Java and Java EE security is a key but complex topic that spans multiple knowledge areas. Hence, most candidates find it difficult to prepare for, and to answer confidently, interview questions on security.
You can systematically prepare for interview questions on security by separating them into four focus areas: security features provided by the Java programming language, security features provided by the JVM, security features provided by Java SE, and security features provided by Java EE.
You can find the security questions on Java and JVM at the Core Java Security Interview Questions and Answers page.
The questions below focus on the security features provided by Java SE and Java EE.
Declarative Security - Declarative security specifies an application's security requirements by using either deployment descriptors or annotations.
Programmatic Security - Programmatic security implements an application's security within the application code.
The following are the key characteristics of application security.
Authentication - Authentication is the means by which a user or client proves its identity to a server (and vice versa) before being granted access to a specific resource.
Authorization - Authorization is the means by which a server determines if a user has permissions to access a specific resource or data.
Data Integrity - Data integrity means that the data that is exchanged by a client and server is not modified by an unauthorized third party.
Confidentiality or Data privacy - This ensures that information is sent only to those users or clients that are authorized to access the data.
Non-repudiation - This means that you can prove that a transaction or action has occurred, so a user who has performed a certain action cannot deny doing so.
Java Authentication and Authorization Service (JAAS) - Java SE provides the JAAS API, which enables services to authenticate users and enforce access controls. JAAS forms the underlying base technology for the Java EE security mechanisms.
Java Generic Security Services (JGSS) - Java SE provides the JGSS API which is used to securely exchange messages between applications by using tokens.
Java Cryptography Extension (JCE) - Java SE provides the JCE API which provides a framework and implementation for encryption, key generation and key agreement.
Java Secure Sockets Extension (JSSE) - Java SE provides the JSSE API which provides a framework and an implementation for a Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. JSSE includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications.
Simple Authentication and Security Layer (SASL) - SASL is an Internet standard that specifies a protocol for authentication and optional establishment of a security layer between client and server applications.
Java SE also provides a set of tools for managing keystores, certificates, and policy files; generating and verifying JAR signatures; and obtaining, listing, and managing Kerberos tickets.
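As an added example (not code from the original page), the following JSSE client helper puts the pieces listed above together: it loads a trust store produced with the keytool utility, builds an SSLContext from it, pins the protocol to TLSv1.2 and switches on hostname verification, which a raw SSLSocket does not perform by default. The trust store path, its password and the target host/port are placeholders.

```java
// Added example (not from the original page): a minimal JSSE client helper.
// Trust store path, password and host/port are placeholders supplied by the caller.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class TlsClient {

    /** Builds an SSLContext that trusts only the CA certificates in the given keystore file. */
    public static SSLContext contextFromTrustStore(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // The default (PKIX) TrustManager validates the chain and validity period of the server certificate.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManager: this client does not present a certificate (no client authentication).
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a TLS connection and completes the handshake before returning the socket. */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Refuse SSLv3 / TLS 1.0 / TLS 1.1 even if the runtime still enables them.
        params.setProtocols(new String[] {"TLSv1.2"});
        // A raw SSLSocket does NOT check that the certificate matches the host name;
        // "HTTPS" enables RFC 2818 hostname verification.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException if the trust or hostname check fails
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: a trust store created with keytool, its password, and a target server.
        SSLContext ctx = contextFromTrustStore("truststore.jks", "changeit".toCharArray());
        try (SSLSocket s = connect(ctx, "example.com", 443)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The two calls worth remembering are setProtocols, which removes the legacy protocol versions from the negotiation, and setEndpointIdentificationAlgorithm, without which a certificate for any host that chains to a trusted CA would be accepted.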
Java EE provides three different security mechanisms based on the layer at which the security has to be applied.
Application-Layer Security - In Java EE applications, the application-layer security is provided by the component containers.
Transport-Layer Security - Transport-layer security is provided by the transport mechanism used to transmit data between the client and server. Java EE applications rely on the HTTPS protocol, i.e. HTTP over Secure Sockets Layer (SSL) / Transport Layer Security (TLS).
Message-Layer Security - Message-Layer security secures the SOAP messages that are exchanged between client and server using XML web services.
Realms - Realms are security domains or protection spaces set up for web or application servers. Each realm has its own authentication scheme and contains a collection of users and groups.
Users - Users are individual or application entities defined in an identity store that access the application resources.
Groups - Groups are abstract entities defined in Java EE that contain a set of users having common traits.
Roles - Roles are abstract entities defined in Java EE that have permissions to access a set of secured resources in an application. Users or groups are mapped to roles.
Java web applications can be secured by either declarative security or programmatic security. Declarative security can be set up either in the deployment descriptor or via annotations.
Security constraints define access privileges to a collection of web resources using their URL mappings.
If an application uses servlets, the security constraint can be set using the @HttpConstraint and @HttpMethodConstraint annotations nested within the @ServletSecurity annotation.
If an application does not use servlets, the security constraint can be set using the <security-constraint> element in the deployment descriptor.
<security-constraint> contains the following sub-elements: <web-resource-collection>, <auth-constraint>, and <user-data-constraint>.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>employee</web-resource-name>
        <url-pattern>/secure/employee/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>MANAGER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
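The same constraint expressed with the servlet annotations, as an added example that is not code from the original page: the web-resource name, URL pattern, MANAGER role and CONFIDENTIAL transport guarantee are taken from the descriptor above; the EMPLOYEE role and the per-method rules for GET and TRACE are illustrative additions showing what @HttpMethodConstraint adds.

```java
// Added example (not from the original page): the annotation form of the
// <security-constraint> shown above. EMPLOYEE and the per-method rules are illustrative.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "employee", urlPatterns = "/secure/employee/*")
@ServletSecurity(
    // Default rule, applied to every HTTP method not listed in httpMethodConstraints:
    // the caller must be in MANAGER and the request must arrive over TLS.
    value = @HttpConstraint(rolesAllowed = "MANAGER",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // Read-only access is also granted to EMPLOYEE, still over TLS.
        @HttpMethodConstraint(value = "GET",
                              rolesAllowed = {"MANAGER", "EMPLOYEE"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // A method listed with no roles and DENY semantics is refused to everyone,
        // instead of falling back to the default rule above.
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class EmployeeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time the container invokes this method the constraint above has been
        // enforced; the caller identity is available for auditing or finer-grained checks.
        resp.setContentType("text/plain");
        resp.getWriter().println("employee data for " + req.getRemoteUser());
    }
}
```

Both forms are declarative: the container, not the servlet, rejects requests that fail the constraint. If the same URL pattern is also covered by a <security-constraint> in web.xml, the deployment descriptor takes precedence over the annotations.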
Http Basic authentication
Form-based authentication
Digest authentication
Authentication mechanism for a web application can be defined using the element
The
The
FORM
/login.html
/error.html
The
You can use the
manager
Sometimes declarative security alone is not sufficient to specify the complete security requirements of an application. Programmatic security is used in addition to declarative security in such cases.
The HttpServletRequest interface provides the following methods that can be used to authenticate users programmatically in a web application.
authenticate
login
logout
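As an added example (not code from the original page), the servlet below uses the three HttpServletRequest methods just listed together with isUserInRole, for the case described above where declarative security alone is not sufficient: whether a caller may view an account depends on request data. The /account path, the owner/username/password parameter names and the "manager" role are illustrative.

```java
// Added example (not from the original page): programmatic security with
// HttpServletRequest.authenticate / login / logout. Paths, parameter names
// and the "manager" role are illustrative.
import java.io.IOException;
import java.util.Objects;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/account")
public class AccountServlet extends HttpServlet {

    /** GET /account?owner=alice : view an account; only its owner or a manager may do so. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // authenticate(): returns true if a caller identity is already established.
        // Otherwise it starts the login mechanism configured for the web application
        // (FORM redirect or BASIC challenge), commits the response and returns false.
        if (!req.authenticate(resp)) {
            return;
        }
        String owner = req.getParameter("owner");
        // Data-dependent authorization: a manager may view any account, everyone else
        // only their own. A <security-constraint> cannot express this rule.
        boolean allowed = req.isUserInRole("manager")
                || Objects.equals(req.getRemoteUser(), owner);
        if (!allowed) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("account of " + owner + " viewed by " + req.getRemoteUser());
    }

    /** POST /account with username and password : explicit login against the realm. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        try {
            // Validates the credentials with the container's configured realm. Throws
            // ServletException on bad credentials, if a caller is already logged in, or
            // if the configured login mechanism does not support username/password.
            req.login(username, password);
        } catch (ServletException e) {
            // Same response for every failure, so the error does not reveal
            // whether the username exists.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Servlet 3.1: issue a fresh session id after login (session fixation defence).
        if (req.getSession(false) != null) {
            req.changeSessionId();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** DELETE /account : end the authenticated session. */
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Clears the caller identity (getRemoteUser() returns null afterwards)...
        req.logout();
        // ...and drop the session so cached attributes are discarded as well.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Note that login() and authenticate() only work against the realm and login mechanism configured for the web application; they do not replace that configuration, they invoke it from code.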