? Either way, how will I tell JBoss which security-domain/login module it should use for my