ACE url tampering and other security capabilities

Similar Messages

• Url-patterns and container security

  I've got container managed security working so that if I use:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>secure area</web-resource-name>
  <url-pattern>/</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>9</role-name>
  </auth-constraint>
  </security-constraint>
  in my web.xml file, I get asked for a password and I get in to the welcome page after I enter the correct password.
  However if I use:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>secure area</web-resource-name>
  <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>9</role-name>
  </auth-constraint>
  </security-constraint>
  to try and protect just the stuff under /secure directory, I never get asked for a password.
  Can anyone help?

  For those of you who stuble accross this thread, it should have been "/faces/secure/*".

• Disabling KeyBoard and other security features  using JNLP

  I am developing a secure assessment application. Its a web application. I want to make sure that the examinee does not cheat during the test. I want to make sure that the examinee does not move away from the assessment screen. I am planning to develop a java web start application which will launch a browser as pop up full screen and then disable the key board so that the examinee cannot move away from the screen.
  Will this be possible? How do I go about it? I am very new to Java Web start. Please guide
  -de paul

  I am developing a secure assessment application. Its a web application. I want to make sure that the examinee does not cheat during the test. I want to make sure that the examinee does not move away from the assessment screen. I am planning to develop a java web start application which will launch a browser as pop up full screen and then disable the key board so that the examinee cannot move away from the screen.
  Will this be possible? How do I go about it? I am very new to Java Web start. Please guide
  -de paul

• Digital Sign into payload and other security doubts

  Hello experts,
  I have a RFC_to_SOAP scenario, and I have to digitally sign the information of the outbound payload (comming from the RFC sender) AND add it to the inbound payload (send it to the target web service, which imported wsdl file is forcing me to include that sign).
  In order to do so, can I use the receiver agreement option for digitally sign the document? I guess I can't because it would be added to the payload. So how to do it? Should it be done in message mapping as java mapping? Any indications about how to do that?
  Besides I have a doubt about the certification settings in the receiver soap channel and the sign settings in receiver determination. What's exactly the difference? What does each of them with the message?
  Thanks in advance.

  Hi Ivan, thank you for your response.
  I'm trying to develope a module for the soap adapter as you suggested, however I have a question about what you said.
  If you only want to sign the content of the XML and not sing the whole payload you can use a Java Mapping
  What exactly do you mean with signing the whole payload or just the content?
  If I have this xml
  <?xml version="1.0" encoding="UTF-8" ?>
    <ListaDecV3Ent xmlns="https://www3.aeat.es/ADUA/internet/es/aeat/dit/adu/adht/banent/ListaDecP3Ent.xsd">
    <declarante>
    <NifDeclarante>27456992N</NifDeclarante>
    <NombreDeclarante>José Gutierrez</NombreDeclarante>
    </declarante>
    </ListaDecV3Ent>
  with signing only the content you mean that it would only make the digest and encription of the text 27456992N and José Gutierrez, and signing the whole payload would digest and encritp the xml tags too? If so I need the whole payload to be signed.
  Couldn't be that done in java mapping?
  By the way I've seen documentation indicating that in order to program an adapter module, a J2EE Java Bean must be developed and deployed to the server. However I'm working in PI 7.1 and in the module tab of the channel I see the option to use a Java Library instead (the options are local enterprise bean, remote enterprise bean and java library). Is it possible? Any info on how it works?
  About my doubts in the previous post, if I use the receiver agreement sign option, where would exactly be the sign be placed in the message, and what would it exactly sign?
  Any forum mate who can answer is welcome
  PD: Ivan I'll open a thread in the spanish forum too if you want to talk there

• Malware and Other Various Nasties

  Hello Everyone
  I am looking for some real solid feedback when it comes to the various onslaught on nasty infectious computer viruses , malware , spyware and things such as viruses and key loggers.
  Would anyone know of any real solid top notch programs / applications that work very well with a Mac?
  Thanks To All !
  - Best Regards!

