Sample Questions and Answers
What is the benefit of using Java’s javax.crypto.Mac class?
A) To compute a Message Authentication Code (MAC) ensuring data integrity and authenticity
B) To encrypt data using asymmetric algorithms
C) To generate random passwords
D) To manage HTTP sessions
Answer: A) To compute a Message Authentication Code (MAC) ensuring data integrity and authenticity
Explanation: MACs detect changes in data and confirm origin authenticity.
In Java, what does the term “sandboxing” refer to?
A) Running code with restricted privileges to prevent harmful operations
B) Encrypting all application data
C) Storing session data securely
D) Creating virtual machines
Answer: A) Running code with restricted privileges to prevent harmful operations
Explanation: Sandboxing limits code capabilities to protect the host environment.
Which Java API class is used to validate digital certificates?
A) CertPathValidator
B) KeyPairGenerator
C) MessageDigest
D) SSLContext
Answer: A) CertPathValidator
Explanation: Validates certificate chains to ensure authenticity.
What is a common way to securely compare passwords in Java?
A) Use equals() directly on passwords
B) Use a time-constant comparison function to prevent timing attacks
C) Print passwords to logs for debugging
D) Store passwords as plain text
Answer: B) Use a time-constant comparison function to prevent timing attacks
Explanation: Time-constant comparison prevents attackers from inferring password info via timing.
What does the Java KeyPairGenerator class generate?
A) A pair of public and private keys for asymmetric cryptography
B) Symmetric encryption keys
C) Password hashes
D) SSL certificates
Answer: A) A pair of public and private keys for asymmetric cryptography
Explanation: Used to create key pairs for encryption, signing, etc.
Which of the following helps prevent Cross-Site Scripting (XSS) in Java web applications?
A) Using HTML encoding/escaping on user inputs before outputting to web pages
B) Disabling all JavaScript
C) Allowing all user input without validation
D) Using GET requests for sensitive data
Answer: A) Using HTML encoding/escaping on user inputs before outputting to web pages
Explanation: Prevents malicious scripts from executing in the browser.
In Java security, what does “principle of least privilege” mean?
A) Users and programs should only have permissions necessary to perform their tasks
B) Everyone should have full access
C) Passwords should be complex
D) Encrypt all data
Answer: A) Users and programs should only have permissions necessary to perform their tasks
Explanation: Minimizes risk from accidental or malicious misuse.
How can Java applications mitigate man-in-the-middle attacks during SSL/TLS connections?
A) Properly validating server certificates against trusted Certificate Authorities (CAs)
B) Disabling SSL/TLS verification
C) Using plain HTTP
D) Ignoring certificate warnings
Answer: A) Properly validating server certificates against trusted Certificate Authorities (CAs)
Explanation: Prevents attackers from impersonating the server.
What does the java.security.cert.Certificate class represent?
A) A digital certificate binding a public key to an identity
B) A cryptographic key pair
C) A hashed password
D) An encryption algorithm
Answer: A) A digital certificate binding a public key to an identity
Explanation: Used in public key infrastructure (PKI).
Why should Java developers avoid using deprecated cryptographic algorithms?
A) They are easier to implement
B) They may be insecure and vulnerable to attacks
C) They run faster
D) They require less memory
Answer: B) They may be insecure and vulnerable to attacks
Explanation: Deprecated algorithms like MD5 and SHA-1 have known weaknesses.
Which Java class can be used to restrict access to methods and fields at runtime?
A) SecurityManager
B) ClassLoader
C) Thread
D) Reflection
Answer: A) SecurityManager
Explanation: It enforces security policies during code execution.
What is the role of the javax.security.auth.login.LoginContext class?
A) To authenticate a user using configured login modules
B) To encrypt files
C) To handle HTTP requests
D) To generate random keys
Answer: A) To authenticate a user using configured login modules
Explanation: It manages the login process in Java Authentication and Authorization Service (JAAS).
Which approach is most secure for storing passwords in a Java application?
A) Storing passwords in plain text
B) Hashing passwords with a strong algorithm and using a unique salt for each
C) Encrypting passwords with a reversible algorithm and storing keys locally
D) Storing passwords in cookies
Answer: B) Hashing passwords with a strong algorithm and using a unique salt for each
Explanation: Hashing with salt prevents password theft even if hashes leak.
What is a major risk of improper input validation in Java applications?
A) Increased CPU usage
B) Injection attacks, such as SQL or LDAP injection
C) Faster program execution
D) Reduced memory consumption
Answer: B) Injection attacks, such as SQL or LDAP injection
Explanation: Attackers exploit unchecked input to manipulate commands or queries.
How can Java web applications enforce HTTPS to enhance security?
