Questions tagged [security]

35459 questions
Error while trying to establish session with user's PIN (smartcard)
1 vote, 1 answer, 142 views
I'm using python-pkcs11 to access a smartcard I own. Right now, I was trying to create a session, so that I could retrieve the Public Key from the card. This is the code I was testing: path = (...) os.environ['PKCS11 MODULE'] = path lib = pkcs11.lib(os.environ['PKCS11 MODULE']) password = bytes('123...
imll
Using Google Drive access token from multiple devices
1 vote, 0 answers, 61 views
Today - Users' Google Drive access tokens - which are obtained when a user authenticates the app - are kept in my backend, linked to the authenticated user. So when a user authenticates once from any platform - he will have the same Google Drive access from any other platform or device he uses, sinc...
Dror Fichman
Could not connect secured LDAP server from other PC (CentOS)
1 vote, 0 answers, 144 views
I have created an LDAP server on my pc which has both secured and non-secured connections created. I have configured my Spring-MVC application to connect to LDAP servers in both secured and non-secured ways. When I try to connect the LDAP server from MY pc it is working fine. But when I try to conn...
VPK
X-Frame-Options Header Not Set in Apache Tomcat 8.5.9
1 vote, 0 answers, 1.2k views
I am using Apache Tomcat 8.5.9 server for Java Web application with struts2, spring and spring-security. While doing security testing using 'Zap 2.7.0 security scanning Tool' I got following errors in a scanning report of my web application. X-Frame-Options Header Not Set Web Browser XSS Protection...
Prakash Krishnakumar
Keeping apps tamper proof
1 vote, 0 answers, 67 views
Currently designing an iOS app that has functionality including the transfer of in-game currency to real-world currency (within Xcode using Swift, it's a mobile game). Since this app includes the prospect of real money, I couldn't help but feel that people would tamper with the game mechanics...
callum schenk
Security Issues with Anaconda?
1 vote, 2 answers, 1.8k views
There has been some back and forth between myself and the IT department of a company I recently began working for, regarding the installation of the Python / Anaconda suite on my work PC. The IT department is making claims of security risks (with Anaconda) but I suspect it's more of a matter of them not w...
lewisj
Spring - How to secure Server Sent Events
1 vote, 0 answers, 67 views
I want to use Spring's Server Sent Events to update specific parts in an Angular frontend. I want only authorized users to be able to subscribe to the Server Sent Events. That's not the problem, but how can I check if the user is still authorized to retrieve the push messages after e.g. the session is exp...
meleagros
Spring PermissionEvaluator multiple permissions
1 vote, 1 answer, 373 views
I have created a customPermissionEvaluator and I'm trying to find the best way of using the hasPermission implementation for multiple permissions. I know that if I use the next way: @PreAuthorize('hasPermission(#foo, 'test1') and hasPermission(#foo2, 'test2')') it will call @Override public boolean...
Gal Sosin
How to fix role in Spring Security?
1 vote, 2 answers, 814 views
I'm trying to use Spring Security in my project, here is the code: @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // TODO Auto-generated method stub //super.configure(auth); //auth.inMemoryAuthentication().withUser('admin').password('1111').roles('USER'); au...
Abd ELL
prevent a user from writing data to firestore if data exist
1 vote, 1 answer, 376 views
I am making an android app in which, when a user registers an account on firebase, he saves his email, phone number and password. But when he wants to login, he uses his phone number and password. Because of that requirement I must also make the phone number unique. There are a number of ways to do this b...
Ibrahim Usman
Only secure origins are allowed
1 vote, 0 answers, 3.4k views
I have a server and machines that access my application with Google Chrome. When trying to access the webcam I get this message: Uncaught (in promise) DOMException: Only secure origins are allowed I've found many solutions on stackoverflow for it, such as having SSL or executing chrome with options,...
pedrofialho
Why do some rules seem to work randomly? How to debug which rules are currently satisfied?
1 vote, 1 answer, 33 views
I am having some issues with some rules. Some rules are working one day, but they stop working the next day. I am taking into account that the rules do not affect the Administrator user. I am wondering if I could print a logger message in the ir.rule model to check which rule domains are c...
ChesuCR
OpenId connect Spring security 5 and Spring Boot
1 vote, 1 answer, 780 views
I'm trying to implement a Google-like authorization server. After a few hours spent searching I'm not able to find the solution. Where can I find a simple example to do that? I'm trying to use the @EnableAuthorizationServer annotation but I don't know if it is the right way.
Luca
How to handle JWT Authentication with Spring when implementing a CQRS pattern?
