Last Updated on March 20, 2022 by Admin 2

GSSP-Java : GIAC Secure Software Programmer-Java : Part 03

  1. Mark works as a Programmer for InfoTech Inc. He creates an error page named PageDoesNotExist.jsp. He wants to ensure that the PageDoesNotExist.jsp page will always be displayed if the server cannot find the requested page or if the request is for a page that does not exist on the server. Which of the following error-page code declarations will be used?

    • <error-page>
      <error-code>406</error-code>
      <location>PageDoesNotExist.jsp</location>
      </error-page>
    • <error-page>
      <error-code>405</error-code>
      <location>PageDoesNotExist.jsp</location>
      </error-page>
    • <error-page>
      <error-code>404</error-code>
      <location>PageDoesNotExist.jsp</location>
      </error-page>
    • <error-page>
      <error-code>503</error-code>
      <location>PageDoesNotExist.jsp</location>
      </error-page>
  2. Which of the following are the advantages of JAR files over TAR files?

    Each correct answer represents a complete solution. Choose all that apply.

    • It cannot be digitally signed.
    • It provides package sealing.
    • It can be compressed.
    • It provides package versioning.
  3. Which of the following statements about a JAR file command are true?

    Each correct answer represents a complete solution. Choose all that apply.

    • A JAR file can be created without even using the f command.
    • The 0 command is used for no compression of a JAR file.
    • The t command of a JAR file is used to update the contents of a file.
    • A JAR file can be extracted using the e command.
  4. Roger works as a Software Developer for Tech Mart Inc. He creates an application using Enterprise JavaBeans. In the bean class, he writes a code snippet as follows.

    Boolean b = ctx.isCallerInRole("Administrator");

    The Application Assembler named Bob declares the following entries within the <entity> element of the deployment descriptor.

    1. <security-role-ref>

    2. The HR-Manager will have permission to access all the methods.

    3. <role-name>HR-Manager</role-name>

    4.

    5. </security-role-ref>

    Bob wants to ensure that the HR-Manager declared in the deployment descriptor has all the privileges of an administrator. Which of the following elements should Bob declare in line 4 while deploying the bean?

    • <security-role>
    • <role-link>
    • <method-permission>
    • <run-as>
  5. Mark works as a Programmer for InfoTech Inc. He develops the following code snippet.

    package Mark.tutorial.javaee.ejb;

    import java.util.logging.Logger;
    import javax.annotation.Resource;
    import javax.ejb.Stateless;
    import javax.ejb.Timeout;
    import javax.ejb.Timer;
    import javax.ejb.TimerService;

    @Stateless
    public class TimerBean implements TimerSessionBean {
        @Resource
        TimerService timerService;

        private static final Logger logger = Logger.getLogger("com.sun.tutorial.javaee.ejb.timersession.TimerSessionBean");

        public void createTimer(long intervalDuration) {
            Timer timer = timerService.createTimer(intervalDuration, "New timer created");
        }

        @Timeout
        public void timeout(Timer timer) {
            logger.info("Timer Timeout");
        }
    }

    Which of the following statements are true about the code?

    Each correct answer represents a complete solution. Choose all that apply.

    • The class Logger cannot be used with a stateless session bean.
    • The EJB container will invoke the timeout method of TimerSessionBean when the timer expires.
    • The class is using the createTimer method incorrectly because it creates a new timer.
    • TimerBean is a stateless session bean that shows how to set a timer.
  6. Which of the following declarations are valid declarations of the <security-constraint> element?

    Each correct answer represents a complete solution. Choose all that apply.

    • <security-constraint>
      <web-resource-collection>
      <web-resource-name>AccountServlet</web-resource-name>
      <url-pattern>/acme/Account</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Accountant</role-name>
      </auth-constraint>
      </security-constraint>
    • <security-constraint>
      <web-resource-collection>
      <web-resource-name>AssistantServlet</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Assistant</role-name>
      </auth-constraint>
      </security-constraint>
    • <security-constraint>
      <web-resource-collection>
      <web-resource-name>AccountServlet</web-resource-name>
      <url-pattern>/acme/Account</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Accountant</role-name>
      </auth-constraint>
      </security-constraint>
    • <security-constraint>
      <auth-constraint>
      <role-name>Assistant</role-name>
      </auth-constraint>
      </security-constraint>
    • <security-constraint>
      <web-resource-collection>
      <web-resource-name>AssistantServlet</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Assistant</role-name>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      </auth-constraint>
      </security-constraint>
  7. Mark works as a Programmer for InfoTech Inc. He develops the following deployment descriptor code for specifying the security roles for a Web application.

    <security-role>
    <role-name>Manager</role-name>
    </security-role>
    <security-role>
    <role-name>Admin</role-name>
    </security-role>
    <security-role>
    <role-name>Member</role-name>
    </security-role>
    </web-app>

    Which of the following are valid <auth-constraint> elements that will allow users to access resources constrained by the security roles declared above?

    Each correct answer represents a complete solution. Choose all that apply.

    • <auth-constraint>
      <role-name>*</role-name>
      </auth-constraint>
    • <auth-constraint/>
    • <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Manager</role-name>
      </auth-constraint>
    • <auth-constraint>
      <role-name>admin</role-name>
      </auth-constraint>
    • <auth-constraint>
      <role-name>Admin</role-name>
      </auth-constraint>
    • <auth-constraint>
      <role-name>Manager</role-name>
      </auth-constraint>
  8. You work as a programmer for PassGuide.Inc. You want to create a servlet filter that stores all request headers to a database for all requests to the Web application’s home page “/work.jsp”. Which of the following HttpServletRequest methods allows you to retrieve all of the request headers?

