Questions tagged [security]

35496 questions

Different handling of basic authentication in REST client and web app in browser
1 vote, 0 answers, 6 views
I have an Angular frontend and a Spring backend. I'm using Spring Security to handle HTTP basic authentication. I noticed a strange difference in behaviour between Advanced REST Client (or any other) and the Angular web app. For tests I disabled my httpInterceptor so it is not including 'Authorisation: Basic fooba...
skoomi

Firebase rules and validations for updating existing data
1 vote, 1 answer, 330 views
I have a data structure as follows: { 'users' : { '31J59dq1clZ3inHMzoopiigsEg63' : [ { 'name' : 'Lanchana', 'timestamp' : 1516916245423, 'uid' : '31J59dq1clZ3inHMzoopiigsEg63', 'userEmail' : '*****@gmail.com', 'total-stars' : 123 } ] } } and Firebase rules as follows: { 'rules': { 'users': { '$uid'...
lanchana gupta

Can't get permission to Firebase database on iOS
1 vote, 2 answers, 254 views
I can't get permission to the database. In the Xcode console I am getting this message: [Firebase/Database][I-RDB038012] Listener at /skelbimai failed: permission_denied So I went to the Firebase database, then Rules, and changed it like this: service cloud.firestore { match /databases/{database}/documents { matc...

Firebase Cloud Storage security rule for deleting
1 vote, 1 answer, 187 views
Hi, I am using Firebase Cloud Storage to develop a web application. I would like to set different security rules for setting a file from deleting a file. It seems that write includes both of them according to the documentation. Does anyone know how to solve this problem? What I would like to do is this. Anyone...
Tsukasa Nomoto

Spring Boot 2 - Session Issues
1 vote, 0 answers, 13 views
My security config reads like this: protected void configure(HttpSecurity http) throws Exception { http .antMatcher('/**') .authorizeRequests() .antMatchers('/*.js', '/*.ico', '/*.png', '/*.css').permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage('/login') .loginProcessingUrl('...
Magd Kudama

CSP - How to solve style-src unsafe-inline when having dynamically positioned page elements
1 vote, 2 answers, 347 views
In our app code we allow some objects to be dragged and dropped around the page. We also have things like popups that need to be positioned below buttons, and dialogs that we position in the page, etc. To do so we need to allow the following inline CSS properties: z-index, top, bottom, left, right, height, width...
Tim

Firestore Rules: validate data does not have field
1 vote, 2 answers, 235 views
So I currently have two roles for all users: isAdmin and isReader. An Admin is allowed to read and write data and a Reader is allowed to read data. When someone creates an account he has no rights, not even isReader. Only an Admin can change rules. This is how I planned to do it: Once someone crea...
Jonas

Can debug logging be added to Firestore rules functions?
1 vote, 1 answer, 134 views
Given that the Firestore rules structure allows for functions, is there some way to add debug logs to those rule functions, in order to verify that the function you expect is in fact being called? I see that with the simulator it shows a red X at the line in the rules structure where access is...
Gene Bo

How to extend Spring Security's @PreAuthorize with a custom validating rule?
1 vote, 2 answers, 280 views
Spring Security provides some convenient method-control annotations: @PreAuthorize('hasRole('ADMIN')') @PreAuthorize('hasAuthority('ROLE_ADMIN')') @PreAuthorize('hasPermission('ADD')') I want to extend it with some custom method like @PreAuthorize('hasCompany('XX')') and its validation data should...
rellocs wood

Does Spring Security OAuth2 support Authorization Code Flow with PKCE for browser (Angular) clients?
1 vote, 1 answer, 435 views
Browser application auth used to be managed using the Implicit grant of the Authorization Server. I successfully implemented this using Spring Security OAuth. This approach has several drawbacks: refresh tokens are not supported, so when the token expires we need to reauthenticate with the Authoriz...
codependent

Where is it safest to store JSON Web Tokens (JWTs) on the client side?
1 vote, 1 answer, 336 views
Hello Stack Overflow community! We are building an SPA with the Nuxt.js framework and we have arrived at the point of deciding which is the safest way to store a JWT from our backend API service. We have two options: cookies with the httpOnly flag versus localStorage. I read a ton of articles about the comparison of this...
Vasileios

Does Spring Security's JWT implementation deal with the alg:none attack? [closed]
1 vote, 1 answer, 69 views
JWT implementations might be exposed to different attacks; one of them is the 'alg:none' attack (see more details here). I'm using the 'spring-security-jwt' dependency in my pom.xml file, and was not able to find out whether this implementation deals with the 'alg:none' attack. Is this attack mitigated...
omer

How to set access_control to disallow users having 'ROLE_USER' from accessing path ^/login after successful login?
1 vote, 2 answers, 58 views
In the security.yaml file we define the access control for various routes and the ROLES that can access that same route. But how can we set it so that a user who is logged in can't revisit the /login page unless and until they log out and 'ROLE_USER' changes to 'anon'? I am new to Symfony 4.2. Controller: na...
Saurabh