1 vote, 1 answer, 246 views
Using the latest Spring Cloud and Spring Boot, I've got a micro services layout with a Zuul gateway. At the moment when a user sends a get request their JWT token gets added to the request and that goes off to the microservice where they're authenticated and things go as usual. This all works perfec...
Chris Turner
Securing SpringBoot REST endpoints in Google Cloud Platform
1 vote, 1 answer, 217 views
I created a SpringBoot application with a couple of REST endpoints and deployed it to Google App Engine Standard. Everything works fine and I am able to hit the endpoints. Now I want to secure these endpoints and allow only users authorized as admin to be able to call one of the endpoints. I tried...
AndoverDev
How to enable CSRF protection in Spring Security 3.0
1 vote, 0 answers, 380 views
I'm trying to enable CSRF protection in Spring Security 3.0. All the articles I've found point to using the tag, which doesn't exist in this version of Spring Security and there's no chance of me upgrading to a newer version of Spring any time soon. (Corporate environment) With this in mind, how c...
Beth
How to add roles to Spring Boot security from a Zuul filter
1 vote, 0 answers, 711 views
I am developing a Spring Boot REST application that has a custom token authentication system. The token holds the roles for the user as claims. A Zuul proxy routes the traffic to multiple spring boot microservices and I would like to add a filter to the Zuul so that it extracts the roles from the to...
icordoba
how can I pass current_user from flask-security to a pluggable view function?
1 vote, 1 answer, 352 views
I have a flask app that uses flask security for authentication. I want to use graphql with graphene to fetch data but I'm having trouble accessing the current_user proxy which I've always used to resolve requests. graphene only provides a customized pluggable view which is understandable but it c...
Kasra Magmont
Symfony4 security login form
1 vote, 0 answers, 108 views
I have a problem with the login form in Symfony4. I use FOSUserBundle for security on my site, but I can't log in. It's my code: security.yaml security: # https://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers encoders: App\Entity\User: algorithm: sha512 providers: us...
PawiX
Spring Security: Creating multiple http-sections dynamically
1 vote, 0 answers, 194 views
Currently, I'm trying to figure out how to block every request, except for some routes secured with basic auth. The information of these routes is stored in a List of my utility object SecurityConstraintInfo (read from some configuration-file), which holds the username/password for the basic auth,...
user871611
Is it safer or unnecessary to encrypt a JWT with one key agreed upon by all programmers of a project?
1 vote, 1 answer, 265 views
I am currently working in an e-commerce project in which I am designing the Server-Side of an API (in PHP on Laravel 5.5) while my two colleagues are designing the Android and iOS apps which will get all their data from my side. The communication of sensitive and non-sensitive data will be done enti...
Frank.Lowell
Liberty ldap security-role/group mapping not working
1 vote, 1 answer, 419 views
In my server.xml I have the following configuration: My subject after the authentication looks like this: Principal: WSPrincipal:uid=MEMYSELFANDI,ou=person,o=somedir Public Credential: [email protected], realmName=LdapRegistry, securityName=MEMYSELFANDI,...
kinglite
How do I fix this Glassfish-4 EJB(@RolesAllowed) lookup issue
1 vote, 0 answers, 37 views
I am trying to look up a bean deployed on a different Glassfish instance. My app is running on another glassfish instance. The EJB has the @RoleAllowed('APPUSERS') annotation at class level. I have created a custom realm and JACC provider on both the instances. When I try to look up the Bean it gives NamingE...
Chintz
KASLR address search space and Meltdown
1 vote, 0 answers, 55 views
I am reading the meltdown paper from https://meltdownattack.com. I have a question regarding the section, 'Dealing with KASLR' on page 10. It mentions that 'the randomization is limited to 40 bit. Thus, if we assume a setup of the target machine with 8 GB of RAM, it is sufficient to test the addres...
Kai
how to save value from POST method into parameter of Java class?
1 vote, 0 answers, 81 views
I'm new to Java and am currently trying to create my own project, but I have a problem displaying information about the user on his main page. Now I need to save a value from my JSP page (/login), which uses the POST method, into a parameter of my Java class ('Controller'). login.jsp Log in with your account Log in...
Junior Java Mike
How to read data based on nested property in firebase database?
1 vote, 1 answer, 93 views
I currently have a firebase database with the following structure: SharedGroup groupid1 group: 'test' members lastname,[email protected],com: true groupid2 group: 'test new' members last,[email protected],com: true groupid3 group: 'Family' members lastname,[email protected],com: true last,[email protected],com: false...
leo c
Getting Spring Boot Security Working with Azure AD
1 vote, 1 answer, 497 views
Currently trying to get Azure AD integrated with a Spring Boot application I'm working on. I'm utilizing the azure-active-directory-spring-boot-starter package, and following the example laid out in the official documentation on Microsoft's website. However, when following the example, I'm receiving...
