I had seen the answers of the questions related to mine .But still I am not sure how to store the user information taken from Qt dialogue box on file and then encrypt it ,so that no one else can read it .The other thing is that how to match the password and user name which is pre-specified in the file I had encrypted earlier..
if i understand you correctly, you just want to make an application that asks for authentication at application start-up, correct?
If that is the case, it is easy. The basic steps are as follows.
Keep the username and password in a file (since Unix does not have a registry). The file does not need to be encrypted at all (plain text will do). You can use xml for this. The data (text) in the xml file however that you write (the data... not the tags) should be written such that the strings that you write into the file are encrypted using a hash. Just look up hashing in C++ (SHA, MD5, etc). The decription/encrytion key can be hard coded in you application.
Then for the application logic. The first thing you show the user is the login window. If they fail loop it or exit application. Basically only when correct authentication info is provided you kill the login windows and kick-start the main application window.
Perhaps you should take a look at the QCA examples.
They have some nice examples of how-to use crypto in similar situations.
QCA is not standard in Qt but can be added on all platforms.
Related
I'm developing an application that uses SQLite for its data files. I'm just linking in the SQLite amalgamation source, using it directly.
If the user chooses to create a new file, I check to see if the file already exists, ask the user if they want to overwrite the file, and delete it if they say yes. Then I call sqlite3_open_v2() with flags set to SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE to create and open the new data file.
Which is fine, except, what happens if a malicious user recreates the file I'm trying to open in between the file being deleted and SQLite opening it? As far as I'm aware, SQLite will just open the existing file.
My program doesn't involve passwords or any kind of security function whatsoever. It's a pretty simple app, all things considered. However, I've read plenty of stories where someone uses a simple app with an obscure bug in it to bypass the security of some system.
So, bottom line, is there a way to make sqlite3_open() fail if the file already exists?
You might be able to patch in support for the O_EXCL option flag of open(2). If you are using SQLite on a platform that supports that.
I need to store my user id and password in a python variable file in robot framework. This credential will be utilized to login to website to test it. No other person should be able to view my credential (even in git also). Hence, I have to lock this variable file. Is there any way to lock this python variable file?
Due to their nature Source Code Repository systems are public in nature. So, either you lock the repository or it's open to everyone. This makes storing any type of sensitive data in such a system a bad idea.
For these types of information it is typically best to have a separate file and refer to that file when executing the run. In Robot Framework this can be done using Variable files. These can be referred to using the Variables myvariables.<ext>. There is support for Python and YAML files.
Securing these files can be as easy as placing them in a location that only few can access to setting up tools to store them encrypted and only make them available when having the right key. This is a separate topic on it's own with it's own challenges.
We have a Qt app that when it starts tries to connect to a servlet to get config parameters that it needs to keep running.
The URL may change frequently because we have to test the application in several environments. Right now (as a temporary solution) the URL is a constant in source code, but it is a little bit ugly.
Where is the best place to mainting this URL, so that we do not need to change the source code every time I want to change the environment target?
In a database table maybe (my application uses a SQLite DB), in a settings file, or in some other way?
Thank you for you replies.
You have a number of options:
Hard coded (like you have already)
Run-time user input
Command line arguments
QSettings
Read from a bespoke file as text.
I would think option 3 would be the most simple to implement without being intrusive, but it does depend on what kind of application you have.
I would keep the list of url in a document, e.g. a XML, stored in a central, well known place, e.g. a known web server, and hardcode the url of the known place in the app.
The list could then be edited externally without recompiling your app;
The app would at startup download and parse the list, pointing to the right servlet based upon an environment specified as a command line parameter.
Is there a file upload control for ASP.Net which performs a client-side checksum calculation (CRC, MD5, etc) on the file contents and transmits the checksum to allow for server-side checksum validation?
I have looked through answers on several file upload questions, but did not find this feature mentioned anywhere.
From javascript you won't be able to detect the size of a file in the client computer. Javascript runs inside a sandbox and cannot access local system files, which will be a ecurity violation.
You can use silverlight and can get the file size and calculate the sum. You can check this
Silverlight File Uplaod
You'll need some client code to open your file, compute that check sum and to post it to your webserver with your file content; you can't do that with plain javascript, as you're not supposed to have access to your user filesystem.
But, just like #Dan Herbert commented out into your question, to use a client application like Flash, Java applet or Silverlight to execute that. I just wanted to make a more complete answer and to explain why you can't do that.
(y/N)
Edit: Read-only access is fine.
I haven't tried this yet, but I think I've found a workaround.
Adobe AIR cannot write to Windows Registry, but you can, however, launch a native process in AIR 2. Here's a blog post that shows how to do that: http://www.adobe.com/devnet/air/flex/quickstart/articles/interacting_with_native_process.html
Now, on Windows, you are able to modify the Windows registry with .reg files. .reg files are just plain text files that's read by regedit.exe. So in theory, you can write a .reg file to the file system, then launch regedit.exe with the .reg file passed in and...TADA! You just modified Windows registry from your AIR app!
To read value, you can use regedit's export function to write to a reg file and read from the reg file. Details to regedit's options: http://www.robvanderwoude.com/regedit.php
Here are some additional resources:
.reg file syntax: http://support.microsoft.com/kb/310516
write to file with AIR: http://www.adobe.com/devnet/air/flex/articles/exploring_file_capabilities.html
If your willing to force the user to also install another application, you could write a small C# or C++ windows service that simply opens a Socket that provides some kind of protocol for accessing the registry. Then in AIR you can use the Socket class to send messages to/from the C# service that would return results to the AIR app.
When the app loads you can try to connect to the Socket, and if the connection is rejected you could prompt the user to download/install the service.
As for direct access to the registry I am pretty sure Adobe wouldn't allow that from AIR.
If you can I'd be horrified.
Why would you be horrified?
Air is a desktop platform, and having access to the OS's APIs (such as registry access) makes plenty of sense.
That being said, it isn't supported now (and as Adobe seem to be very Mac-centric, I doubt it will ever be added).
I have settled on grabbing the users name from the name of the user directory
Using File.userDirectory.name will work in most cases, but it seems like a very fragile implementation, it relies on the OS maintaining the convention of having the username as their directory. I can think of a few possible things that might break it (playing with TweakUI etc).
Here is a sample of modifying Windows Registry in Adobe Air using NativeProcess and Python. So you can Add, Delete or Read keys by only a single line of code !!
Download: Adobe Air Registry Modifier on Github
Are you trying to determine if the user is an administrator or not?
If so you could grad the username by with "File.userDirectory.name".
And I think to figure out if the user is an administrator you could probably try to access a file that requires administrator privileges (maybe try writing a file to Windows/System32). If the file access fails you could probably assume that the user is under a Limited account.
A bit late, but I got a wish from a client to read some values from the registry when the project was almost finished. If there were more of these types of wishes, I would have never choosen AIR. But I found a nice extension from FluorineFx, and by extending it, I can now read string and dword values from the registry. Windows only: http://aperture.fluorinefx.com/
You could theoretically modify the actual registry files, but I would highly discourage that idea.
Be very careful if you decide to create a socket server that listens for registry commands. You are potentially creating a security hole and users' personal firewalls may get in the way in terms of usability.