Questions tagged [security]

26955 questions
1 vote · 1 answer · 145 views

PDO prepared statement security

This is my first participation in this great website, so I hope to get the first great answer to my question. I'm using the following code to insert data into a MySQL database: if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form2")) { $q = $conn->prepare("INSERT INTO client (name, addre...
Anibel
1 vote · 2 answers · 1k views

Why do I get AccessControlException: access denied when I add BouncyCastleProvider to Security in Tomcat servlet

I've created a Java servlet and run it in a Tomcat server on a web hotel. It should send push messages to iOS devices, so I added JavaPNS. This works fine in my local Tomcat server, but when I deploy it on the Tomcat server provided by the web hotel, this statement: Security.addProvider(new Bouncy...
Ola
1 vote · 0 answers · 30 views

Compare two maps with Firestore security rules (many-to-many security rule)?

Admins can manage various forums; this admin manages forumA, forumC and forumQ: account.forumAdmin = { forumA: true, forumC: true, forumQ: true }; Users can be members of multiple forums; this user belongs to forumA and forumX: account.memberOf= { forumA: true, forumX: true }; Admins who manage a fo...
Baz
1 vote · 1 answer · 2.1k views

Spring Security - Anonymous Authentication - HttpSessionRequestCache

Please help me on this. void setCreateSessionAllowed(boolean createSessionAllowed) method of org.springframework.security.web.savedrequest.HttpSessionRequestCache class says If true, indicates that it is permitted to store the target URL and exception information in a new HttpSession (the defaul...
VirtualLogic
1 vote · 3 answers · 11.5k views

Servlet - isUserInRole()

Spec: Servlet: 3.0, Java: 7, Tomcat: 7.0.54. Intro: It is possible to check programmatically if a user has a specific role using the method HttpServletRequest.isUserInRole(). For example: public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException{ String u...
Hubert
1 vote · 1 answer · 3.7k views

An explanation about overriding SimpleUrlAuthenticationFailureHandler

I've been studying Java and Spring for a while during my spare time, so I master neither Java nor Spring yet. For the web project I created to study Java and Spring I had to extend SimpleUrlAuthenticationFailureHandler. What is not clear to me is why, after extending SimpleUrlAuthenticationFai...
MDP
1 vote · 3 answers · 17.1k views

java.security.SignatureException: Signature does not match

I created a java keystore with name cloudsslkeystore.jks keytool -genkeypair -validity 730 -alias cloudsslkey -keystore cloudsslkeystore.jks -dname "cn=localhost" -keypass password -storepass password I exported it as certificate with name cloudcertificate.cer keytool -export -rfc -keystore cloudssl...
Himalay Majumdar
1 vote · 1 answer · 1.5k views

get response from spring oauth2 token request as xml

I am implementing an OAuth2 REST server using Spring 4 and Spring OAuth2. The response can be either XML or JSON, as specified by the client request header. But I am getting issues from OAuth2 whenever I try to access the token: it supports only JSON (application/json), it is not supporting XML (application/xm...
Pranav
1 vote · 2 answers · 662 views

pbkdf2_sha256 C# implementation

I've got a database where passwords are stored as pbkdf2_sha256. I want to create a tool (in C#) which should create new passwords. My problem is: how can I encrypt the password in C#? I found a Java class which works for me, but I cannot use this sample in C#. Is there a similar way? I tried also...
Lee
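
Added example, not the asker's code: producing and checking a PBKDF2-HMAC-SHA256 password hash in Python's standard library. The four-field storage layout `pbkdf2_sha256$<iterations>$<salt>$<base64 digest>` is an assumption about what "stored as pbkdf2_sha256" means in the question's database, so adapt the split/join if the stored strings look different; the 600,000 default iteration count is likewise a chosen value, not something the question states. The same derivation in .NET is `Rfc2898DeriveBytes` with `HashAlgorithmName.SHA256`, so the format logic ports directly.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: choose the work factor your login latency budget allows


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'.

    The four-field layout is an assumption about the database in the question.
    PBKDF2 is a one-way derivation: the stored value lets you verify a password,
    never recover it, which is what a password database should hold.
    """
    if salt is None:
        salt = secrets.token_hex(16)  # 128 bits of randomness, hex so it never contains '$'
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    encoded = base64.b64encode(digest).decode("ascii")
    return "$".join([ALGORITHM, str(iterations), salt, encoded])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt, _encoded = stored.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hash_password(password, salt=salt, iterations=iterations)
    # compare_digest keeps the comparison time independent of where the first mismatch is
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when a stored hash is weaker than current policy: rehash it at the next successful login."""
    try:
        algorithm, stored_iterations, _salt, _encoded = stored.split("$", 3)
        return algorithm != ALGORITHM or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Correct horse battery staple", stored))  # False
```

Keep the iteration count in the stored string, as above, so raising it later does not invalidate existing rows: old hashes still verify, and `needs_rehash` tells you which users to upgrade when they next log in.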
0 votes · 0 answers · 6 views

Get method mapped to request in Spring Security

I have to use some custom role authorization logic with spring security and jaxrs. Meaning I want to use my custom annotation. I have a problem with obtaining the method and class that are mapped to the current request and I need them so I can extract the annotations present on them. I tried injecti...
randomname
0 votes · 0 answers · 4 views

WKWebview [Warning] [blocked] The page at https://www.myurl.com was not allowed to display insecure content from mycustomscheme://?path=somepath

I've recently replaced my UIWebView with a WKWebView in my hybrid app. I'm using a custom scheme to load images from the native part of the app, as is recommended by Apple here: https://developer.apple.com/videos/play/wwdc2017/220/ I'm loading the images from a URL that looks like mycustomscheme://?pa...
Tako
1 vote · 1 answer · 211 views

Infinite loop when bad credentials are entered in Spring Security form login

As far as I have been able to determine, it gets into an infinite loop only when the following bean is enabled on my . If this bean is enabled in the WebSecurityConfigurerAdapter extended class. @Override @Bean(name = "MyAuthManager") public AuthenticationManager authenticationManagerBean() throws Exception { re...
user871199
1 vote · 2 answers · 1.7k views

HTTP(S) request security using random headers

I understand that CSRF is a major security concern for HTTP(S)-based applications. From the looks of it, most frameworks send the CSRF token as part of the request body. However, in my case that is somewhat inelegant for several reasons; most importantly I don't want to mess with the transport layer...
Domi
1 vote · 2 answers · 5.5k views

HTTP 405 Not Allowed - Spring Boot + Spring Security

I have a simple rest API which works with database. It worked properly until I added the security part. Now it gives HTTP 405 Not Allowed on the POST and DELETE requests. I have no idea why. The GET requests work properly. So here is the controller class: @Controller public class MarkerController {...
definera
3 votes · 0 answers · 157 views

How to avoid java Security Information popup?

Problem - Java security information popup appears when applet based application loads in the browser. When I check "Always trust content from the publisher" and click run, the application runs and certificate is added to java user trusted certificates list. When I run the application the next time,...
Nishant
0 votes · 0 answers · 2 views

mod_security: Block only if a client causes more than 10 error messages

I am currently trying to create a list of whitelists in ModSecurity for my application. To reduce false positives I thought about something like this: if a user causes more than 10 error messages (ModSecurity messages), it will then be blocked. Is something like this possible?
hukachaka
1 vote · 1 answer · 97 views

Strip-tags vs htmlentities vs other. Which has the better security in php?

I'm creating a website (assuming that it will have a lot of users) that is going to have users using all characters, so it could contain characters like >, < and /. Someone suggested that I use htmlentities() instead of strip_tags(). Is htmlentities reasonably safe against SQL injection? And is t...
Hedi
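
Added example, not code from either asker, serving both this question and the PDO prepared-statement question earlier on this page: HTML entity encoding and SQL parameterization address two different injection contexts, and the example shows what happens when one is used in place of the other. The `client` table and its rows are constructed sample data; Python's `html.escape` stands in for PHP's `htmlentities()`, and sqlite3's `?` placeholder stands in for a PDO prepared statement.

```python
import html
import sqlite3


def setup_db():
    """Constructed sample data; the table name echoes the PDO question's INSERT INTO client."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO client (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_html_escaped(conn, user_input):
    """Wrong tool for the job: HTML output encoding applied to SQL input.

    html.escape (like htmlentities) neutralises <, >, & and quotes for an HTML
    context.  In an unquoted numeric SQL context none of those characters are
    needed for an attack, so the payload is concatenated into the query unchanged.
    """
    escaped = html.escape(user_input, quote=True)
    sql = f"SELECT name FROM client WHERE id = {escaped}"  # string-built SQL
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_input):
    """Right tool: a placeholder, so the driver passes the input as a value, never as SQL text."""
    rows = conn.execute("SELECT name FROM client WHERE id = ?", (user_input,))
    return [row[0] for row in rows]


def render_name(name):
    """HTML encoding belongs at output time, when a stored value is written into a page."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    db = setup_db()
    payload = "1 OR 1=1"
    print(lookup_html_escaped(db, payload))   # all three names: the injection worked
    print(lookup_parameterized(db, payload))  # []: the payload is a value that matches no id
    print(render_name("<script>alert(1)</script>"))
```

Both defences are needed, each at its own boundary: parameterized statements when data goes into the database, entity encoding when data comes out into HTML. Neither one substitutes for the other.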
1 vote · 1 answer · 816 views

Does Android account manager encrypt information stored in it?

My requirement is to store a username and password in my application. I am storing the username and password using the Android AccountManager and I am not able to get any straight answers to the following queries: Do I need to encrypt credentials before storing them in AccountManager? Does Android account manage...
Rahul Tiwari
1 vote · 2 answers · 2.9k views

Error in Spring XML schema “No setter found for property 'oAuth2RequestValidator'”

I have an error in my Spring file 'authorization-server-custom-grant.xml', about a setter that is not in the class org.springframework.security.oauth2.provider.endpoint.TokenEndpoint, which inherits from (is a child of) org.springframework.security.oauth2.provider.endpoint.AbstractEndpoint. This...
Francisco Nieves
1 vote · 2 answers · 327 views

Global variable security implications

I have a global variable in my application. This is something I don't want to store, but which the user should be able to access while the app is running. All works. My question is: what security implications does using a global variable have? Is it accessible from other apps?
John
1 vote · 2 answers · 1.4k views

logoutSuccessUrl not working in Spring Boot

I have a simple Gradle Spring Boot (v 1.3.3) WebMVC application I'm running from the command line via "Gradle bootrun". I am also including Spring Security and am overriding some default security configuration by including a java security config class. My build file is buildscript { ext { springBoot...
Mike HT
1 vote · 2 answers · 787 views

In Content Security Policy is there a way to match self + any port?

In development I have a livereload server that runs on the standard port 35729, however this isn't loaded because my policy has script-src 'self'. Is there a way to allow 'self' on all ports? 'localhost:*' also isn't a great solution because on occasion I test the site on our local network...
joshhunt
1 vote · 2 answers · 4.4k views

POST request error: NSURLConnection HTTP load failed iOS 10

I'm new to iOS programming. I want to connect my app to my web service (HTTPS). Why is Xcode telling me this error when I run a POST request with 'Alamofire 4.0' in iOS 10? This error doesn't appear when I use the iOS 9 simulator. I've tried various ways as people say on Stack Overflow and none of them sol...
dhafinm
0 votes · 0 answers · 4 views

Dynamically Secure Method Using Spring Security - Role Based Access Control

@CrossOrigin(origins = "*", maxAge = 3600) @RestController public class RbacAccess { @GetMapping("/api/user") @PreAuthorize("hasRole('ROLE_USER')") public String userAccess() { return ">>> User Contents!"; } @GetMapping("/api/admin") @PreAuthorize("hasRole('ROLE_ADMIN')") public String adminAccess()...
Md.Samiul Arafin
2 votes · 0 answers · 19 views

how to check if the device is being accessed remotely in android using Java ? or javascript for cordova?

I just want to check if the device is being operated remotely or not, as I don't want someone to use my app remotely, for security reasons. I checked over the internet but didn't find any solution. Any help would be good. Thanks.
MSD
1 vote · 1 answer · 650 views

Expiration time of password reset tokens

When users forget their passwords, they can reset it (on most websites). They do so by receiving an email with a reset-token, then using that to set a new password. This token usually expires after a while to protect against guessing. Let's say the token is 256-bit. Bruteforcing it with lots of supe...
Rien Heuver
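
Added example, not the asker's code: a minimal reset-token flow in Python's standard library, plus the guessing arithmetic the question starts on. The server keeps only a SHA-256 digest of the token (so a database read does not hand out live tokens), enforces single use, and expires entries after a lifetime. The one-hour lifetime and the 10^12 guesses/second attacker rate used below are chosen numbers for illustration, not values from the question.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32           # 256-bit token, as in the question
TOKEN_LIFETIME_S = 3600    # assumption: one hour


def guess_success_probability(bits, guesses_per_second, lifetime_s):
    """Upper bound (union bound) on an online guesser hitting one live token before it expires.

    For a uniformly random token each guess succeeds with probability 1/2**bits,
    so the chance of any success in the window is at most guesses/2**bits.
    """
    return min(1.0, guesses_per_second * lifetime_s / 2 ** bits)


class ResetTokenStore:
    """Issues single-use reset tokens and stores only their digests with an expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._pending = {}           # sha256(token) hex -> (user_id, expires_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(TOKEN_BYTES)          # goes into the e-mail link
        digest = hashlib.sha256(token.encode()).hexdigest()  # the only thing we persist
        self._pending[digest] = (user_id, self._clock() + TOKEN_LIFETIME_S)
        return token

    def redeem(self, token):
        """Return the user id for a valid, unexpired token and consume it; otherwise None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token is usable at most once
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    def purge_expired(self):
        """Housekeeping: drop entries whose window has closed; returns how many remain."""
        now = self._clock()
        self._pending = {d: v for d, v in self._pending.items() if v[1] >= now}
        return len(self._pending)


if __name__ == "__main__":
    print(guess_success_probability(256, 1e12, TOKEN_LIFETIME_S))  # ~3e-62
    store = ResetTokenStore()
    token = store.issue("user-42")
    print(store.redeem(token))   # user-42
    print(store.redeem(token))   # None: already used
```

The arithmetic makes the point behind the question concrete: at 10^12 guesses per second for an hour, the chance of guessing a 256-bit token is about 3 × 10^-62, so the expiry is not what stops guessing. What the lifetime and the single-use rule do limit is how long a token that leaks some other way (a forwarded e-mail, a mail server log, a compromised inbox read later) stays usable.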
0 votes · 0 answers · 7 views

How can I set firebase rule for switch button

In the Firebase Realtime Database the child Button's value is 'true'. I want the new value to be only 'false' while it is 'true', and the opposite: it has to be 'true'. How can I code this as a Firebase rule? I'm guessing to use data.exists() or 'true' or 'false' as a string, but using data.exists() is a stretch for me.
J.Doe
1 vote · 1 answer · 1.2k views

TokenStore MongoDB Spring OAuth2

I'm trying to create a token store on MongoDB. I wanted to use the current DB connection in my app. I've used the JdbcTokenStore and converted it, but I think I've done it wrong since I was not able to @Autowired (it is null). I guess it is because that bean is starting before the Mongo connection be...
Jonathan
-2 votes · 1 answer · 14 views

How to hide source code like on Lionsgate's website?

I wanted to ask you how it is possible to hide the source code like on Lionsgate's website: https://www.lionsgate.com/ If you head over to: view-source:https://www.lionsgate.com/ Here is the code from view-source: (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event...
Viktor Gavrilovic
0 votes · 0 answers · 6 views

How many attempts per second can a password cracker actually make?

Google searches reveal that password crackers can quickly try millions of combinations and easily crack many passwords. My research does not show whether they can practically make that many attempts so quickly in a real-world attack. How do these password-crackers actually have to interface with se...
John
0 votes · 0 answers · 6 views

Using Spring Security SAML Siteminder

I'm trying to integrate SiteMinder with Spring Security. Users already connected to Windows (domain authentication) can access the web application (Tomcat - RHEL) with the current Windows username; roles are managed by the web app itself. Is it possible? Is there any example that might help m...
btkminder
0 votes · 0 answers · 5 views

Automate Login to site using Spring Boot (Spring Security) and LDAP

I am working on a Spring Boot project which uses LDAP in Spring Security for authentication. I need to automate the login once the user hits the login page, based on the roles in the LDAP group provided in Spring Security. If the user has any role in the group mentioned in LDAP, then it must redirect to th...
Michael
1 vote · 1 answer · 1.9k views

HSTS vs only https with secure cookie

Is it good enough protection if my site is serving on HTTPS with a secure session cookie and redirects any attempts for HTTP URLs to HTTPS? What kind of security holes can I be exposed to in this setup, for which I cannot live without setting the HSTS header?
Pratik Khadloya
1 vote · 1 answer · 33 views

Comparing two strings, both with regex

I'm implementing a security system on my application and I'm having some problems checking if user x has permission y. Well, let's contextualize. E.g.: my app has these permissions: cmd.a cmd.b api.a api.b. The admins have the following permissions available: *.a (* means everything, so it's cmd.a an...
NathanPB
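
Added example, not the asker's code: matching dotted permission names such as `cmd.a` against patterns such as `*.a`, and the two regex mistakes that make such checks grant more than intended. The semantics chosen here are an assumption, since the question shows only `*.a`: a `*` stands for exactly one dot-free segment, every other character is literal, and the match is anchored to the whole string. The naive variant is included only to show why escaping and anchoring matter.

```python
import re


def pattern_to_regex(pattern):
    """Compile a permission pattern ('*.a', 'cmd.*', 'cmd.a') into an anchored regex.

    Each segment is escaped with re.escape, so the '.' separator and any other
    regex metacharacter in a permission name match only themselves; a segment
    that is exactly '*' becomes [^.]+ (one non-empty, dot-free segment).
    """
    segments = [r"[^.]+" if seg == "*" else re.escape(seg) for seg in pattern.split(".")]
    return re.compile(r"\A" + r"\.".join(segments) + r"\Z")


def has_permission(granted_patterns, required):
    """True if any granted pattern matches the whole required permission string."""
    return any(pattern_to_regex(p).fullmatch(required) is not None for p in granted_patterns)


def naive_has_permission(granted_patterns, required):
    """The bug, for contrast: the pattern is used as a regex verbatim and searched unanchored.

    An unescaped '.' matches any character and re.search accepts a prefix hit, so
    a grant of 'cmd.a' also passes for 'cmd.admin' and 'cmdXa'.
    """
    return any(re.search(p.replace("*", ".*"), required) is not None for p in granted_patterns)


if __name__ == "__main__":
    admin = ["*.a"]
    for perm in ["cmd.a", "api.a", "cmd.b", "cmd.a.extra"]:
        print(perm, has_permission(admin, perm))
    print("naive grants cmd.admin from cmd.a:", naive_has_permission(["cmd.a"], "cmd.admin"))
```

When the permission strings come from configuration or user input, treat them as data: escape them before they reach the regex engine and anchor the expression, or skip regex and compare segment lists directly. The important property is the same either way: a grant never matches more names than the administrator wrote.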
2 votes · 1 answer · 73 views

Using Variables in a Firestore Security Rules “List” operation

I'm attempting to set up security rules that allow access to a collection based on the value of a document field in a subcollection. This works as expected when retrieving an individual document by id, which is a get operation. However, when querying main_collection (a list operation), this fails w...
cokeman19
1 vote · 2 answers · 2.4k views

Spring Boot keycloak and basic authentication together in the same project

I have an issue with Spring Boot security. What I want is to have two different authentications for the same project at the same time in Spring Boot. One is SSO (Keycloak authentication) for all paths except '/download/export/*'; the other one is Spring Boot basic authentication. Here is my conf...
gubak
1 vote · 1 answer · 197 views

Invalidating JWTs on sign out?

I'm new to JWT and was wondering if it is possible to invalidate/void JWTs on the server-side when a user signs out of an application (I'm also wondering if it even makes sense to do so!). Idea is: User clicks a sign out link in their app App makes a call to POST https://api.myapp.example.com/auth/i...
smeeb
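
Added example, not the asker's code: one server-side way to make sign-out take effect for a JWT before it expires. Each token carries a unique `jti` claim; the sign-out endpoint verifies the token and records its `jti` on a denylist, and every later verification consults that list. Entries only need to live until the token's own `exp`, after which the normal expiry check rejects it anyway. The HS256 signing key, the 15-minute lifetime and the claim names beyond the RFC 7519 standard set are constructed for the example; a real deployment would use a JWT library and a shared store (such as a cache) for the denylist so all API instances see the same revocations.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"constructed-demo-key-rotate-me"  # assumption: the API's HS256 signing key


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub, ttl_s, now=None):
    """Mint an HS256 JWT with a unique jti so that this one token can later be revoked."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_s, "jti": uuid.uuid4().hex}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """Denylist of signed-out jti values, each kept only until its token would expire anyway."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, payload):
        self._revoked[payload["jti"]] = payload["exp"]

    def is_revoked(self, payload):
        return payload.get("jti") in self._revoked

    def prune(self, now):
        """Drop entries whose tokens have expired; returns the number still held."""
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return len(self._revoked)


def verify_jwt(token, revocations, now=None):
    """Return the payload if alg, signature, exp, jti and revocation status all check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # the server fixes the algorithm; the token does not choose it
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if "jti" not in payload or revocations.is_revoked(payload):
        return None
    return payload


def sign_out(token, revocations, now=None):
    """Server side of POST /auth/... sign-out: verify, then deny this token's jti until it expires."""
    payload = verify_jwt(token, revocations, now)
    if payload is None:
        return False
    revocations.revoke(payload)
    return True


if __name__ == "__main__":
    revoked = RevocationList()
    token = issue_jwt("alice", ttl_s=900)
    print(verify_jwt(token, revoked) is not None)  # True: fresh token
    print(sign_out(token, revoked))                 # True: now on the denylist
    print(verify_jwt(token, revoked))               # None: rejected after sign-out
```

The trade-off this makes explicit: a denylist turns a stateless check into a lookup on every request, which is why many designs instead keep access tokens very short-lived and revoke only the refresh token. Either way, the denylist stays small because `prune` can discard anything past its `exp`.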
0 votes · 0 answers · 4 views

Perplexities in spring security method POST and GET

I have a strong doubt about the use of Spring Security; specifically I want to know how to defend functions connected to the controller (GET and POST). Let me explain better: by defend I do not mean performing that action only for authorized users with certain roles, I intend to defend that action even by a...
Luca De Angelis
1 vote · 1 answer · 887 views

How to get userinfo in springboot using keycloak?

I was able to get the username by using: @Autowired private HttpServletRequest request; Principal user = request.getUserPrincipal(); mqMessage.setUserName(user.getName()); But I want to get the firstName & lastName of the logged-in user. How can I get the ff. userinfo using the Spring Boot Keycloak adapt...
LogronJ
1 vote · 2 answers · 951 views

Spring Boot security + JWT 'springSecurityFilterChain' error

I got some error in my Spring Boot code, but I'm not able to know why it is having an error and not working. I used JPA, and that was working well (as clearly before using security and OAuth, JWT). I added a filter to @Configuration. Logs are here: org.springframework.beans.factory.BeanCreationExce...
tryAll