A) Redirect all HTTP requests to HTTPS at the server or application level
B) Use plain HTTP only
C) Use FTP for data transmission
D) Disable SSL/TLS
Answer: A) Redirect all HTTP requests to HTTPS at the server or application level
Explanation: Ensures all communication is encrypted and secure.
What is the function of the Java AccessController class?
A) To perform privileged actions with controlled access to permissions
B) To generate cryptographic keys
C) To manage user sessions
D) To encrypt data
Answer: A) To perform privileged actions with controlled access to permissions
Explanation: Provides fine-grained control over permissions during sensitive operations.
What is the best practice when handling sensitive data in Java logging?
A) Never log sensitive data such as passwords or personal information
B) Log all data including sensitive information
C) Store logs on public servers
D) Use plain text logs only
Answer: A) Never log sensitive data such as passwords or personal information
Explanation: Logging sensitive info risks exposure if logs are accessed by attackers.
What is the benefit of using Java’s javax.net.ssl.SSLServerSocket?
A) To create a secure server socket supporting SSL/TLS encrypted communication
B) To generate random numbers
C) To handle file uploads
D) To log user activity
Answer: A) To create a secure server socket supporting SSL/TLS encrypted communication
Explanation: Ensures data exchanged between client and server is encrypted.
Why is it important to validate and sanitize all user inputs in Java applications?
A) To improve performance
B) To prevent security vulnerabilities such as injection and XSS
C) To reduce memory usage
D) To simplify code
Answer: B) To prevent security vulnerabilities such as injection and XSS
Explanation: Sanitizing inputs stops attackers from injecting malicious code.
What is the primary purpose of the SecureRandom class in Java?
A) To generate cryptographically strong random numbers
B) To store keys securely
C) To encrypt data using symmetric algorithms
D) To validate user credentials
Answer: A) To generate cryptographically strong random numbers
Explanation: SecureRandom is used to generate unpredictable values for cryptographic operations.
Which Java package provides support for cryptographic operations like encryption, key generation, and message digests?
A) crypto
B) java.io
C) java.net
D) javax.swing
Answer: A) javax.crypto
Explanation: This package includes classes for cryptographic operations such as Cipher and KeyGenerator.
What does the Java Cipher class do?
A) Provides encryption and decryption functionalities
B) Generates random passwords
C) Handles file I/O operations
D) Manages database connections
Answer: A) Provides encryption and decryption functionalities
Explanation: Cipher is used to perform encryption and decryption using various algorithms.
Why should developers avoid storing cryptographic keys in source code?
A) Because it is against coding standards
B) It exposes sensitive keys to unauthorized access if source code is leaked
C) It slows down the application
D) It uses too much memory
Answer: B) It exposes sensitive keys to unauthorized access if source code is leaked
Explanation: Hardcoded keys risk exposure and compromise security.
Which technique can Java developers use to protect against SQL injection?
A) Use of prepared statements (parameterized queries)
B) Concatenate SQL queries with user input directly
C) Disable input validation
D) Store passwords in plain text
Answer: A) Use of prepared statements (parameterized queries)
Explanation: Prepared statements separate SQL logic from user input, preventing injection.
What role does the java.security.MessageDigest class serve in Java security?
A) It computes hash functions like SHA-256 for data integrity verification
B) It manages SSL connections
C) It generates random numbers
D) It encrypts files
Answer: A) It computes hash functions like SHA-256 for data integrity verification
Explanation: Hashes ensure data has not been altered.
How can Java applications protect session data from being hijacked?
A) Use secure cookies with HTTPOnly and Secure flags
B) Use plain cookies without flags
C) Avoid session management altogether
D) Store session IDs in URLs
Answer: A) Use secure cookies with HTTPOnly and Secure flags
Explanation: These flags prevent client-side scripts from accessing cookies and ensure cookies are sent only over HTTPS.
What does the term “code signing” mean in the Java security context?
A) Digitally signing Java code to verify its authenticity and integrity
B) Encrypting Java code
C) Obfuscating Java code
D) Compressing Java bytecode
Answer: A) Digitally signing Java code to verify its authenticity and integrity
Explanation: Signed code assures users that it originates from a trusted source and hasn’t been tampered with.
What is the function of the Java AccessControlException class?
A) It indicates a security violation when code attempts to access restricted resources
B) It handles input/output errors
C) It manages user sessions
D) It generates cryptographic keys
Answer: A) It indicates a security violation when code attempts to access restricted resources
Explanation: Thrown when security checks fail.
How can Java developers securely transmit sensitive data over networks?
A) Using SSL/TLS encrypted connections
B) Using plain HTTP
C) Sending data as URL parameters
D) Storing data in cookies
Answer: A) Using SSL/TLS encrypted connections
Explanation: Encryption protects data from eavesdropping and tampering.
