Security

I have a question about the security features of Symfony2. I want to protect a special area of my application under the /my prefix. My configuration looks as follows: security.config: providers: my: entity: { class: MyUserBundle:User, property: username } firewalls: public: pattern: /my/login.* security: false my: pattern: /my.* form-login: check_path: /my/login_check
I'm going to use this kind of approach to store my password: User enters password. Application salts password with random number. Then, with the salted password, encrypt with some encryption algorithm a randomly selected array of data (consisting of a predefined table of chars/bytes); for simplicity a table of digits can be used, so in the case of digits the random array would simply be a long enough integer/biginteger. Then I store in the DB the salt (modified value) and the encrypted array. To check
What's the easiest security mode for implementation in WCF when: Both client and service are .NET applications. Client and service are negotiating over the internet. SSL is not available. Port 80 (web) is preferred for communication. And using an X.509 certificate should be the last option (same credentials in the configuration file at both sides is preferred, if possible). What do you mean by security? It is possible to use "security" over the Internet without certificates if your security
So I need to be able to actually decrypt the password because some old websites don't use OAuth and I need to have some of my users have access to them through their API. Therefore one-way hashing does not work for me. I have been told that the best way is to store the passwords with AES, using the salted hash of the passwords as the key. How do I store all the keys and where do I store the salt? Basically, how would I exactly implement this? Thank you. If I understand you
In digest-based authentication, the nonce is generated by the server. However, in OAuth-based authentication, the nonce is generated by the client. Does anyone know the reason for the difference? Firstly, sometimes clients do provide a nonce in digest auth, but mainly it relies on the server (see RFC2617). Secondly, because if you think of the authentication procedure in terms of a handshake, then with OAuth when you already have a token you've been through half of the handshake, you've
In security, there is a famous attack called man-in-the-middle. I want to ask: in the common case, does this attack refer to the attacker being an impostor of the client or an impostor of the server? It's most commonly a server impostor, and most commonly through browsers. - Client -> attacker -> Server. The client will be compromised by whatever method and connect to the man-in-the-middle rather than the real server. Simply an impostor of the client for the server and
I am using OpenSSL to verify a server's certificate. Since OpenSSL is shipped without any built-in root CAs, we must distribute the root CA certificate ourselves with our software (we statically link OpenSSL). Ordinarily, the way to do this is to distribute a certificate file in PEM format and call SSL_CTX_load_verify_locations. However, this function takes a file/directory path and reads the root certificate file(s) directly from the filesystem. We would really like to be able to
I have an existing application that has standard user accounts, and we've just finished integrating Facebook login as an option. It works quite well, but if someone tries to log in using Facebook with an email address that already exists as a user of the system, I'd like to associate them with the existing user account. Before I go ahead and do that, though, is it safe to just do it, without requiring that the user log in first? If Facebook says a user has a certain email address, how
I would like to allow the current user to change their password (managed via Active Directory). I would like to validate and then set their password in Active Directory (currently using the SetPassword invoke method). My problem is validating the password so that it meets the complexity requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters; be at least six characters in length; contain characters from three
Possible Duplicate: What's the recommended hashing algorithm to use for stored passwords? Hello, I've recently been told that common hash functions such as SHA256 are insecure for use as a password hashing function because they are "designed to be fast" (incidentally, I asked earlier for faster hashing functions over at programmers.se). So my question: what should be used for websites or other general applications? Also, a secondary question: Is SHA256 really not a good
There is a timestamp in the OAuth authorization header. Does anyone know what it is used for? It is used (along with the nonce, which is randomly generated) to prevent replay attacks. From http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iii-security-architecture/ : To make implementations easier, OAuth adds a timestamp value to each request, which allows the Service Provider to only keep nonce values for a limited time. When a request comes in with a timestamp
In Oracle: - I want to ensure that the owner of a trigger must match the table owner. - Also the views should be restricted. The user must not be able to query system views and tables. Generally only the owner of a table will have privileges to create triggers on it. DBAs may have the privilege CREATE ANY TRIGGER, but protecting a database from a DBA is a whole different order of question. There are a number of system views (e.g. USER_TABLES, ALL_USERS) which you can't revoke access on,