security

问题 I'm trying to configure spring secure annotations, I already managed to set spring security configuration in xml(configured by intercept-url elements), but now I'm want to use security annotations in my beans. But secured annotation is totaly ignored when try to access secured controller method without logging. Here is my controller bean: package com.bill.controllers; import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org

问题 I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user. What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or

问题 After reading through an article on a site, I became really worried for my own server's security... Inside a PHP file, which is later on included on all my main php pages that get showed to users, my username and password (used all over my website - server root, mysql root etc) are inserted in plain text... is there anything to worry about? can anyone read the php file (like download it and read it instead of having the server execute it)? Is there any risk of having my username and password

问题 As title says, i'm developing a web application that receives user authentication infos from an external application. A spring controller of my app gets user info and stores it in session. I want to authenticate this user inside Spring Security and then use his roles to grant/deny access to urls like <intercept-url pattern="/myprotectedpage*" access="hasRole('rightrole')" /> I read some tutorials speaking about PRE_AUTH_FILTER and UserDetailsService but i can't get the point. What is the

问题 I have a Delete method on all my business objects that has the PrincipalPermission attribute on it. Example: [PrincipalPermission(SecurityAction.Demand, Role = "Vendor Manager")] public static bool Delete(Vendor myVendor) { //do work here } The problem is that it appears to be completely ignoring my PrincipalPermission. It lets anyone through, no matter what role they may be part of. Is there something else I've forgotten to do? I have added the following to my Application's global.asax in

问题 I'm using this code to store a key into a KeyStore in an Android App: SecretKeyFactory kf = SecretKeyFactory.getInstance("DES"); DESKeySpec keySpec = new DESKeySpec(key); // byte[] key SecretKey skey = kf.generateSecret(keySpec); KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null, "ksPassword".toCharArray()); PasswordProtection pass = new PasswordProtection( "entryPassword".toCharArray()); KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(skey); ks

问题 I'm been struggling to find an answer to this problem for hours now... I use to not get this error while accessing the ASPNETDB database, but unfortunately I don't know what I changed. The error comes up when I try to access a file called Admin.aspx I have in a folder called Admin. I had restrictions set on this folder using the Web Site Administration Tool, but when the error came up I took them all of them off to see what the problem was and I still get the error?? The Admin.aspx file is

问题 User successfully authenticated but after authentication when I go to next controller I got request.getUserPrincipal() null. I am using websphere 7 and my application is in spring mvc. System.out.println("subject.getPrincipals(): " + subject.getPrincipals()); WSSubject.setRunAsSubject(subject); After authentication in login controller subject.getPrincipals() returns principal but when I go to next controller I got request.getUserPrincipal() null. web.xml <security-role> <role-name

问题 My app has to comunicate with an API, we can do this easily to send and get data. Right now we send everything as plain text as a parameter of the URL. I am by no means a security expert, but common sense tells me the credit card number should be encrypted during the transfer. The server can worry about the storage, my only concern is the actual transmission of the data. From my reading I undertand that I need a private key encryption algorithm, as it needs to be reversed by the server to get

问题 This question already has answers here : Closed 7 years ago . Possible Duplicate: Putting core classes above the web root - good or bad idea? I keep reading that it's a best practice to put MySQL connection credentials (whether it's a class, defines, etc..) outside of the web root (above the www folder). Why is this? If the credentials are in a .php file then it doesn't matter if the file is accessible through the browser, right? 回答1: It's a preventative measure. If someone accidently