ReservedDeveloper
Java x64 & InstallCert.java & jssecacerts: unable to find valid certification path to requested target
1 vote, 0 answers, 428 views
I have a custom java-based tool to ping a server on the specified port. The tool works fine on Windows 7 x86, but fails with the following error on Windows 7 x64 with Java x64: Exception in thread 'main' javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path buildi...
Racoon
Spring security "Not logged in or anonymous" or "permission denied" catch 22
1 vote, 0 answers, 162 views
I am trying to move my grails 3 app to spring security shiro and I seem to be stuck in a catch 22 regarding user login. If I allow the signIn method outside access in the interceptUrlMap it says the anonymous user cannot be logged in and I see that it is trying to login with the following security prin...
JoeyHolloway
Exclude urls from spring-starter-security
1 vote, 1 answer, 45 views
I have a problem using springboot-starter-security. I want to secure only urls that do not begin with '/api'; all urls such as '/api' or '/api/' or '/api/**' must not be secured. In WebSecurityConfigClass I have: @Override public void configure(WebSecurity web) throws Exception { web.ignoring().ant...
Alex Foglia
Counting success and failed authentication
1 vote, 0 answers, 78 views
I use spring boot 2 in a thymeleaf application. I created a config class for authentication: @Configuration public class AuthenticationConfig { @Bean public AuthenticationSuccessEventListener asel() { return new AuthenticationSuccessEventListener(); } @Bean public AuthenticationFailureListener afel()...
robert trudel
Spring Boot Security Javascript Post 401 error
1 vote, 0 answers, 243 views
I'm currently developing a micro-service architecture application with a Spring boot Authorization Server. When I try to get a new token with an existing account through Postman I get a valid token. Postman request and result - Postman body Now when I try to do the same with a Javascript call I get a...
Kevin Bos
How to hide AJAX calls/urls from the browser page source code?
1 vote, 1 answer, 955 views
I haven't found the right answer for this and decided to post it... I just finished a website that took me a while to get done. This site is very interactive so it has quite a few ajax calls everywhere and the urls are visible (obviously); my website is done with php, vanilla js, jquery and mysql. I...
Ed91gg
Firebase DB security rules for Creating document
1 vote, 0 answers, 35 views
I have an app that uses Firebase realtime DB. The app allows Users to work with Projects. Each User has access to his projects and projects that are shared with him by other users. A User can create new projects and share his projects with other users. The app is just an HTML page hosted on static h...
Philipp Munin
Firebase Database query by condition of nested nodes
1 vote, 0 answers, 251 views
I have a static web page application (no backend server), that uses Firebase as User's database (javascript client). The database has the following structure: { users: { $userId:{ ///private user data } }, project: { $projectId:{ data:{...}, permissions:{ $userId:'owner'|'read'|'write' } } } } And u...
Philipp Munin
Is there a way to specify trusted origins for post requests in google web app?
1 vote, 0 answers, 68 views
Let's say I created a google sheet to capture users' email addresses. On my website there is a small form, and once the submit button is clicked, an ajax request to a google web app that writes data to a sheet is fired: // Let's select and cache all the fields var $inputs = $form.find('input, sel...
Felix
j_security_check form authentication with angular 4 application
1 vote, 0 answers, 174 views
We have a J2EE based application running on wildfly 8.1. We need to configure form authentication in web.xml for the UI, which is written in angular4. We have an angular4 app with a LoginComponent which accepts j_username and j_password. How to map angular 4's LoginComponent's LoginPage in web.xml for FormA...
Anuradha K
Prevent data deletion but allow adding and modifying in firebase realtime database?
1 vote, 1 answer, 86 views
I need to set up database rules to prevent certain sub-nodes from being accidentally deleted, but at the same time allow the sub-nodes to be added and modified. The node in question is users/[userID]. It's structured like this: I don't want the data in users/[userID]/soundcasts to ever be deleted. A...
NatashaC
Is it possible to add a new Security Policy in .NET without recompiling?
1 vote, 0 answers, 25 views
If I need to add a new test to a policy-based security configuration, MS says to add a new condition or the like to my handler or create another handler. https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies services.AddAuthorization(options => { options.AddPolicy('BadgeEntry',...
johnny
Popups are not suppressed if the delay <= 1000 ms
1 vote, 0 answers, 35 views
I've tested on various browsers executing the code snippet below and they all get blocked by default. setTimeout(() => window.open('https://google.com'), 1001); But if the delay is
theJian