  You want the whole nine yards?!
  Do not be tricked by 'scareware' that tempts computer users to download fake anti-virus software that may itself be malware.
  Fake anti-virus software that infect PCs with malicious code are a growing threat, according to a study by Google. Its analysis of 240m web pages over 13 months showed that fake anti-virus programs accounted for 15% of all malicious software.
  Scammers trick people into downloading programs by convincing them that their PC is infected with a virus.
  Once installed, the software may steal data or force people to make a payment to register the fake product.
  Beware of PDF files from unknown sources. A security firm announced that by its counting, malicious Reader documents made up 80% of all exploits at the end of 2009.:
  http://www.computerworld.com/s/article/9157438/RoguePDFs_account_for_80_of_all_exploits_saysresearcher
  No viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions.
  It is possible, however, to pass on a Windows virus to another Windows user, for example through an email attachment. To prevent this all you need is the free anti-virus utility ClamXav, which you can download for Tiger and Leopard from (on no account install Norton Anti-Virus on a Mac running OS X):
  http://www.clamxav.com/
  The new version for Snow Leopard is available here:
  http://www.clamxav.com/index.php?page=v2beta
  (Note: ClamAV adds a new user group to your Mac. That makes it a little more difficult to remove than some apps. You’ll find an uninstaller link in ClamXav’s FAQ page online.)
  However, the appearance of Trojans and other malware that can possibly infect a Mac seems to be growing, but is a completely different issue to viruses.
  If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.
  You can read more about how, for example, the OSX/DNSChanger Trojan works here:
  http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml
  SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:
  http://macscan.securemac.com/
  The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.
  (Note that a 30 day trial version of MacScan can be downloaded free of charge from:
  http://macscan.securemac.com/buy/
  and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)
  A white paper has recently been published on the subject of Trojans by SubRosaSoft, available here:
  http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174
  Also, beware of MacSweeper:
  MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company on January 17, 2008
  http://en.wikipedia.org/wiki/MacSweeper
  On June 23, 2008 this news reached Mac users:
  http://www.theregister.co.uk/2008/06/23/mac_trojan/
  More on Trojans on the Mac here:
  http://www.technewsworld.com/story/63574.html?welcome=1214487119
  This was published on July 25, 2008:
  Attack code that exploits flaws in the net's addressing system are starting to circulate online, say security experts.
  The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.
  In light of the news net firms are being urged to apply a fix for the loop-hole before attacks by hi-tech criminals become widespread.
  Net security groups say there is anecdotal evidence that small scale attacks are already happening.
  Further details here: http://news.bbc.co.uk/2/hi/technology/7525206.stm
  A further development was the Koobface malware that can be picked up from Facebook (already a notorious site for malware, like many other 'social networking' sites like Twitter etc), as reported here on December 9, 2008:
  http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm
  You can keep up to date, particularly about malware present in some downloadable pirated software, at the Securemac site:
  http://www.securemac.com/
  There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac, and alternatives will probably appear in the future. In the meantime the advice is: be careful where you go on the web and what you download!
  If you think you may have acquired a Trojan, and you know its name, you can also locate it via the Terminal:
  http://theappleblog.com/2009/04/24/mac-botnet-how-to-ensure-you-are-not-part-of- the-problem/
  As to the recent 'Conficker furore' affecting Intel-powered computers, MacWorld recently had this to say:
  http://www.macworld.co.uk/news/index.cfm?email&NewsID=25613
  Although any content that you download has the possibility of containing malicious software, practising a bit of care will generally keep you free from the consequences of anything like the DNSChanger trojan.
  1. Avoid going to suspect and untrusted Web sites, especially p'orn'ography sites.
  2. Check out what you are downloading. Mac OS X asks you for you administrator password to install applications for a reason! Only download media and applications from well-known and trusted Web sites. If you think you may have downloaded suspicious files, read the installer packages and make sure they are legit. If you cannot determine if the program you downloaded is infected, do a quick Internet search and see if any other users reported issues after installing a particular program. A recent example is of malware distributed through innocent looking free screensavers: http://www.zdnet.com/blog/security/malware-watch-free-mac-os-x-screensavers-bund led-with-spyware/6560?tag=nl.e589
  3. Use an antivirus program like ClamXav. If you are in the habit of downloading a lot of media and other files, it may be well worth your while to run those files through an AV application.
  4. Use Mac OS X's built-in Firewalls and other security features.
  5. Stop using LimeWire. LimeWire (and other peer-to-peer sharing applications and download torrents) are hotbeds of potential software issues waiting to happen to your Mac. Everything from changing permissions to downloading trojans and other malicious software can be acquired from using these applications. Similar risks apply to using Facebook, Twitter, MySpace, YouTube and similar sites which are prone to malicious hacking: http://news.bbc.co.uk/1/hi/technology/8420233.stm
  6. Resist the temptation to download pirated software. After the release of iWork '09 earlier this year, a Trojan was discovered circulating in pirated copies of Apple's productivity suite of applications (as well as pirated copies of Adobe's Photoshop CS4). Security professionals now believe that the botnet (from iServices) has become active. Although the potential damage range is projected to be minimal, an estimated 20,000 copies of the Trojan have been downloaded. SecureMac offer a simple and free tool for the removal of the iBotNet Trojan available here:
  http://macscan.securemac.com/files/iServicesTrojanRemovalTool.dmg
  Also, there is the potential for having your entire email contact list stolen for use for spamming:
  http://www.nytimes.com/2009/06/20/technology/internet/20shortcuts.html?_r=1
  NOTE: Snow Leopard, OS 10.6.x, offers additional security to that of previous versions of OS X, but not to the extent that you should ignore the foregoing:
  http://www.apple.com/macosx/security/
  Apple's 10.6.4 operating system upgrade silently updated the malware protection built into Mac OS X to protect against a backdoor Trojan horse that can allow hackers to gain remote control over your treasured iMac or MacBook.
  http://www.sophos.com/blogs/gc/g/2010/06/18/apple-secretly-updates
  Finally, do not install Norton Anti-Virus on a Mac as it can seriously damage your operating system. Norton Anti-Virus is not compatible with Apple OS X.