What is the most secure way to store keys in React Native?
0 votes, 1 answer, 14 views
Thanks for your help in advance. I'm using React Native and Node.js to deliver a product for my company. I've set up the steps on the backend to retrieve a password, validate it and respond with a token. The only problem is the password I use on the front end (mobile app) to be validated by the ba...
threadpool

Is it possible to make a trial version of PHP web-based software? [duplicate]
1 vote, 4 answers, 2.3k views
Possible Duplicate: How to implement licensing in a PHP downloadable application. I am developing web-based software; I wonder if it's possible to protect a website developed with PHP from being copied. I mean I want to make sure that the user doesn't copy the software and sell it or give it to anothe...
major

Revoked X509Certificate
1 vote, 7 answers, 5.1k views
How can I programmatically get when an X509Certificate was revoked? I can get information on whether a certificate is revoked, but I need to get when it was revoked. I think that the CRL has that info, but can someone tell me how to read that?
buda

Securing the application with authentication and resolving the user name from the request header at class level
1 vote, 0 answers, 5 views
I have a web application with 10 controllers. Each controller represents an endpoint. Each controller has various API operations. I have used basic authentication for the API methods. I have used @RequestHeader in these methods to get the header and resolve the username from it. I was wondering if I ca...
computatma

How to make the refresh token valid for life and issue a new refresh token each time a refresh_token grant_type request comes in, in Spring Security OAuth2
1 vote, 2 answers, 6.1k views
I am using Spring Security OAuth2 for authentication for my Android application clients. When the client request comes with grant_type as password, the server issues the access token and refresh token. If the access token expires I can issue a new access token by sending a request with grant_type as re...
KJEjava48

PKCS#11 engine for OpenSSL
1 vote, 1 answer, 3.6k views
I'm trying to set up OpenSSL under Windows 7 to use a vendor-specific security module. From the vendor I got a PKCS#11 API DLL (let's say vendor.dll). The PKCS#11 engine has been created according to https://github.com/OpenSC/libp11 As described in the link, for testing, I start openssl engine pkcs11...
michael

Is there a way to have AWS RDS Public Accessibility = No but still be accessible outside of an EC2 instance?
0 votes, 0 answers, 12 views
For management-related reasons, I need the Public Accessibility option set to 'No' for the RDS. However, we're also looking into being able to access the RDS from our local devices. The only way we're able to do so is by selecting 'Yes' in Public Accessibility. Of course, the VPC, Gateway, Subnet, a...
ZekiraDrake

username parameter is empty in loadUserByUsername(String username) - Spring Boot
1 vote, 2 answers, 2k views
This is my UserDetailService: public class StockUserDetailService implements UserDetailsService { @Autowired private UserRepository userRepository; private static final Logger logger = Logger.getLogger(StockUserDetailService.class); @Override public UserDetails loadUserByUsername(String username) th...
Ashwin

Spring MockMvc redirect not working
1 vote, 1 answer, 525 views
I am trying to mock a POST request using the code below. I am testing a Spring Security login request. MockMvc mvc = MockMvcBuilders.webAppContextSetup(context).addFilter(springSecurityFilterChain) .apply(springSecurity()) .build(); MvcResult mvcResult = mvc.perform(post('/j_spring_security_check...
lives

Spring Boot basic authentication: Spring Boot session possible?
1 vote, 1 answer, 1.2k views
I have a Spring Boot back-end server application that implements basic authentication over HTTPS. It will not have a traditional web-based front end; rather my Android and iOS clients will be using REST API calls. The backend application is currently validating the username and password information...
geezer57

AuthenticationManagerBuilder is not recognizing my datasource, which doesn't allow me to log in; what is the approach to do this with Spring Boot?
0 votes, 0 answers, 10 views
I am trying to authenticate my user through the database with a dataSource. @Configuration @PropertySource(value = { 'classpath:application.properties' }) public class FormAppConfig { @Autowired Environment env; @Bean public DataSource securityDataSource() { BasicDataSource dataSource = new BasicDataS...
Adwait Uprety

How to use Spring Security without password encoding?
1 vote, 2 answers, 2.2k views
I'm currently trying to learn Spring Security. I used BCryptPasswordEncoder to encode the user password before persisting it into a database. Code: @Override public void saveUser(User user) { user.setPassword(bCryptPasswordEncoder.encode(user.getPassword())); user.setActive(1); Role userRole = roleRepositor...
Arjun

Firestore dynamically update security rules
1 vote, 2 answers, 258 views
Imagine we have a chat application, and in this application we have many rooms, some private and some for everyone. Every room has an admin who can manage users (can invite and remove). Only members of the room can read and write messages. An admin is the person who created a room in this scenario. I wa...
svkaka

Spring Boot & Keycloak - only working for GET method
1 vote, 2 answers, 403 views
The following is working fine: @GetMapping(path = '/onlyforAdmins') @Secured('ROLE_ADMIN') public ResponseEntity secureHello(Principal principal) { return new ResponseEntity('hello ' + principal.getName(), HttpStatus.OK); } However, I am always getting 403 when I try the following: @RequestMapping(...

