Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
public ActionResult ActionName(Model model, string returnurl)
{
// ... controller logic (the action carries no anti-forgery validation attribute)
}
Example 2: The following Razor code creates a form in the resulting HTML without the built-in defense against cross-site request forgery:
@using (Html.BeginForm(new { ReturnUrl = ViewBag.ReturnUrl })) {
// ... form elements
}
In the following Razor code the parameter antiforgery is set to either false or null:
@using (Html.BeginForm("actionName", "controllerName", routeValues, FormMethod.Post, antiforgery: false, htmlAtts)) {
// ... form elements
}
Implementing the NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate callback method will make the system ignore the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) and NSURLConnectionDelegate.connection(_:didReceive:) methods. The NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate method allows the delegate to make an informed decision about connection authentication at once. If the delegate implements this method, it has no need to implement NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) or NSURLConnectionDelegate.connection(_:didReceive:). In fact, these methods are not invoked, so any security checks on them will be ignored.
NSURLConnection object, an NSURLSession object or an NSURLDownload object to evaluate the trust chain. The following code creates an NSURLCredential using a non-evaluated server trust (Objective-C):
-(void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * credential)) completionHandler {
...
// The server trust is wrapped in a credential without ever being evaluated
[challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
...
}
The same pattern in Swift:
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
...
let trust = challenge.protectionSpace.serverTrust
// The server trust is wrapped in a credential without ever being evaluated
let cred = URLCredential(trust: trust!)
...
}
NSURLConnection object, NSURLSession object or an NSURLDownload object to evaluate the server trust. In order to evaluate the server trust, the SecTrustEvaluate(_:_:) method should be called with the trust obtained from the serverTrust method of the server's NSURLProtectionSpace object. The SecTrustEvaluate(_:_:) method returns two different values: a SecTrustResultType value, written through its result parameter, and an OSStatus return value that represents the result code. If either value shows that the trust could not be established, the challenge should be rejected, for example through the challenge sender's cancel(_:) method.
The following code evaluates the server trust but checks neither value before accepting the proposed credential (Objective-C):
SecTrustRef trust = [[challenge protectionSpace] serverTrust];
SecTrustResultType result = kSecTrustResultInvalid;
OSStatus status = SecTrustEvaluate(trust, &result);
// Neither status nor result is inspected before the credential is used
completionHandler(NSURLSessionAuthChallengeUseCredential, [challenge proposedCredential]);
The same pattern in Swift:
let trust = challenge.protectionSpace.serverTrust
var result = SecTrustResultType.invalid
let status = SecTrustEvaluate(trust!, &result)
// Neither status nor result is inspected before the credential is used
completionHandler(Foundation.URLSession.AuthChallengeDisposition.useCredential, challenge.proposedCredential)
The NSURLConnection delegate handles authentication challenges without first verifying that the application knows how to handle the authentication challenge for a particular protection space. An NSURLProtectionSpace object represents a server or an area on a server, commonly referred to as a realm, that requires authentication. The NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) method will be called right before the call to the NSURLConnectionDelegate.connection(_:didReceive:) method that should perform the authentication. This allows the NSURLConnectionDelegate to inspect the protection space before attempting to authenticate against it. By returning true, the delegate indicates that it can handle the form of authentication, which it does in the subsequent call to connection(_:didReceive:). If your delegate does not implement this method and the protection space uses client certificate authentication or server trust authentication, the system will attempt to use the user's keychain to authenticate, which may not be the desired behavior.
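The three iOS findings above (a credential built from a non-evaluated trust, an evaluation whose status and result are never checked, and a challenge handled without first inspecting the protection space) share one corrected form. The following URLSession delegate is an added example written for this page, not code from the original text or from any vendor; the class name PinnedSessionDelegate, the allowedHosts set and the helper names canHandle and evaluate are assumptions. Because URLSession delivers a single didReceive challenge callback, much like NSURLConnection's willSendRequestFor, the protection-space check has to live inside that one method rather than in a separate canAuthenticateAgainstProtectionSpace callback.

```swift
import Foundation
import Security

// Added example (not from the original page). A URLSession delegate that
// (1) checks the protection space before handling a challenge,
// (2) evaluates the server trust with SecTrustEvaluate, checking BOTH the
//     OSStatus return code and the SecTrustResultType out-parameter, and
// (3) only then wraps the trust in a URLCredential; anything else is cancelled.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {

    // Hosts this delegate is willing to perform server-trust handling for
    // (assumed values supplied by the caller).
    private let allowedHosts: Set<String>

    init(allowedHosts: Set<String>) {
        self.allowedHosts = allowedHosts
    }

    // Counterpart of connection(_:canAuthenticateAgainstProtectionSpace:):
    // refuse to handle anything other than server-trust challenges for hosts
    // the application expects to talk to.
    func canHandle(_ space: URLProtectionSpace) -> Bool {
        return space.authenticationMethod == NSURLAuthenticationMethodServerTrust
            && allowedHosts.contains(space.host)
    }

    // Returns true only when the system trust evaluation succeeded.
    // A non-zero OSStatus means the evaluation itself could not be carried out;
    // a result other than .unspecified (trusted by system policy) or .proceed
    // (explicitly trusted by the user) means the chain is not trusted.
    func evaluate(_ trust: SecTrust) -> Bool {
        var result = SecTrustResultType.invalid
        let status = SecTrustEvaluate(trust, &result)
        guard status == errSecSuccess else { return false }
        return result == .unspecified || result == .proceed
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace

        // Challenges this delegate does not understand (other authentication
        // methods, unexpected hosts) are handed back to the system's default
        // handling; the code never falls through to "use credential".
        guard canHandle(space) else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // No trust object, or an evaluation that failed on either value:
        // cancel the challenge so the connection is torn down instead of
        // being silently accepted.
        guard let trust = space.serverTrust, evaluate(trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Only an evaluated trust is wrapped in a credential.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Constructed usage: the session is created with the delegate, so every
// challenge for the listed hosts passes through the checks above.
let delegate = PinnedSessionDelegate(allowedHosts: ["api.example.com"])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

SecTrustEvaluate(_:_:) is the call the page describes and is used here for that reason; on iOS 12 and macOS 10.14 or later Apple deprecates it in favour of SecTrustEvaluateWithError(_:_:), which folds both values into a single Bool plus an optional error and can replace the body of evaluate without changing the rest of the delegate.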