Saturday, 23 January 2016

DEVELOPING SECURE WEB APPLICATIONS

Q.1 Which of the following correctly defines data integrity? (Select one)
a. It guarantees that information is accessible only to certain users.
b. It guarantees that the information is kept in encrypted form on the server.
c. It guarantees that unintended parties cannot read the information during transmission between the client and the server.
d. It guarantees that the information is not altered during transmission between the client and the server.
Answer: d Explanation
Answers a and c describe authorization and confidentiality. Encrypting data kept on the server may be part of some security plans, but is not covered by the servlet specification.
Q.2 What is the term for determining whether a user has access to a particular resource? (Select one)
a. Authorization
b. Authentication
c. Confidentiality
d. Secrecy
Answer: a Explanation
Authentication is the process of identifying a user. Confidentiality ensures that third parties cannot eavesdrop on client-server communication; encrypting the communication between the client and server is how that eavesdropping is prevented. Secrecy is not the term used for any of these concepts.
Q.3 Which one of the following must be done before authorization takes place? (Select one)
a. Data validation
b. User authentication
c. Data encryption
d. Data compression
Answer: b Explanation
First, a user is authenticated. Once the identity of the user is determined using any of the authentication mechanisms, authorization is determined on a per resource basis.
Q.4 Which of the following actions would you take to prevent your web site from being attacked? (Select three)
a. Block network traffic at all the ports except the HTTP port.
b. Audit the usage pattern of your server.
c. Audit the Servlet/JSP code.
d. Use HTTPS instead of HTTP.
e. Design and develop your web application using a software engineering methodology.
f. Use design patterns.
Answers: a, c, and d Explanation
Answer a is correct because this will prevent network congestion and will close all possible entry points to the server except HTTP. Answer b seems correct, but it is wrong because auditing the usage pattern will help you in finding out the culprits only after the site has been attacked—it will not prevent an attack. Answer c is correct because auditing the Servlet/JSP code will ensure that no malicious code exists inside your server that can open a backdoor for hackers. Answer d is correct because HTTPS will prevent hackers from sniffing the communication between the clients and the server, thereby preventing the leakage of sensitive information such as usernames and passwords. Answers e and f are good for developing an industrial-strength system but are not meant for making a system attack-proof.
Q.5. Identify the authentication mechanisms that are built into the HTTP specification. (Select two)
a. Basic
b. Client-Cert
c. FORM
d. Digest
e. Client-Digest
f. HTTPS
Answers: a and d Explanation
The HTTP specification only defines Basic and Digest authentication mechanisms.
Q.6 Which of the following deployment descriptor elements is used for specifying the authentication mechanism for a web application? (Select one)
a. security-constraint
b. auth-constraint
c. login-config
d. web-resource-collection
Answer: c Explanation
The authentication mechanism is specified using the login-config element; for example:
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>sales</realm-name>
    <form-login-config>
        <form-login-page>/formlogin.html</form-login-page>
        <form-error-page>/formerror.html</form-error-page>
    </form-login-config>
</login-config>
The security-constraint, auth-constraint, and web-resource-collection elements are used for specifying the authorization details of the resources.
Q.7 Which of the following elements are used for defining a security constraint? Choose only those elements that come directly under the security constraint element. (Select three)
a. login-config
b. role-name
c. role
d. transport-guarantee
e. user-data-constraint
f. auth-constraint
g. authorization-constraint
h. web-resource-collection
Answers: e, f, and h Explanation
Remember that, logically, you need three things to define a security constraint: a collection of resources (i.e., web-resource-collection), a list of roles who are authorized to access the collection of resources (i.e., auth-constraint), and finally, the way the application data has to be transmitted between the clients and the server (i.e., user-data-constraint).
The following is the definition of the security-constraint element:
    <!ELEMENT security-constraint (display-name?, web-resource-collection+, auth-constraint?, user-data-constraint?)>
Q.8 Which of the following web.xml snippets correctly identifies all HTML files under the sales directory? (Select two)
a. <web-resource-collection>
         <web-resource-name>reports</web-resource-name>
         <url-pattern>/sales/*.html</url-pattern>
     </web-resource-collection>
b. <resource-collection>
         <web-resource-name>reports</web-resource-name>
         <url-pattern>/sales/*.html</url-pattern>
     </resource-collection>
c. <resource-collection>
         <resource-name>reports</resource-name>
         <url-pattern>/sales/*.html</url-pattern>
     </resource-collection>
d. <web-resource-collection>
         <web-resource-name>reports</web-resource-name>
         <url-pattern>/sales/*.html</url-pattern>
         <http-method>GET</http-method>
     </web-resource-collection>
Answers: a and d Explanation
A collection of web resources is defined using the web-resource-collection element, which is defined as follows:
<!ELEMENT web-resource-collection (web-resource-name, description?, url-pattern*, http-method*)>
Observe that http-method is optional. The absence of the http-method element is equivalent to specifying all HTTP methods.
Q.9 You want your PerformanceReportServlet to be accessible only to managers. This servlet generates a performance report in the doPost() method based on a FORM submitted by a user. Which of the following correctly defines a security constraint for this purpose? (Select one)
a. <security-constraint>
         <web-resource-collection>
             <web-resource-name>performance report</web-resource-name>
             <url-pattern>/servlet/PerformanceReportServlet</url-pattern>
             <http-method>GET</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>manager</role-name>
         </auth-constraint>
         <user-data-constraint>
             <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
b. <security-constraint>
         <web-resource-collection>
             <web-resource-name>performance report</web-resource-name>
             <url-pattern>/servlet/PerformanceReportServlet</url-pattern>
             <http-method>*</http-method>
         </web-resource-collection>
         <accessibility>
              <role-name>manager</role-name>
         </accessibility>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>
c. <security-constraint>
         <web-resource-collection>
             <web-resource-name>performance report</web-resource-name>
             <url-pattern>/servlet/PerformanceReportServlet</url-pattern>
             <http-method>POST</http-method>
         </web-resource-collection>
         <accessibility>
             <role-name>manager</role-name>
         </accessibility>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>
d. <security-constraint>
         <web-resource-collection>
             <web-resource-name>performance report</web-resource-name>
             <url-pattern>/servlet/PerformanceReportServlet</url-pattern>
             <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>manager</role-name>
         </auth-constraint>
     </security-constraint>
Answer: d Explanation
Since the question states that the servlet generates the report in the doPost() method, either the <http-method> must specify POST or there should be no <http-method> (which means the restriction applies to all the methods). Thus, answer a is incorrect. Further, the question states that the report should be accessible only to managers. This needs to be specified using the <auth-constraint> element. There is no such element as <accessibility>. Therefore, answers b and c are incorrect. Answer d is correct because both of the above requirements are satisfied. The question does not say anything about the <user-data-constraint> element, which is optional anyway.
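A small audit script that applies the rules from Q.7, Q.8 and Q.9 to a deployment descriptor: it flags constraints that list only some HTTP methods (the defect of option a in Q.9), constraints with no auth-constraint, and constraints whose transport-guarantee is not CONFIDENTIAL. It is an added example, not part of the original post; the web.xml it inspects is constructed inline, and the namespace URI and resource names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not a real deployment). The first constraint repeats
# Q.9 option a: only GET is listed, so POST is unconstrained, and transport is NONE.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>performance report</web-resource-name>
      <url-pattern>/servlet/PerformanceReportServlet</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sales reports</web-resource-name>
      <url-pattern>/sales/*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def audit_constraints(web_xml):
    """Return (web-resource-name, finding) pairs for every weak constraint."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop the xmlns so tags match by local name
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for sc in root.iter("security-constraint"):
        issues = []
        # Q.7: with no auth-constraint the container requires no role at all
        # (an empty <auth-constraint/> is the opposite: it denies everyone).
        if sc.find("auth-constraint") is None:
            issues.append("no auth-constraint: unauthenticated access allowed")
        # INTEGRAL only protects against tampering (Q.1); anything short of
        # CONFIDENTIAL sends credentials and data in clear text.
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if guarantee != "CONFIDENTIAL":
            issues.append("transport-guarantee %s: traffic not encrypted" % guarantee)
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name") or "?"
            methods = [(m.text or "").strip() for m in wrc.findall("http-method")]
            # Q.8: naming methods constrains only those; omit the element to cover all.
            method_issue = ["only %s constrained; other methods are open" % "/".join(methods)] if methods else []
            findings.extend((name, issue) for issue in method_issue + issues)
    return findings
```

Run `audit_constraints(SAMPLE_WEB_XML)` to see the two findings for the report servlet; the sales constraint, which matches option d of Q.9 plus a CONFIDENTIAL transport guarantee, produces none.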
Q.10 Which of the following statements regarding authentication mechanisms are correct?
(Select two)
a. The HTTP Basic mechanism transmits the username/password “in the open.”
b. The HTTP Basic mechanism uses HTML FORMs to collect usernames/passwords.
c. The transmission method in the Basic and FORM mechanisms is the same.
d. The method of capturing the usernames/passwords in the Basic and FORM mechanisms is the same.
Answers: a and c Explanation
The HTTP Basic mechanism uses a browser-specific way (usually a dialog box) to capture the username and password, while the FORM mechanism uses an HTML FORM to do the same. However, both mechanisms transmit the captured values in clear text without any encryption. Therefore, answers a and c are correct.
Q.11 Which of the following statements are correct for an unauthenticated user? (Select two)
a. HttpServletRequest.getUserPrincipal() returns null.
b. HttpServletRequest.getUserPrincipal() throws SecurityException.
c. HttpServletRequest.isUserInRole() returns false.
d. HttpServletRequest.getRemoteUser() throws a SecurityException.
Answers: a and c Explanation
None of the three methods—getUserPrincipal(), isUserInRole(), and getRemoteUser()—throws an exception. We suggest you read the description of these methods in the JavaDocs.