How do I behave responsibly when fetching a URL provided by a user?
1 vote, 1 answer, 56 views
What problems am I likely to face / what should I consider? I'm starting from a point of rate-limiting per user, maybe overall, possibly per domain. I guess I'll parse_url(), make sure I set reasonable timeouts, etc. Is there a big class of security hole I need to watch out for?
Bobby Jack

Secure PHP execution on server
1 vote, 2 answers, 40 views
I have a PHP script which updates a database. I want to be sure that no one else can call my script remotely and execute it. I tried this code but it did not work; the referer was always empty because I use an HTTPS connection. if (strpos($_SERVER['HTTPS_REFERER'], 'linkedfilm.com') == false) { exit();...
Daina Hodges

Unique hash as authorization for endpoint
1 vote, 2 answers, 30 views
I've already seen that sometimes companies send customized links to get to some resource without logging in. For example, some company sent me an email with a link to my invoices: www.financial.service.com/ and there is no authorization behind this endpoint; they only rely on the fact that I am onl...
user2771738

CSP with a Service Worker
1 vote, 1 answer, 93 views
I want to implement CSP on my site, but also have a Service Worker that caches resources and provides a notice if you are offline. I have defined the following policy: style-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'none'; Google's CSP eval...
Chris

C and static code analysis: is this safer than memcpy?
1 vote, 1 answer, 101 views
Is the following function safer than using memcpy? memcpy gives the following 'Improper_Null_Termination' error in Checkmarx static code analysis: The string in at line is stripped of its terminating null-byte by at . However, if I use the following function, Checkmarx has no issue: void myMem...

Can we limit 'Security Level' in Secure Channel Protocol (SCP) 02 communication?
1 vote, 1 answer, 43 views
I have a situation where I want to load and install an applet on a card. SCP_02 will be used to perform authentication with the ISD or CM. But I want SCP_02 authentication to be performed only with maximum security, i.e. C-MAC and encryption. No other security level should be allowed by the ISD (or by any ad...
Abhishek

Disabling pop-up of secure and non-secure content in Internet Explorer
1 vote, 3 answers, 2.2k views
I have a few images on a web page which are fetched from an HTTP server while the whole web page is on HTTPS. So in Internet Explorer 7 and 8 I get this pop-up: This page contains both secure and non-secure items The majority of users use Internet Explorer. Somehow they are getting worried about this pop-up. Eve...
yogsma

Class file for org.springframework.transaction.annotation.Transactional not found - not using @Transactional
-1 votes, 0 answers, 14 views
I'm following this guide and after adding the JWT Token Store config from Step 3: @Bean public TokenStore tokenStore() { return new JwtTokenStore(accessTokenConverter()); } @Bean public JwtAccessTokenConverter accessTokenConverter() { JwtAccessTokenConverter converter = new JwtAccessTokenConverter()...
Ian

How to detect and manage disk/registry/network activity performed by a loaded DLL?
3 votes, 2 answers, 101 views
Assuming my application implements a plugin/extension system which allows the user to dynamically load and execute code from external DLL files, how would I go about managing security in terms of disk, registry and network access (read/write/delete)? To be more specific, I would like to be able to k...
IneedHelp

Securing a folder in an ASP.NET web directory
1 vote, 2 answers, 6.7k views
I worked a long time back on a website and it has been working fine; recently a problem has been reported, which I need to go through. In my site there is a folder named repository, which contains files like Word and PDF documents, and ideally only logged-in users are allowed to download them, but now i...
Imran Balouch

Error while trying to establish a session with the user's PIN (smartcard)
1 vote, 1 answer, 142 views
I'm using python-pkcs11 to access a smartcard I own. Right now, I was trying to create a session so that I could retrieve the public key from the card. This is the code I was testing: path = (...) os.environ['PKCS11 MODULE'] = path lib = pkcs11.lib(os.environ['PKCS11 MODULE']) password = bytes('123...
imll

Using Google Drive access token from multiple devices
1 vote, 0 answers, 61 views
Today, users' Google Drive access tokens, which are obtained when a user authenticates the app, are kept in my backend, linked to the authenticated user. So when a user authenticates once from any platform, he will have the same Google Drive access from any other platform or device he uses, sinc...
Dror Fichman

Could not connect to secured LDAP server from another PC (CentOS)
1 vote, 0 answers, 144 views
I have created an LDAP server on my PC which has both secured and non-secured connections configured. I have configured my Spring MVC application to connect to LDAP servers in both secured and non-secured ways. When I try to connect to the LDAP server from MY PC it is working fine. But when I try to conn...
VPK