What is a common vulnerability caused by improper exception handling in Java applications?
A) Information leakage revealing internal system details to attackers
B) Improved application performance
C) Reduced memory usage
D) Enhanced user experience
Answer: A) Information leakage revealing internal system details to attackers
Explanation: Detailed error messages can provide attackers clues about system structure.
What is the purpose of the Java Principal interface?
A) Represents an entity (such as a user or a group) that can be authenticated
B) Manages encryption keys
C) Handles database transactions
D) Creates network sockets
Answer: A) Represents an entity (such as a user or a group) that can be authenticated
Explanation: Used in security frameworks for identity management.
How does the Java SecurityManager contribute to application security?
A) It enforces a security policy restricting what operations code can perform
B) It manages database connections
C) It logs application errors
D) It encrypts user data
Answer: A) It enforces a security policy restricting what operations code can perform
Explanation: Protects system resources by preventing unauthorized access.
What is a secure way to handle passwords in Java before storing them?
A) Hash the password with a strong hash function and apply salt
B) Store passwords in plain text
C) Encrypt passwords with a fixed key and store
D) Store passwords as reversible encrypted strings
Answer: A) Hash the password with a strong hash function and apply salt
Explanation: Hashing and salting prevent easy password recovery.
Which Java class can be used to generate a digital signature?
A) security.Signature
B) javax.crypto.Cipher
C) java.security.MessageDigest
D) java.util.Random
Answer: A) java.security.Signature
Explanation: Used to sign data with private keys and verify signatures with public keys.
What is the benefit of using Java’s JAAS (Java Authentication and Authorization Service)?
A) Provides a pluggable framework for authentication and authorization in Java applications
B) Generates cryptographic keys
C) Logs user activities
D) Handles file uploads
Answer: A) Provides a pluggable framework for authentication and authorization in Java applications
Explanation: JAAS allows flexible and configurable security.
How should sensitive data be handled in Java application logs?
A) Mask or avoid logging sensitive information
B) Log all data for auditing without restrictions
C) Store logs on public servers without encryption
D) Include passwords in logs
Answer: A) Mask or avoid logging sensitive information
Explanation: Prevents exposure of sensitive data if logs are accessed.
What Java class is used to implement symmetric encryption?
A) crypto.Cipher with symmetric keys like AES
B) java.security.KeyPairGenerator
C) java.security.Signature
D) javax.net.ssl.SSLSocket
Answer: A) javax.crypto.Cipher with symmetric keys like AES
Explanation: Cipher can be used with AES, DES, or other symmetric algorithms.
What is the function of the javax.crypto.KeyGenerator class?
A) Generates symmetric cryptographic keys
B) Signs data with private keys
C) Generates random numbers
D) Stores certificates
Answer: A) Generates symmetric cryptographic keys
Explanation: Used to generate keys for AES, DES, etc.
What is the role of SSLContext in Java?
A) It defines the environment for SSL/TLS operations, including key managers and trust managers
B) It manages HTTP sessions
C) It generates digital certificates
D) It encrypts files
Answer: A) It defines the environment for SSL/TLS operations, including key managers and trust managers
Explanation: It sets up SSL parameters for secure communication.
Which Java class is used for Base64 encoding and decoding?
A) util.Base64
B) javax.crypto.Cipher
C) java.security.MessageDigest
D) java.lang.String
Answer: A) java.util.Base64
Explanation: Provides encoding and decoding of Base64, commonly used for transmitting binary data.
How does the Java javax.crypto.spec.IvParameterSpec class help in cryptography?
A) It specifies an initialization vector (IV) for block cipher modes that require it
B) It generates cryptographic keys
C) It validates digital certificates
D) It manages user sessions
Answer: A) It specifies an initialization vector (IV) for block cipher modes that require it
Explanation: IVs ensure that repeated encryption of the same data yields different ciphertexts.
Which technique is effective to prevent Cross-Site Request Forgery (CSRF) attacks in Java web apps?
A) Use CSRF tokens in forms and validate them server-side
B) Disable cookies
C) Use GET requests for all sensitive operations
D) Allow all origins in CORS
Answer: A) Use CSRF tokens in forms and validate them server-side
Explanation: CSRF tokens prevent unauthorized commands from authenticated users.
What Java API can be used to implement certificate pinning?
A) net.ssl.X509TrustManager with custom validation logic
B) java.security.KeyPairGenerator
C) java.security.MessageDigest
D) javax.crypto.Cipher
Answer: A) javax.net.ssl.X509TrustManager with custom validation logic
Explanation: Custom trust managers can enforce certificate pinning.
Reviews
There are no reviews yet.