
Security Issue

 
Marut pandey
Ranch Hand
Posts: 43
These questions are taken from the SCEA Study Guide.

1) You are the architect for a social networking application that allows users to leave comments for other users. Recently, a spate of hacker attacks has disrupted the site, reducing revenue from site partners and advertising. Of the attack types listed next, which two can be addressed by ensuring that all special characters/word sequences are removed from all free text inputs on the web site?

A. Buffer overflow
B. Cross-site scripting
C. SQL injection
D. Permission errors

As per my understanding, the correct answers would be "B" & "C", whereas the SCEA book says C and D.

2) Security restrictions in a use-case require that the behavior of an EJB business method vary according to the role of the user. How should this be achieved? (Select the best answer.)

A. The deployment descriptor is written using the roles determined by the programmer.
B. The programmer determines a role reference and uses it in the code. This is mapped to a role in the deployment descriptor.
C. The business method determines the role of the user using JNDI and configuration information in the deployment descriptor.
D. The business method determines the role of the user using JAAS and configuration information in the deployment descriptor.

The correct answer is 'D' as per the book, but why isn't 'B' correct? I think it can be done using getCallerPrincipal() and isCallerInRole().

What do you guys think?

 
JigaR Parekh
Ranch Hand
Posts: 112
For question 1, it is a printing mistake; if you read the explanation, you will find that your answer B & C is correct.
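To show why B and C are the two attacks that input handling addresses, here is an added example (not code from the thread or from the study guide) contrasting the "strip special characters" approach the question describes with the two defences a practitioner would actually ship for a comment feature: HTML output encoding against cross-site scripting and a parameterized query against SQL injection. The class name, the `comments` table and its `author`/`body` columns, and the sample comment are all constructed for the illustration; the JDBC part assumes a `Connection` supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper for a social-networking comment feature.
public class CommentInput {

    // The approach the exam question describes: delete characters and word
    // sequences that commonly appear in attacks. It is a blacklist, so it
    // both mangles legitimate text and has to anticipate every attack form.
    static String stripSpecialChars(String input) {
        return input.replaceAll("[<>'\";]", "")
                    .replaceAll("(?i)(script|select|union|drop)", "");
    }

    // Output encoding for an HTML body context: every character that could
    // open or close markup becomes an entity, so the comment is always data.
    // This is what closes the cross-site scripting (B) hole without losing text.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Parameterized query: the author value is bound by the driver and never
    // parsed as SQL, whatever characters it contains. This is the structural
    // fix for SQL injection (C); no character stripping is needed for it.
    static List<String> findCommentsBy(Connection conn, String author) throws SQLException {
        String sql = "SELECT body FROM comments WHERE author = ?";
        List<String> result = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, author);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    result.add(rs.getString(1));
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample input: an ordinary comment that happens to
        // contain markup-like characters and an apostrophe.
        String comment = "Nice post <b>5 stars</b> & cheaper than O'Reilly's";
        System.out.println("stripped: " + stripSpecialChars(comment)); // legitimate text lost
        System.out.println("encoded:  " + htmlEscape(comment));        // renders exactly as typed
    }
}
```

Neither defence helps with a buffer overflow (A), which is a memory-safety defect in native code, nor with permission errors (D), which are authorization configuration problems; that is why the explanation in the book points at B and C.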
 
Ulf Dittmer
Rancher
Posts: 42967
As to #2, note that it says "the best answer" - in other words, only a single one. While it's unclear what, exactly, best means in this context, approach D is more flexible than B, and more amenable to changes.
 
Dmitri Ericsson
Ranch Hand
Posts: 109
In the 2nd question, there is something unclear about some references and mapping. The truth is that the roles are configured in the deployment descriptor and then used from there, without any mapping.
Groups are generally mapped to roles, but this is another story.
 
Teja Saab
Rancher
Posts: 152
JigaR Parekh wrote: For question 1, it is a printing mistake; if you read the explanation, you will find that your answer B & C is correct.

JigaR is right. Not just this. There are several typing mistakes in the Cade book (new version) in almost all chapters. Read the explanation rather than looking at the answer provided. The proofreader obviously did a lousy job.
 