    • java.util.Enumeration getRequestHeaders()
    • java.util.Enumeration getHeaderNames()
    • String[] getRequestHeaders()
    • java.util.Iterator getRequestHeaders()
    • java.util.Iterator getHeaderNames()
    • String[] getHeaderNames()
  9. Which of the following is a Permission class whose permissions have no actions, and allows suppressing the standard Java programming language access checks?

    • java.awt.RuntimePermission
    • java.security.SecurityPermission
    • java.lang.reflect.ReflectPermission
    • java.lang.AllPermission
  10. Roger works as a Software Developer for Tech Mart Inc. He creates an application using Enterprise JavaBeans. In the bean class, he writes a code snippet as follows.

    Boolean b = ctx.isCallerInRole("Administrator");

    The application assembler named Bob declares the following entries within the <entity> element of the deployment descriptor.

    1. <security-role-ref>

    2. The HR-Manager will have permission to access all the methods.

    3. <role-name>HR-Manager</role-name>

    4.

    5. </security-role-ref>

    Bob wants to ensure that the HR-Manager declared in the deployment descriptor has all the privileges of an administrator. Which of the following elements should Bob declare in line 4 while deploying the bean?

    • <security-role>
    • <role-link>
    • <run-as>
    • <method-intf>
  11. Which of the following methods is defined by ObjectOutputStream?

    • char readChar()
    • int readInt()
    • void write(byte buffer[])
    • int available()
  12. You work as a Web Deployer for UcTech Inc. You write the <security-constraint> element for an application in which you write the <auth-constraint> sub-element as follows.

    <auth-constraint>
    <role-name>*</role-name>
    </auth-constraint>

    Who will have access to the application?

    • No user
    • It depends on the application.
    • Only the administrator
    • All users
  13. You work as a Software Developer for UcNet Inc. You write the following code using Java.

    class StringTest
    {
        public static void main(String args[])
        {
            String s = "Hi";
            s.concat("There");
            System.out.println(s);
        }
    }

    What will happen when you try to compile and execute the code?

    • It will not compile.
    • It will compile and execute successfully and will display Hi as the output.
    • It will compile but will throw an exception at runtime.
    • It will compile and execute successfully and will display HiThere as the output.
  14. Mark works as a Programmer for InfoTech Inc. He develops a RefreshFailed.jsp page for a servlet. He wants that the RefreshFailed.jsp page will be displayed when the javax.security.auth.RefreshFailedException is thrown. Which of the following error-page deployment descriptor element declarations will be used?

    • <error-page>
      <exception-code>javax.security.auth.RefreshFailedException</exception-code>
      <location>RefreshFailed.jsp</location>
      </error-page>
    • <error-page>
      <exception-type>javax.security.auth.RefreshFailedException</exception-type>
      <location>RefreshFailed.jsp</location>
      <error-code>408</error-code>
      </error-page>
    • <error-page>
      <exception-type>javax.security.auth.RefreshFailedException</exception-type>
      <location>RefreshFailed.jsp</location>
      </error-page>
    • <error-page>
      <exception-type>javax.security.auth.RefreshFailedException</exception-type>
      <target>RefreshFailed.jsp</target>
      </error-page>
  15. Which of the following statements about the isUserInRole() method are true?

    Each correct answer represents a complete solution. Choose all that apply.

    • It accepts a boolean argument.
    • It is mapped in the deployment descriptor using the <security-role-ref> element.
    • It belongs to the HttpServletResponse interface.
    • The <role-link> sub-element of the <security-role-ref> element must match the <role-name> sub-element of the <security-role> element.
  16. Which of the following statements are true about Vector and ArrayList?

    Each correct answer represents a complete solution. Choose all that apply.

    • ArrayList is synchronized and Vector is not synchronized.
    • Each vector tries to optimize storage management by maintaining a capacity and a capacityIncrement.
    • If multiple threads are trying to access an ArrayList instance concurrently, and at least one of the threads modifies the list structurally, it must be synchronized externally.
    • Vector is an implementation of the List interface and implements all optional list operations, and permits all elements, excluding null.
  17. Which of the following conditions must be satisfied before the HTTP client authentication mechanism is used?

    Each correct answer represents a complete solution. Choose all that apply.

    • The client must have a valid public key certificate.
    • The SSL support must be configured for the server.
    • It must create the error and login form pages.
    • The Base64 encoding must be used for sending user names and passwords over the Internet.
  18. Which of the following statements about ServletContext attributes is true?

    • They are not thread-safe but can be made thread-safe by synchronizing the service() method.
    • They are not thread-safe but can be made thread-safe by applying a lock on the context.
    • They are thread-safe.
    • They are not thread-safe but can be made thread-safe by applying a lock on the servlet.
  19. You work as a Software Developer for UcTech Inc. You want the deployment descriptor to contain entries for the authentication type and the security realm. In order to accomplish this, you have to use the sub-elements of the <login-config> element. Which of the following will you use?

    Each correct answer represents a complete solution. Choose all that apply.

    • <auth-name>
    • <realm-type>
    • <auth-type>
    • <form-login-config>
    • <realm-name>
    • <login-form-type>
    • <auth-method>
  20. Which of the following statements about data integrity of a container are true?

    Each correct answer represents a complete solution. Choose two.

    • It ensures that an eavesdropper cannot read an HTTP message being sent from a client to a container.
    • Data integrity ensures that information has not been modified by a third party while it is in transit.
    • It ensures that a hacker cannot alter the contents of an HTTP message while it is in transit from a container to a client.
    • Data integrity ensures that information is made available to users who are authorized to access it.