JavaRanch » Java Forums » Certification » Architect Certification (SCEA/OCMJEA)
Security Issue

Marut pandey
Ranch Hand

Joined: Mar 10, 2008
Posts: 43
These questions are taken from the SCEA Study Guide.

1) You are the architect for a social networking application that
allows users to leave comments for other users. Recently, a spate
of hacker attacks have disrupted the site, reducing revenue from
site partners and advertising. Of the attack types listed next,
which two can be addressed by ensuring that all special characters/
word sequences are removed from all free text inputs on the
web site?

A. Buffer overflow
B. Cross-site scripting
C. SQL injection
D. Permission errors

As per my understanding, the correct answers would be "B" & "C", whereas the SCEA book says C and D.

2)

Security restrictions in a use-case require that the behavior of an
EJB business method vary according to the role of the user. How
should this be achieved? (Select the best answer.)
A. The deployment descriptor is written using the roles determined
by the programmer.
B. The programmer determines a role reference and uses it in
the code. This is mapped to a role in the deployment
descriptor.
C. The business method determines the role of the user using
JNDI and configuration information in the deployment
descriptor.
D. The business method determines the role of the user using
JAAS and configuration information in the deployment
descriptor.

The correct answer is 'D' as per the book, but why isn't 'B' correct? I think it can be done using getCallerPrincipal() and isCallerInRole().

What do you guys think?

JigaR Parekh
Ranch Hand

Joined: May 23, 2005
Posts: 112
For question 1, it is a printing mistake; if you read the explanation, you will find that your answer, B & C, is correct.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41506
As to #2, note that it says "the best answer" - in other words, only a single one. While it's unclear what, exactly, best means in this context, approach D is more flexible than B, and more amenable to changes.


Ping & DNS - my free Android networking tools app
Dmitri Ericsson
Ranch Hand

Joined: Feb 16, 2010
Posts: 109
In the 2nd question, there is something unclear about some references and mapping. The truth is that the roles are configured in the deployment descriptor and then used from there, without any mapping.
Groups are generally mapped to roles, but this is another story.


SCEA 5, SCJP 6 My SCEA Experience
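The mechanism option B describes, as an added example for this thread rather than code from the book or from any of the posters: the bean checks a role reference with `isCallerInRole()`, and the deployment descriptor links that reference to a security role, which the deployer then maps to groups in the container. It assumes the Java EE 5 / EJB 3 API (`javax.ejb`, `javax.annotation.security`) on the classpath and a container to deploy to; the bean name, role names and the descriptor fragment in the trailing comment are made up for illustration.

```java
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
// Role references used programmatically below; the container requires them to be declared.
@DeclareRoles({"editor", "moderator"})
public class CommentServiceBean {

    @Resource
    private SessionContext ctx;

    // Declarative gate: only callers in one of these roles may invoke the method at all.
    @RolesAllowed({"editor", "moderator"})
    public String deleteComment(long commentId) {
        Principal caller = ctx.getCallerPrincipal();

        // Programmatic check: the behaviour of the business method varies with the role,
        // which is what the use-case in question 2 asks for.
        if (ctx.isCallerInRole("moderator")) {
            return "hard-deleted comment " + commentId + " by " + caller.getName();
        }
        if (ctx.isCallerInRole("editor")) {
            return "flagged comment " + commentId + " for review by " + caller.getName();
        }
        // Unreachable when @RolesAllowed is enforced; kept as a defensive default.
        throw new EJBAccessException("caller " + caller.getName() + " has no applicable role");
    }

    /*
     * Illustrative ejb-jar.xml fragment (assumed, not from the page) that maps the role
     * reference used in code to the security role the deployer assigns principals to.
     * The code can keep saying "moderator" while the deployed role is "site-admin":
     *
     *   <session>
     *     <ejb-name>CommentServiceBean</ejb-name>
     *     <security-role-ref>
     *       <role-name>moderator</role-name>      <!-- name used in isCallerInRole() -->
     *       <role-link>site-admin</role-link>     <!-- security role in the assembly -->
     *     </security-role-ref>
     *   </session>
     *   <assembly-descriptor>
     *     <security-role><role-name>site-admin</role-name></security-role>
     *   </assembly-descriptor>
     */
}
```

This is the standard EJB way to make a method's behaviour depend on the caller's role, and it needs no JNDI lookup or direct JAAS call inside the business method: the container authenticates the caller and answers `isCallerInRole()` from the descriptor's role mapping. Option D, as Ulf notes, leaves the decision logic more open to change at deployment time, which is presumably why the book prefers it, but option B is also a legitimate technique.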
Teja Saab
Rancher

Joined: Mar 08, 2010
Posts: 152
JigaR Parekh wrote: For question 1, it is a printing mistake; if you read the explanation, you will find that your answer, B & C, is correct.


JigaR is right. Not just this. There are several typing mistakes in the Cade book (new version) in almost all chapters. Read the explanation rather than looking at the answer provided. The proof reader obviously did a lousy job.


SCEA 5, SCJD,SCWCD,SCJP,PMP,IBM-SOA Solution designer,IBM-XML