1) You are the architect for a social networking application that
allows users to leave comments for other users. Recently, a spate
of hacker attacks have disrupted the site, reducing revenue from
site partners and advertising. Of the attack types listed next,
which two can be addressed by ensuring that all special characters/
word sequences are removed from all free text inputs on the
A. Buffer overflow
B. Cross-site scripting
C. SQL injection
D. Permission errors
As per my understanding, the correct answers would be "B" & "C", whereas the SCEA book says C and D.
Security restrictions in a use-case require that the behavior of an
EJB business method vary according to the role of the user. How
should this be achieved? (Select the best answer.)
A. The deployment descriptor is written using the roles determined
by the programmer.
B. The programmer determines a role reference and uses it in
the code. This is mapped to a role in the deployment
C. The business method determines the role of the user using
JNDI and configuration information in the deployment
D. The business method determines the role of the user using
JAAS and configuration information in the deployment
The correct answer is 'D' as per the book, but why isn't 'B' correct? I think it can be done using getCallerPrincipal() and isCallerInRole().
As to #2, note that it says "the best answer" - in other words, only a single one. While it's unclear what, exactly, best means in this context, approach D is more flexible than B, and more amenable to changes.
In the 2nd question there is something unclear about references and mapping. The truth is that the roles are configured in the deployment descriptor and then used from there, without any mapping.
Groups are generally mapped to roles, but this is another story.
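To make the role-reference discussion concrete, here is an added example (not from the Cade book or from anyone in this thread) of what option B in the second question looks like in EJB 3 code: the business method branches on ctx.isCallerInRole() and ctx.getCallerPrincipal(), and the role name used in the code is a role reference that the deployment descriptor links to the deployed role. The bean, role and entity names are assumptions chosen for illustration.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Added example, not the book's or the thread's code.
 *
 * The string "moderator" below is a role *reference* chosen by the programmer.
 * If the deployer names the real role differently (say "site-admin"), the
 * reference is linked in ejb-jar.xml rather than by changing the code:
 *
 *   <session>
 *     <ejb-name>CommentServiceBean</ejb-name>
 *     <security-role-ref>
 *       <role-name>moderator</role-name>     <!-- name used in isCallerInRole() -->
 *       <role-link>site-admin</role-link>    <!-- role declared for the application -->
 *     </security-role-ref>
 *   </session>
 *
 * Mapping of users/groups to "site-admin" is then done in the server's own
 * (vendor-specific) configuration, which is the "groups to roles" story above.
 */
@Stateless
@DeclareRoles({"moderator", "member"})
@RolesAllowed({"moderator", "member"})   // declarative check: anyone else is rejected before the method runs
public class CommentServiceBean {

    @Resource
    private SessionContext ctx;

    /**
     * Behaviour varies by role: a moderator may delete any comment,
     * an ordinary member may delete only a comment they wrote themselves.
     */
    public void deleteComment(Comment comment) {
        String caller = ctx.getCallerPrincipal().getName();
        boolean isModerator = ctx.isCallerInRole("moderator"); // programmatic check on the role reference

        if (!isModerator && !caller.equals(comment.getAuthor())) {
            // Throwing EJBAccessException lets the container roll back and report the denial
            throw new EJBAccessException("only the author or a moderator may delete this comment");
        }
        comment.markDeleted(caller);
    }

    /** Minimal comment entity for the example (assumed, not from the page). */
    public static class Comment {
        private final String author;
        private String deletedBy;

        public Comment(String author) { this.author = author; }
        public String getAuthor() { return author; }
        public String getDeletedBy() { return deletedBy; }
        void markDeleted(String by) { this.deletedBy = by; }
    }
}
```

The point for the exam question: @RolesAllowed alone cannot express "same method, different behaviour per role"; that needs the programmatic isCallerInRole() call inside the method, and the role-reference indirection is what keeps the code independent of the names the deployer chooses.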
JigaR Parekh wrote: For question 1, it is a printing mistake; if you read the explanation, you will find that your answers B & C are correct.
JigaR is right. Not just this. There are several typing mistakes in the Cade book (new version) in almost all chapters. Read the explanation rather than looking at the answer provided. The proofreader obviously did a lousy job.
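Since the thread settles on B and C for question 1, here is an added example (not from the book or from anyone in this thread) of the two defences that "removing special characters from free text" is a blunt stand-in for: encoding the comment at the point it is rendered into HTML (cross-site scripting, B) and binding it as a parameter rather than concatenating it into a query (SQL injection, C). The table name, column names and the sample comment are constructed for the example; the JDBC Connection is assumed to be supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example, not the book's or the thread's code.
 * Stripping '<', '\'' and friends from input would also mangle legitimate
 * comments ("I <3 Java", "don't"); encoding on output and parameter binding
 * on storage neutralise both attack classes without altering what the user wrote.
 */
public class CommentDefences {

    /** Encode text for safe insertion into an HTML text node or a quoted attribute value. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Validate length only; the text itself is kept verbatim because encoding happens at output. */
    static String validateComment(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 2000) {
            throw new IllegalArgumentException("comment missing or too long");
        }
        return raw;
    }

    /**
     * Store the comment with a bound parameter. Because the driver sends the value
     * separately from the SQL text, the comment is never parsed as part of the statement.
     * (Table and column names are constructed for this example.)
     */
    static int storeComment(Connection conn, int authorId, int targetUserId, String comment)
            throws SQLException {
        String sql = "INSERT INTO comments (author_id, target_user_id, body) VALUES (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, authorId);
            ps.setInt(2, targetUserId);
            ps.setString(3, validateComment(comment));
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup, an ampersand and a quote character.
        String comment = "I <3 Java & \"EJB\" -- isn't it great?";
        System.out.println("stored verbatim : " + validateComment(comment));
        System.out.println("rendered as     : " + htmlEncode(comment));
    }
}
```

Note that htmlEncode() is only correct for HTML text and attribute contexts; a comment dropped into a JavaScript string or a URL parameter needs the encoding for that context instead, which is why the exam's "strip special characters" wording is a simplification rather than a design recommendation.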