Do I have to store sentry public key in an .env file - sentry

Everything is more or less said in the title. When I start the sentry sdk I have a dsn string that I have to write in my code to initialize it. I was wondering if I can hardcode this string or if I have to store it somewhere else. I wonder if it is dangerous or not. Thanks in advance.
Example of initialization: Sentry.init("https://examplePublicKey@o0.ingest.sentry.io/0")

This is a public address. The DSN string only allows events to be sent to a Sentry project. It doesn't give access to retrieve any data from it, nor can it be used to execute any operation on your behalf. If for some reason it gets abused (bogus events start coming in), you can easily discard that DSN and create a new one.
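The check I would add before committing a DSN, as an added example that is not part of the original answer: parse it with Node's WHATWG URL parser and confirm it carries only a public key, host and project id. The layout (`{PROTOCOL}://{PUBLIC_KEY}[:{SECRET_KEY}]@{HOST}{PATH}/{PROJECT_ID}`, secret key only in legacy DSNs) and the `/api/<project>/store/` ingest path follow Sentry's SDK documentation; the function names and the self-hosted sample DSN are assumptions of the example.

```javascript
// Added example (not from the original post or the Sentry SDK): split a DSN into
// its parts and decide whether it is safe to ship in client code or a repository.
// Documented DSN layout: {PROTOCOL}://{PUBLIC_KEY}[:{SECRET_KEY}]@{HOST}{PATH}/{PROJECT_ID}
// A secret key in the DSN is legacy; current DSNs carry only the public key.

function parseDsn(dsn) {
  let url;
  try {
    url = new URL(dsn);
  } catch (e) {
    throw new Error("not a URL: " + dsn);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error("unexpected scheme " + url.protocol);
  }
  if (!url.username) throw new Error("DSN has no public key");

  // The last path segment is the numeric project id; anything before it is an
  // optional path prefix (self-hosted Sentry behind a reverse proxy, assumed here).
  const segments = url.pathname.replace(/\/+$/, "").split("/");
  const projectId = segments.pop();
  if (!/^\d+$/.test(projectId)) throw new Error("bad project id in " + dsn);
  const pathPrefix = segments.join(""); // "" for hosted sentry.io
  const prefix = segments.length > 1 ? segments.join("/") : "";

  return {
    scheme: url.protocol.replace(":", ""),
    publicKey: url.username,
    // Legacy DSNs had public:secret in the userinfo; that secret must not be shipped.
    hasLegacySecret: url.password.length > 0,
    host: url.host, // includes a non-default port, if any
    pathPrefix: prefix,
    projectId,
    // The only thing a DSN unlocks: the event ingest endpoint of this one project.
    storeEndpoint: url.protocol + "//" + url.host + prefix + "/api/" + projectId + "/store/",
  };
}

// True when the DSN contains nothing that needs to stay secret.
function safeToCommit(dsn) {
  return !parseDsn(dsn).hasLegacySecret;
}

// Sample DSNs constructed for this example (the hosted one is from the question).
const HOSTED_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0";
const LEGACY_SELF_HOSTED_DSN = "https://pub:sec@sentry.example.internal/sentry/42";
```

Even though the value is public, reading it from an environment variable or config file is still the usual choice, so that dev, staging and production report to different projects; that is a configuration concern, not a secrecy one.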

Related

Parse PHP SDK completely ignores a MasterKey change

So in order to keep things secure we decided to change the master key of our Parse Server.
Our iOS app kept working because it only requires the app id; that was expected, but surprisingly our PHP scripts kept running as well, even though they were initialized with the WRONG master key.
Does the Parse PHP SDK completely ignore the master key change?
How could we ever prevent old PHP scripts that happen to have an application key from accessing our Parse and "reading" data?
According to the docs:
ParseClient::initialize('YOUR_APP_ID', '', 'YOUR_MASTER_KEY');
ParseClient::setServerURL('http://YOUR_PARSE_SERVER:1337/parse');
1.) Yes, the parse php sdk doesn't do any validation on the master key. The validation occurs on the side of the Parse Server you're running. Essentially the master key exists to allow overriding of ACLs as mentioned in the sdk docs. It is submitted to the server when a request is sent that asks for use of the master key.
Basically, if you make any requests that need to override ACLs and you indicate to use the master key, then the master key will be sent. In other cases the master key is not sent. You can test this out by writing up some quick code that will send the master key, like $object->save(true). In this case your master key should fail if it does not match what is loaded in the server.
2.) You really can't prevent someone from figuring out your App Id. The security you're looking for is not as much on the client's end as it is on the server's. You should be making sure to setup object and class ACLs to restrict access to all objects (and classes) that you do not want to be read (or written to) by arbitrary individuals. Roles are a fairly good way of applying this to a broad set of objects, like restricting access to an Admin role. If you lock your data down it would require someone to compromise an existing account with access to that given data, rather than just use your App Id.
That being said you should always be wary of someone who might manage to grab your master key, as it would allow them to bypass all of those ACLs you setup (keep it safe!).
I hope this helps to clarify the role of the master key for you guys.
My suggestion to you would be the following.
Use the REST key for PHP as your second argument, and for iOS you can just use the client key as your second argument.
Just ensure that you add both the REST key and the client key to your constructor server-side.
My working Swift 3 example too:
let configuration = ParseClientConfiguration {
$0.applicationId = PARSE_APP_KEY
$0.clientKey = PARSE_CLIENT_KEY
$0.server = PARSE_URL
$0.isLocalDatastoreEnabled = true
}
Parse.initialize(with: configuration)
EDIT /QUOTE:
If you take a look in ParseClient::initialize the master key is stored in the static var $masterKey. This is used in ParseClient::_getRequestHeaders (when master key use is requested) to provide the X-Parse-Master-Key header with the master key as the value.
The master key is definitely used, but it depends on the request. If $useMasterKey is false for a given request in ParseClient::_request (the default value is false as well) the master key will not be added to the request headers. In such a case the master key will not be used, but this is expected behavior.
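A model of the behaviour the two answers describe, as an added example rather than Parse's own code: the client only puts the master key on the wire when a call asks for it, and the server is the only place it is ever compared, so a script holding a stale key keeps working for everything its ACLs already allow. The header names are Parse's documented REST headers; the in-memory server, the ACL documents and the result strings are constructed for this example.

```javascript
// Added example (not the Parse SDK or Parse Server source): a model of which keys
// the PHP SDK sends and of the server-side check that enforces them.

function buildHeaders(client, useMasterKey) {
  // Mirrors ParseClient::_getRequestHeaders: app id and REST key go on every request,
  // the master key only when the call asked for it (save(true), find(true), ...).
  const headers = {
    "X-Parse-Application-Id": client.appId,
    "X-Parse-REST-API-Key": client.restKey,
  };
  if (useMasterKey) headers["X-Parse-Master-Key"] = client.masterKey;
  return headers;
}

// Server side. `principals` is what the server derived from the session token:
// the caller's objectId plus "role:<name>" for each role they belong to.
function authorize(server, headers, object, principals, op) {
  if (headers["X-Parse-Application-Id"] !== server.appId) {
    return { ok: false, reason: "unknown application id" };
  }
  if ("X-Parse-Master-Key" in headers) {
    // The only place the master key is ever checked. A stale key fails here, which
    // is why a script that never sends it keeps working after a rotation.
    if (headers["X-Parse-Master-Key"] !== server.masterKey) {
      return { ok: false, reason: "master key rejected" };
    }
    return { ok: true, via: "master key (ACLs bypassed)" };
  }
  if (headers["X-Parse-REST-API-Key"] !== server.restKey) {
    return { ok: false, reason: "REST key rejected" };
  }
  // No master key: the object's ACL decides. Parse ACL shape:
  // { "*": { read: true }, "<userId>": { read: true, write: true }, "role:Admin": { ... } }
  const acl = object.ACL || {};
  const grants = (p) => Boolean(acl[p]) && acl[p][op] === true;
  const allowed = grants("*") || principals.some(grants);
  return allowed ? { ok: true, via: "ACL" } : { ok: false, reason: "ACL denies " + op };
}

// The situation from the question, with constructed keys and objects.
function runScenario() {
  const server = { appId: "app-1", restKey: "rest-1", masterKey: "master-AFTER-rotation" };
  // The "old PHP script": right app id and REST key, stale master key.
  const staleScript = { appId: "app-1", restKey: "rest-1", masterKey: "master-BEFORE-rotation" };
  const publicPost = { ACL: { "*": { read: true }, "role:Admin": { read: true, write: true } } };
  const privateNote = { ACL: { "u-42": { read: true, write: true } } };
  const anonymous = [];
  const owner = ["u-42"];
  const h = (useMaster) => buildHeaders(staleScript, useMaster);
  return {
    // What the asker observed: reads the ACL already allows never involve the master key.
    readPublicNoMaster: authorize(server, h(false), publicPost, anonymous, "read").ok,
    writePublicNoMaster: authorize(server, h(false), publicPost, anonymous, "write").ok,
    // $object->save(true): the stale master key is sent and rejected.
    writePublicStaleMaster: authorize(server, h(true), publicPost, anonymous, "write").ok,
    // Locked-down data needs a real session, not just the app id.
    readPrivateAnonymous: authorize(server, h(false), privateNote, anonymous, "read").ok,
    readPrivateAsOwner: authorize(server, h(false), privateNote, owner, "read").ok,
  };
}
```

The practical consequence is the one the second answer draws: rotating the master key only protects the ACL-bypass path, so anything that must not be readable with the app id alone needs an ACL (or class-level permission) that denies it.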

Unregister oracle change notification

This topic is related to one for Java, but I can't find a solution for C#.
http://theblasfrompas.blogspot.com/2010/01/closing-obsolete-database-change.html
I am using Oracle.ManagedDataAccess.dll with Change Notification.
All works fine, but I have one problem. When my application starts I create a database notification (with Timeout 0, as it must be) and I have a handle to the OracleDependency.
When my application is stopped I can use this handle to remove the registration in this way:
oracleDependency.RemoveRegistration(connection);
The problem appears when my application crashes in some way and I am unable to call the RemoveRegistration method. I lose the handle to the OracleDependency, so after restarting the application I can't remove the obsolete registrations. As always, on start the application will create a new registration, but now TWO will exist, one new and one obsolete. In this way my application will get each notification twice.
The question is: how do I remove obsolete notifications created by my application?
OK, my further investigation is below:
I found in the Oracle docs that a static method OracleDependency.GetOracleDependency(string guid) exists.
So after I create the Oracle dependency I save its Id (it seems to be a GUID).
When my app is stopped I can use this method to get my dependency. Unfortunately it didn't work after an application restart :/ If I try to get the OracleDependency by this Id it returns null, but it still exists in USER_CHANGE_NOTIFICATION_REGS.
Java implementation to remove all change notification registrations from the database
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import oracle.jdbc.OracleConnection;

// conn is an open java.sql.Connection to the schema that owns the registrations.
// Every row in USER_CHANGE_NOTIFICATION_REGS is a live registration of the
// connected user; unregister each one by its regid and callback address.
try (Statement stmt = conn.createStatement();
     ResultSet rs = stmt.executeQuery("select regid, callback from USER_CHANGE_NOTIFICATION_REGS")) {
    while (rs.next()) {
        long regid = rs.getLong(1);
        String callback = rs.getString(2);
        ((OracleConnection) conn).unregisterDatabaseChangeNotification(regid, callback);
    }
}
You need to have ojdbc6/7.jar on the classpath to execute this code.
Original post: https://community.oracle.com/message/9315024#9315024
Although this is a rather old question, I will describe my experience with Oracle CQN just in case it helps someone. The feature works better with Java, where it is easy not only to register but also to unregister the notification.
In .NET, if the application crashes there is no way in my experience to unregister the notification with code.
Revoking change notification does not work immediately. Until a database restart the registration survived the revoke.
It seems that Oracle removes the registration when there is a problem in communication with the notification receiver. I was able to unregister notifications using this behaviour, by turning on the firewall, for example!
Another solution I use to unregister the notifications for a particular Oracle user is a tool I wrote in Java named NotificationRegistrationsCleaner.jar. It can be downloaded from the following link. We call it passing 4 parameters, like this:
java -jar NotificationRegistrationsCleaner.jar [oracle ip] [oracle service] [oracle user] [oracle password]
The tool displays the removed registrations. Far from perfect, but it does the job.
The Java code is very similar to TMtech's code described above.
NotificationRegistrationsCleaner.jar
You can just revoke change notification from the current user and grant it again. I know this isn't the best solution, but it works.

How do I run/call/kickoff an external program (custom code) whenever certain attributes or objects are added or modified in OpenDJ’s database?

Here is my real-world need. (Feel free to change my thought direction entirely.)
Whenever a new email address gets created or changed in the OpenDJ database I want to initiate some Java code that does some email verification/validation (send the "click here" link with a token to prove the user owns the email they just signed up with).
I know, I could use OpenIDM/AM to accomplish this but to take this a step further I need to validate other information and other credentials (custom) which users supply that are not supported by OpenIDM/AM suites.
Initiating/calling custom code upon ADD or MODIFY of specific objects and attributes is what I want and would like to know how to accomplish this. Preferably without having to scrape logs.
Please Help.
Chad
OpenDJ has a plugin interface where you can plug Java calls in on Add or Modify. A sample of this kind of plugin is the attribute uniqueness plugin, which verifies that some attributes have a unique value in the directory.
The plugin interface javadoc can be found here: http://docs.forgerock.org/en/opendj/2.6.0/javadoc/org/opends/server/api/plugin/DirectoryServerPlugin.html

Sessions in Meteor

After some research it seems that Meteor Sessions are reset after refreshing the page or opening the website in a new tab, i.e. they are not usual server-side sessions but something like global JavaScript variables on the client side. Some people advise using AmplifyJS, but I'm not sure that it will work like a usual session in other frameworks/languages, and also it is a third-party library, so is there any normal way to use sessions in Meteor, i.e. keep user-specific data on the server?
At the moment I'm handling that by using custom Collections, but it is not an ideal way of doing it because expired values need to be removed from the Collection manually, which makes additional trouble.
Yes, this is correct. Despite the name, Session is nothing like a cookie, but just a reactive form of a variable stored in a hashmap.
To keep data persistent across tabs you need to use a Collection (as this is the only way to reactively share data across tabs). Cookies can't work because they can't be made reactive, as data needs to be sent to the server to notify the client when there is a change. There really wouldn't be another way at the moment, as the publish/subscribe methods can only send down data from collections.
You can use the setup you have now with your custom collection. You can use a server-side cron job to remove expired data (either with Meteor.setInterval or Tom Coleman's cron).
There is a package developed just for that: https://atmospherejs.com/u2622/persistent-session
After installation you can use the following functions to set sessions which are persistent:
//store a persistent session variable which is stored across templates
Session.setPersistent(key, value);
//same as above, but automatically deletes session data when user logs out
Session.setAuth(key, value);
I've tried the package and it works like a charm.
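What the first answer's "custom collection plus a cleanup job" looks like when written out, as an added example that is neither the persistent-session package nor code from the answers: a server-side store keyed by the logged-in user, with per-entry expiry, a sweep for the periodic job, and a logout hook. It is plain Node so it runs anywhere; in Meteor the Map would be a Mongo.Collection, set/get/clearUser would sit inside Meteor.methods using this.userId as the caller identity, and sweep would run from Meteor.setInterval. The function names, key format and 30-minute default are assumptions of the example.

```javascript
// Added example (not the persistent-session package or Meteor code): a server-side,
// per-user session store with expiry. Map-backed here; in Meteor, back it with a
// Mongo.Collection and call sweep() from Meteor.setInterval.

function createSessionStore(clock = () => Date.now()) {
  const rows = new Map(); // "<userId>\0<key>" -> { value, expiresAt }
  const rowKey = (userId, key) => userId + "\u0000" + key;

  function set(userId, key, value, ttlMs = 30 * 60 * 1000) {
    // The user id comes from the server's own login state (this.userId in a
    // Meteor method), never from the client payload, so one user cannot write
    // into another user's session.
    if (!userId) throw new Error("not logged in");
    if (typeof key !== "string" || key.includes("\u0000")) throw new Error("invalid key");
    if (!(ttlMs > 0)) throw new Error("ttl must be positive");
    rows.set(rowKey(userId, key), { value, expiresAt: clock() + ttlMs });
  }

  function get(userId, key) {
    if (!userId) return undefined;
    const id = rowKey(userId, key);
    const row = rows.get(id);
    if (!row) return undefined;
    if (row.expiresAt <= clock()) {
      // Expired but not yet swept: treat as absent and drop it now.
      rows.delete(id);
      return undefined;
    }
    return row.value;
  }

  // On logout, like the package's setAuth entries: drop everything for this user.
  function clearUser(userId) {
    let removed = 0;
    for (const id of rows.keys()) {
      if (id.startsWith(userId + "\u0000")) {
        rows.delete(id);
        removed++;
      }
    }
    return removed;
  }

  // The periodic cleanup job from the answer; returns how many rows it removed.
  function sweep() {
    const now = clock();
    let removed = 0;
    for (const [id, row] of rows) {
      if (row.expiresAt <= now) {
        rows.delete(id);
        removed++;
      }
    }
    return removed;
  }

  return { set, get, clearUser, sweep, size: () => rows.size };
}
```

With MongoDB behind it, the sweep can be replaced by a TTL index on the expiresAt field, which removes expired rows without any cron at all; get() should still check expiresAt itself, since TTL deletion runs on a background interval.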

AutoUnlock a Windows User Session

Recently, I have been working on a CredentialProvider in order to automatically unlock a Windows Vista (or more recent version) user session (the trigger can be any event, so let's say the end of a timer).
For that I read some useful articles on the subject, the change between GINA and this new architecture: http://msdn.microsoft.com/en-us/magazine/cc163489.aspx.
I think, like everyone in the process of creating a custom CredentialProvider, I didn't start from scratch but from the sample code provided by Microsoft. And then I tried to change the behaviour (things like logging) in the different functions.
So in the end I can use the custom CredentialProvider and enter the SetUsageScenario method, but still I cannot reach the SetSerialization or GetSerialization method. From what I've understood in the technical documentation on CredentialProviders (also provided by Microsoft) these two methods should be called automatically. Is there something I missed?
Also, my original idea was to get an authentication package using Kerberos in order to perform an implicit user authentication. I got this idea by seeking information on other SO or MSDN threads like
Is this approach the right one?
Thank you very much for your time answering my questions. Any clarifications are welcome, even if they don't directly resolve my problems :-)
First of all, you need to set the autologon flag to true in your implementation of the ICredentialProviderCredential::SetSelected(BOOL *pbAutoLogon) and ICredentialProvider::GetCredentialCount methods.
Next, you need to call ICredentialProviderEvents::CredentialsChanged when your timer fires.
LogonUI will recreate your credentials, and because autologon is set to true it will call your GetSerialization() method.
The SetSerialization and GetSerialization functions of your provider are called by LogonUI. After the user enters a username/password and presses ENTER, LogonUI calls the GetSerialization function and provides a pointer, as one of the four parameters, that will point to a CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure created and filled by you; this structure is then sent from LogonUI to Winlogon to perform authentication. I don't know how to make LogonUI call GetSerialization from your credential provider code, and as far as I know you can't call GetSerialization on your own: where would you pass your filled CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure if no one requested it, when only LogonUI can pass it to Winlogon?
There is a document called "Credential Provider Technical Reference" where you can read some details about credential providers. In the Shell samples folder there is a strange folder called "Autologon"; maybe it will help you! Good luck!