• Ajax Login both secure and non secure url

  Does anyone know if there is a way to use ajax to log a user in for both the non secure and secure url. Normally if you're submitting a log in form over the secure url with the non secure url in the referrer parameter it will log you in on both domains but not via ajax. Anyone have a good work around?

  Here’s the code I’ve used…
  {% if Settings.Site_Live -%}
  {% assign redirectHTTP = "" -%}
  {% assign redirectDOMAIN = Settings.Site_URL -%}
  {% assign redirectEXTEND = "" -%}
  {% else -%}
  {% assign redirectHTTP = "http%3a%2f%2f" -%}
  {% assign redirectDOMAIN = Settings.System_Name -%}
  {% assign redirectEXTEND = ".fueldesign.co.nz" -%}
  {% endif -%}
  {% capture redirectURL -%}{{redirectHTTP}}{{redirectDOMAIN}}{{redirectEXTEND}}{% endcapture -%}
  <form class="form--box escapeWorldSecureSystems" method="post" action="https://{{Settings.System_Name}}.worldsecuresystems.com/ZoneProcess.aspx?ZoneID=51&amp;Referrer={{ redirectURL}}&amp;OID=&amp;OTYPE=" data-parsley-validate>
  Note: I have a Settings collection that has a lot of data from a Settings web app that controls a lot of settings for the website, such as “Site_Live” checkbox etc. this allows my sign-ins to be generic and editable site to site.
  And here’s the development URL where I’m working on this. (don’t just my site during development stage lol)
  http://astrolift.fueldesign.co.nz/ <http://astrolift.fueldesign.co.nz/>
  username: dev
  password: dev123
  Hopt this gives you some inspiration.
  Let us know if you get the ajax working.
  Cheers guys

• I think my other account is hacked and the hacker changed the password and the security questions and i can't retrieve it , so does anyone know how to have a live (online) conversation with a senior or an apple employee responsible for such problems ?!

  Please help me because it's not the first time the account has been hacked, every time i found out that it was hacked i changed the password, but this time it is not easy because he changed the alternative email-adress and the security questions.

  Call the Apple support phone number for your country:
  http://support.apple.com/kb/HE57
  and the 1st tier agent should be able to assist you or transfer your call to the Account Security team.
  Regards.

• HT203163 I am not able to access to iphone updates/store; as secure link to itunes store failed. I tried to turn firewall off, reinstall itunes and other troubleshoot options but none of them works.....

  I am not able to access to iphone updates/store; it displays the message under diagnostics 'secure link to itunes store failed'.
  I tried to turn firewall off, reinstall itunes and other troubleshoot options but none of them works......
  Please help.

  Update:  I tried the "Toshiba Recovery Wizard" after everything else either fizzled out or hung up. After going all the way thru the recovery process (up to 100%), I finally got an error message.....it didn't work. And now, when I fire up the computer, I don't even get to that menu with the recovery options....the only thing I can boot into is the screens with the various ways to run your OS (in "safe mode", "safe mode with networking", etc).
  I'm not a techie, but I'm guessing at this point, the part of my hard drive that got damaged in the fall was, at the very least, the partition with the recovery data. Couple that with the fact that this cheapo Toshiba laptop didn't even come with recovery disk (or ANY kind of disk, even basic installation software!), I'm screwed: I don't see any way to get a workable computer now without some kind of disk to boot from. So NOW my concern is more about spending the $$ for a new OS and THEN finding out the hard drive has other problems too...is broken in some other way to boot.
  How to check this? As I said, I did run "chkdsk" back when I could get into the recovery menu and run the fix-it programs. It didn't note any problems. Thinking of taking this opportunity to upgrade to Windows 7 from Vista (which I never liked), but I have to know that the computer is otherwise ok....how to be sure?

