websec | git repository contains W3C Web Security documents | Identity Management library

All,

Our IT dept has decided to change the suffix of our users in AD by adding a different suffix to the userPrincipalName in AD to the actual domain being used.

e.g. our domain is xxx.com but userPrincipalName is now "usera@zzz.tech" whereas before it was "usera@xxx.com".

The Spring LDAP AD authentication no longer works with this because of this reason I think: userPrincipalName is built up using name + domain when it tries to authenticate.

I need to override this somehow - but keep with Spring security version 3.1 (ideally !)

This is the security bean we use

Given the following:

We have an application which is built using Angular. And the application trigger backend REST api to display data.

The issue was,

The application use LDAP SSO authentication to validate user (It is an internal application within company so no outside users)

The steps are,

1. If user launch the site, It will redirect to WebSec login where user provides username and password for authentication (Implicit flow).

2. Once the successful authentication, we will JWT access token from WebSec which will be stored in session storage and that will be used as "Bearer" token for backend services.

3. The backend service has its WebSec certificate to validate this JWT token at their side if not it will respond with Authentication error.

For Front end - We are using Angular For back end - We are Java, Sprint boot.

Questions are,

1. Is this right way for User authentication?
2. If so, how safe is the Implicit flow. Ref: https://www.instagram.com/developer/authentication/ - Everyone is recommending Explicit flow (Server side call). Our UI app is maintained in different server and Backend services are maintained different server.

I would appreciate if anyone provide solution on this.

I am currently writing a python script that restores a Joomla website. Its actually based on the on the flaws posted here.

I suspect the PHP script that I am targeting isn't supposed to be called directly. When I run my script against it, it returns this,

And here is the function I suspect is responsible!

I got this current code of Github(@Cahlen Humphreys) and initially it wasn't working but after minor changes it runs for encryption,

but decryption gives me the following error:

...

I have a problem that my current php send duplicate emails using PHPMailer. The php file is to be run by a cronjob, but for we just run it manually.

I tried $mail->ClearAddresses(); but that didn't seem to help.

When we vardump $mail; but it looks like it is only sent once, and our "Message has been sent" message is only being printed once pr email adress in our database.

We also tried select distinct which was suggested in another thread, but it seemed to have no effect.

We also tried adding a counter to different places of the script, but it displayed the correct number of iterations.

We get email adresses from a database of users. We then want to check these email adresses in a api and return number of breaches.

The problem is that now it seems like it only checks the first email adress. When we have more than one, the first gets the correct number of breaches, the second only gets 0.