code-access-security

C# webservice and Android app: how to prevent illegal accesses

这一生的挚爱 submitted on 2019-12-08 13:01:54
Question: I'm using (with satisfaction) some web services from an Android application. I use https (I bought an SSL certificate). I want to prevent unwanted accesses from others that know the urls of my web services. I use a "secret key" that the app must provide to the web service method, but it's stored in a constant variable inside the code and I know this is not the best solution to ensure security. Android web service call (using ksoap): try { SoapObject request = new SoapObject(configuration

Derived types must either match the security accessibility of the base type or be less accessible in very basic case

谁都会走 submitted on 2019-12-08 12:38:58
Question: Build the sample code, and run any test. (I tried abs.) Each time I do it, I get TypeLoadException: An exception of type 'System.TypeLoadException' occurred in Jurassic.dll but was not handled in user code Additional information: Inheritance security rules violated by type: 'Jurassic.Compiler.WhiteSpaceToken'. Derived types must either match the security accessibility of the base type or be less accessible. The problem is WhiteSpaceToken is a simple class, as so is Token, its base. So it

fine-grained permissions; PrincipalPermission - roles separate from permissions;

佐手、 submitted on 2019-12-08 02:41:25
Question: I've been using PrincipalPermission for a while in wcf services. [PrincipalPermission(SecurityAction.Demand, Role = SecurityRoles.CanManageUsers)] Our roles are prefixed with: Can* and is how we achieve fine grained actions control with the built in asp.net membership system. This makes it hard to know as a business unit what fine grained roles we can give to a user. Here is my new approach and wanted to see if anyone can provide feedback, code review before I implement my suggestion. 1)

Secure collaborative software development environment in the cloud

若如初见. submitted on 2019-12-07 19:53:23
Question: I am looking for a secure collaborative software development environment, such as Chaperon, that works in the cloud. It should prevent code from being copied-pasted out of the environment, and it should take all measures to prevent, detect and deter IP theft. It should, of course, include all usual IDE tools for subversion tracking and debugging. Any suggestions? Answer 1: The costs of doing so are mostly far too high, and there are serious questions about the capabilities of systems such as

Are there any coding guidelines for the Android platform that focus on security?

我与影子孤独终老i submitted on 2019-12-07 11:08:55
Question: Are there any good coding guidelines for the Android platform that focus on security? Thanks Answer 1: You'll probably want to take a look at the security design of the framework itself. Also, as a more general source of security guidelines for mobile applications, you may want to look at the book "Mobile Application Security". Answer 2: See also Android API/development security pitfalls, which discusses some pitfalls to watch out for (although the answers are more focused on design errors rather than

How do I implement Exception.GetObjectData in .NET 4 in a library assembly that has the AllowPartiallyTrustedCallersAttribute?

霸气de小男生 submitted on 2019-12-07 03:34:13
Question: I have an assembly marked with the AllowPartiallyTrustedCallersAttribute which contains a custom exception class. I want to make it serializable by overriding GetObjectData. With .NET 4, GetObjectData has become a SecurityCritical method. This means that overrides also need to be SecurityCritical. Since my assembly is marked with the AllowPartiallyTrustedCallersAttribute, all code within is automatically SecurityTransparent unless specified otherwise. Therefore, I apply the

Secure collaborative software development environment in the cloud

孤人 submitted on 2019-12-06 07:56:43
I am looking for a secure collaborative software development environment, such as Chaperon, that works in the cloud. It should prevent code from being copied-pasted out of the environment, and it should take all measures to prevent, detect and deter IP theft. It should, of course, include all usual IDE tools for subversion tracking and debugging. Any suggestions? The costs of doing so are mostly far too high, and there are serious questions about the capabilities of systems such as Chaperon to withstand real attacks. Security by obscurity has a very bad name, and Windows-based systems have too

fine-grained permissions; PrincipalPermission - roles separate from permissions;

我只是一个虾纸丫 submitted on 2019-12-06 05:48:26
I've been using PrincipalPermission for a while in wcf services. [PrincipalPermission(SecurityAction.Demand, Role = SecurityRoles.CanManageUsers)] Our roles are prefixed with: Can* and is how we achieve fine grained actions control with the built in asp.net membership system. This makes it hard to know as a business unit what fine grained roles we can give to a user. Here is my new approach and wanted to see if anyone can provide feedback, code review before I implement my suggestion. 1) aspnet_roles - business unit role 2) Extend the asp.net membership system by creating a permission table

Javascript API - Restrict Domain by providing whitelisting option to user

南楼画角 submitted on 2019-12-06 04:51:50
My Application provides an API Key and Javascript code to put on their site (similar to Google Analytics code). All the calls in the API use JSONP to communicate with our server. Since the API key is sensitive, we have our users coming back and asking to provide a whitelisting option for the domain. This is similar to Linkedin, Facebook, Twitter and Google. Should I be using referrer option to restrict the domain? But a rogue can always manually add this using normal http api and gain access. Is it a good idea to encrypt (or hash?) and send the window.location within the API and compare that

Is it possible to see the code for shiny glimmer apps

感情迁移 submitted on 2019-12-05 21:49:04
Hi, this is more a question of code security, rather than a question about a directly coding related problem. But I was wondering is it possible to see the code in ui.R and the server.R and that generates the app web browser page? e.g. Although I'm sure I could just ask Garrett to see the code...is it possible, without authorisation, to somehow see the code related to this URL http://glimmer.rstudio.com/gsee/TFX/ which is running a shiny app? As this might be a problem if putting up sensitive data/code etc. Is there a way to add a secure username and password to shiny apps? so that only