Search your topic in Java2share
Home > SCWCD > SCWCD Question Bank
eXTReMe Tracker


5. Web Application Security (SCWCD)

Objectives
1. Based on the servlet specification, compare and contrast the following security mechanisms: (a) authentication, (b) authorization, (c) data integrity, and (d) confidentiality.
2. In the deployment descriptor, declare a security constraint, a Web resource, the transport guarantee, the login configuration, and a security role.
3. Compare and contrast the authentication types (BASIC, DIGEST, FORM, and CLIENT-CERT); describe how the type works; and given a scenario, select an appropriate type.

Q1. Given:

3. class MyServlet extends HttpServlet {
4. public void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException,
IOException {
5. // servlet code here ...
26. }
27. }

If the DD contains a single security constraint associated with MyServlet and its only <http-method> tags
and <auth-constraint> tags are:
<http-method>GET</http-method>
<http-method>PUT</http-method>
<auth-constraint>Admin</auth-constraint>

Which four requests would be allowed by the container? (Choose four.)

A. A user whose role is Admin can perform a PUT.
B. A user whose role is Admin can perform a GET.
C. A user whose role is Admin can perform a POST.
D. A user whose role is Member can perform a PUT.
E. A user whose role is Member can perform a POST.
F. A user whose role is Member can perform a GET.

Answer: A, B, C, E

Q2. What is true about Java EE authentication mechanisms?
A.  If your deployment descriptor correctly declares an authentication type of CLIENT_CERT, your users must have a certificate from an official source before they can use your application.

B.   If your deployment descriptor correctly declares an authentication type of BASIC, the container automatically requests a user name and password whenever a user starts a new session.

C. If you want your web application to support the widest possible array of browsers, and you want to perform authentication, the best choice of Java EE authentication mechanisms is DIGEST.

D. To use Java EE FORM authentication, you must declare two HTML files in your deployment descriptor, and you must use a predefined action in the HTML file that handles your user's login.
Answer: D

Q3. If you want to use the Java EE platform's built-in type of authentication that uses a custom HTML page for authentication, which two statements are true? (Choose two.)

A. Your deployment descriptor will need to contain this tag:
<auth-method>CUSTOM</auth-method>.
B. The related custom HTML login page must be named loginPage.html.
C. When you use this type of authentication, SSL is turned on automatically.
D. You must have a tag in your deployment descriptor that allows you to point to both a login HTML page and an HTML page for handling any login errors.
E. In the HTML related to authentication for this application, you must use predefined variable names for the variables that store the user and password values.

Answer: D, E

Q4. Given this fragment in a servlet:
23. if(req.isUserInRole("Admin")) {
24. // do stuff
25. }
And the following fragment from the related Java EE deployment descriptor:
812. <security-role-ref>
813. <role-name>Admin</role-name>
814. <role-link>Administrator</role-link>
815. </security-role-ref>
900. <security-role>
901. <role-name>Admin</role-name>
902. <role-name>Administrator</role-name>
903. </security-role>
What is the result?

A. Line 24 can never be reached.
B. The deployment descriptor is NOT valid.
C. If line 24 executes, the user's role will be Admin.
D. If line 24 executes, the user's role will be Administrator.
E. If line 24 executes the user's role will NOT be predictable.

Answer: D