security

问题 I have created Web Service using Asp.net 3.5. Now it's working perfectly in live windows server, and giving me perfect xml while invoking it using some url like : http://www.somedomain.com/Service.asmx?op=fetchData Now My question is when I am accessing url like : http://www.somedomain.com/Service.asmx it's listing my created web services. What if I don't wanna list down the available web services to end users. Thanks in advance... 回答1: If you just want to disable the service help page then

问题 I am developing an application which involves payments. I will employ some sort of encryption in the app and also some encryption and security on the server backend. I want to know to secure my Xamarin code specially when deploying to Android. I know that Xamarin.iOS converts to native code but Xamarin.Android deploys the .Net code in DLL which can easily be decompiled using DotPeek or any other tool and the code will be visible including my encryption keys or any other security related data

问题 I'm doing some work with a company outside of my school, and they need my public ssh key. I already have my public ssh key generated for use with github. I set this up some time ago, and if I open the id_rsa.pub file, I see it has my school email address embedded inside. Now I'm wondering if it's typical to reuse this one key with every company you work with, or do you generate a new one for every company. I guess I have a few considerations: If I use the same public key with each company,

问题 I need to prevent duplicate form submissions for my customer's website. we need some form data from user for order confirm page. we use load balancing for web server. Approach 1 : Post/Redirect/Get (PRG pattern : http://en.wikipedia.org/wiki/Post/Redirect/Get) I was trying to use PRG pattern at first. in this case, I think I need to deal with session(or spring flashmap) across multiple web server. Approach 2 : Disable refresh on client. one of my colleague suggested this approach. Approach 3

问题 I need to prevent duplicate form submissions for my customer's website. we need some form data from user for order confirm page. we use load balancing for web server. Approach 1 : Post/Redirect/Get (PRG pattern : http://en.wikipedia.org/wiki/Post/Redirect/Get) I was trying to use PRG pattern at first. in this case, I think I need to deal with session(or spring flashmap) across multiple web server. Approach 2 : Disable refresh on client. one of my colleague suggested this approach. Approach 3

问题 How can I securely store the keys to my private API in my web based (javascript) application? I've thoroughly researched this but am yet to find a solid answer or any kind of standard procedure. My API implements HMAC authentication, and every member of my site has a public/secret key to authenticate their use of the API and sign their request. On a mobile app, the server would send the public/secret keys over an encrypted connection to be stored on the device after a successful login request

问题 Is there a legal way to add/remove permissions to Java security policy at runtime? 回答1: Javadoc says that Policy.refresh() for file-based policy would re-read the file. Thus, it is possible to modify system-wide policy at runtime by editing policy file and then calling Policy.refresh() 回答2: From 1.4 dynamic ProtectionDomains can delegate to the Policy. Dynamically removing permissions from code is unlikely to make any sense. The two argument forms of AccessController.doPrivileged might also

问题 Is it possible to impersonate a user without supplying user name/password? Basically, I'd like to get the CSIDL_LOCAL_APPDATA for a user (not the current one) using the ShGetFolderPath() function. All I currently have is a SID for that user. 回答1: No, you have to call Win32 API LogonUser function to get windows account token back so you can then impersonate. 回答2: You can impersonate a user without supplying password by calling ZwCreateToken. See the CreatePureUserToken function in this article

问题 Is it possible to impersonate a user without supplying user name/password? Basically, I'd like to get the CSIDL_LOCAL_APPDATA for a user (not the current one) using the ShGetFolderPath() function. All I currently have is a SID for that user. 回答1: No, you have to call Win32 API LogonUser function to get windows account token back so you can then impersonate. 回答2: You can impersonate a user without supplying password by calling ZwCreateToken. See the CreatePureUserToken function in this article

问题 I have run my java app against the checkmarx tool for security vulnerability and it is constantly giving an issue - Heap Inspection, for my password field for which I use a character array. It doesnt give any more explanation than just pointing out the declaration of the password field. private char[] passwordLength; Could anyone help me out here, what more can I look for resolving this? 回答1: Heap Inspection is about sensitive information stored in the machine memory unencrypted, so that if