Abstract: Managing file distribution in an online file sharing system implemented by at least one server includes inviting a first entity to access a shared file hosted by the online file sharing system, and allowing the first entity to reshare the shared the through the online file sharing system with at least a second entity only to an extent permitted by a resharing policy stored by the online file sharing system.

Abstract: A query for a tag within the collaborative tagging system is received. The query can specify at least one attribute of the tag and a particular selected artifact, wherein the attribute includes a security level of a user who created the tag. Tag records that match the query can be determined as query results. Access control privileges can be applied to the query results. Applying the access control privileges can include filtering the tag records by removing tag records that have an assigned security level exceeding a security level of a user that initiated the query. At least a portion of each tag record in the query results that has a security level that does not exceed the security level of the user that initiated the query can be written to a display.

Abstract: A query for a tag within the collaborative tagging system is received. The query can specify at least one attribute of the tag and a particular selected artifact, wherein the attribute includes a security level of a user who created the tag. Tag records that match the query can be determined as query results. Access control privileges can be applied to the query results. Applying the access control privileges can include filtering the tag records by removing tag records that have an assigned security level exceeding a security level of a user that initiated the query. At least a portion of each tag record in the query results that has a security level that does not exceed the security level of the user that initiated the query can be written to a display.

Abstract: A computer-implemented method of employing organizational context within a collaborative tagging system can include receiving at least one tag for an artifact from a user, determining at least one attribute of the user, and storing a tag record including the tag, the attribute of the user, and an association of the tag with the artifact.

Abstract: A technique to provide runtime output sanitization filtering of web application content that contains multiple contexts in which dynamic output is included. To facilitate this operation, dynamically-generated content is prepared for sanitization in advance, preferably by being “marked” by the web application itself (or by middleware). Preferably, given dynamically-generated content is marked by enclosing it between dynamic content indicators. After the document generation is completed but before it is output, the application-generated content is processed by a content sanitization filter. The filter uses the dynamic content identifiers to identify and locate the content that needs output escaping. The filter detects the appropriate context within which the dynamically-generated content has been placed and applies escaping. The output content is prepared for escaping in advance even if assembled from multiple sources that do not operate in the same runtime environment.

Abstract: A technique to provide runtime output sanitization filtering of web application content that contains multiple contexts in which dynamic output is included. To facilitate this operation, dynamically-generated content is prepared for sanitization in advance, preferably by being “marked” by the web application itself (or by middleware). Preferably, given dynamically-generated content is marked by enclosing it between dynamic content indicators. After the document generation is completed but before it is output, the application-generated content is processed by a content sanitization filter. The filter uses the dynamic content identifiers to identify and locate the content that needs output escaping. The filter detects the appropriate context within which the dynamically-generated content has been placed and applies escaping. The output content is prepared for escaping in advance even if assembled from multiple sources that do not operate in the same runtime environment.

Abstract: Embodiments of the present invention provide a method, system and computer program product for supporting weak password authentication in a multi-user application environment. In an embodiment of the invention, a method for supporting weak password authentication in a multi-user application environment can be provided. The method can include acquiring log in data for a log in attempt by an end user amongst end users in a multi-user application. The method also can include messaging the log in data to others of the end users for subjective analysis by the others of the end users in detecting an unauthorized log in attempt.

Abstract: A computer-implemented method includes: receiving a declaration of a variable as a secret type for source code; designating a data record including the variable as secret; creating metadata for the data record, wherein the metadata for the data record labels the data record as secret; allocating a first memory buffer for the data record; updating metadata for the first memory buffer to label the first memory buffer as secret; and if, while executing the source code, the data record is copied from the first memory buffer to a second memory buffer whose metadata labels the second memory buffer as other than secret, updating metadata for the second memory buffer to label the second memory buffer as secret.

Abstract: Source code verification, including receiving a declaration of a variable as a secret type, determining if any source code is configured to use the variable as a type other than secret, and if it is determined that there is source code that will use the variable as a type other than secret, creating an exception in the source code verification process.

Abstract: A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data.

Abstract: Managing file distribution in an online file sharing system implemented by at least one server includes inviting a first entity to access a shared file hosted by the online file sharing system, and allowing the first entity to reshare the shared the through the online file sharing system with at least a second entity only to an extent permitted by a resharing policy stored by the online file sharing system.

Abstract: Embodiments of the present invention provide a method, system and computer program product for supporting weak password authentication in a multi-user application environment. In an embodiment of the invention, a method for supporting weak password authentication in a multi-user application environment can be provided. The method can include acquiring log in data for a log in attempt by an end user amongst end users in a multi-user application. The method also can include messaging the log in data to others of the end users for subjective analysis by the others of the end users in detecting an unauthorized log in attempt.

Abstract: Managing file distribution in an online file sharing system implemented by at least one server includes inviting a first entity to access a shared file hosted by the online file sharing system, and allowing the first entity to reshare the shared file through the online file sharing system with at least a second entity only to an extent permitted by a resharing policy stored by the online file sharing system.

Abstract: These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.

Abstract: An embodiment of the invention includes initially registering information with a data system, wherein the registered information pertains to a user of a mobile device and includes credential information, and further includes a message address associated with the user. An enrollment request, together with the specified credential information, is sent to a management server. Responsive thereto, the server sends a message of specified type to the message address associated with the user, wherein such message includes a pin code. The pin code is then sent from the device to the server, and responsive to receiving the pin code, the server is operated to deliver a security token, for use in authenticating the mobile device to selectively access the particular data processing system.

Abstract: Embodiments of the present invention provide a method, system and computer program product for supporting weak password authentication in a multi-user application environment. In an embodiment of the invention, a method for supporting weak password authentication in a multi-user application environment can be provided. The method can include acquiring log in data for a log in attempt by an end user amongst end users in a multi-user application. The method also can include messaging the log in data to others of the end users for subjective analysis by the others of the end users in detecting an unauthorized log in attempt.

Abstract: Source code verification, including receiving a declaration of a variable as a secret type, determining if any source code is configured to use the variable as a type other than secret, and if it is determined that there is source code that will use the variable as a type other than secret, creating an exception in the source code verification process.

Abstract: These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.

Abstract: A method for decomposing a web application into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain.

Abstract: These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.