• How do I get about:config and other about: addresses to drop down from URL bar?

  How do I get about:config and other about: addresses to drop down from URL bar?
  It's a pain having to retype them in full... not sure why there is no easier interface to them.

  hello, you can bookmark the sites for faster access.
  [[How to use bookmarks to save and organize your favorite websites]]

• E4200 Wireless Guest and WEP connects, other security settings do not

  I have E4200 with fixed ip 192.168.1.2, DHCP off connected through LAN ports to FIOS ActionTec as 192.168.1.1.  When connecting through wireless network off the E4200, I can obtain and connect fine under Guest network and WEP security, but for any other security setting, WPA, WPA2, Mixed mode, etc.  I get the message "Aquiring network address" forever, and I never get a connection.  How do I troubleshoot?

  Is your FIOS ActionTec wired or wireless modem/router…. From where you are receiving the wireless signals to connect… Which operating System that you are running on the computer? It happens only to a specific computer or it happens to all the computers connected in the network?

• Unable to convert pdf to any other format. Tried cloud as well as acrobat reader. Reader error message "unable to contact service" and Cloud message "conversion error". I tried multiple pdf documents and checked security settings on all of them. Help Plea

  nable to convert pdf to any other format. Tried cloud as well as acrobat reader. Reader error message "unable to contact service" and Cloud message "conversion error". I tried multiple pdf documents and checked security settings on all of them. Help Please!

  Hi skydivingsnowman,
  I'm sorry you're having such trouble using the ExportPDF service. What browser are you using?
  Please try clearing your browser cache, or using a different browser (here's a list of supported browsers:   http://www.adobe.com/acom/systemreqs/.
  Please let me know if that works.
  Best,
  Sara

• EMET 5.1 and F-Secure 5.1 do not get along; do other AVs?

  This regards a freshly built (by me) W-7 HP 64-bit PC. After I installed Office 2010 and all updates, I installed F-Secure IS. Then I tried to install EMET 5.1. However, every time I try to start IE11, I receive an "EAF mitigation" error which
  prevents IE from displaying. If I uninstall either EMET or F-Secure, IE will start normally. Obviously there is an interaction between EMET and F-Secure. F-Secure advises that I add an exclusion for EMET to its manual scanning, which makes absolutely no sense
  to me because I am not scanning. However, I did that anyway, but that made no difference and "EAF mitigation" still rears its ugly head.
  I'd like to know of anti-virus products which are proven to work with EMET, given that cyber-miscreants appear to be moving away from malware detectable by traditional anti-virus solutions, i.e. I will prioritize EMET over a specific anti-virus.

  On
  f-secure forums, alike issues have been reported and linked to f-secure deepguard functionality. You culd disable that, or configure emet to not do EAF for iexplore.exe.
  Issues with combining EMET and some antivirus applications can arise if the antivirus implements alike mitigations as EMET.
  In regard of compatibility, most AV is compatible if configuring EMET and AV correctly. Some
  vendors
  offer guidance for configuration to avoid issues. Also be sure to read through
  this related thread.
  MCP/MCSA/MCTS/MCITP

• TS1398 I only want my secured network wifi but keeps searching for others.  Tried turning on an off wifi and on and off secured networks and ignore other networks, but keep coming back. Any suggestions.

  I only want my secured network wifi but keeps searching for others.  Tried turning on an off wifi and on and off secured networks and ignore other networks, but keep coming back. Any suggestions.

  That's not the way wifi works.
  You may see the other networks but you are not connected to them in any way.

• HT1222 My Facebook was hacked and as I only access it through my iPhone 4 or my iPad is there any other security measures I can take to prevent this happening. I have the latest software updates.

  My Facebook was hacked and as I only access it through my iPhone 4 or my iPad is there any other security measures I can take to prevent this happening. I have the latest software updates.

  Facebook security is handled by Facebook, not the phone or Apple.  Contact them.

• Can this be safely removed and how without causing other security issues???

  Having repeated problems with FF hanging and/or closing unexpectedly. Problem listed is always "plugin-container.exe has encountered a problem and has to close". Running version 3.6.15. Can this be safely removed and how without causing other security issues???

  Disable the plugin-container for some or all 4 plugins. <br />
  http://kb.mozillazine.org/Plugin-container_and_out-of-process_plugins#Disabling_crash_protection