These questions are taken from the SCEA Study Guide.
1) You are the architect for a social networking application that
allows users to leave comments for other users. Recently, a spate
of hacker attacks has disrupted the site, reducing revenue from
site partners and advertising. Of the attack types listed next,
which two can be addressed by ensuring that all special characters/
word sequences are removed from all free text inputs on the
web site?
A. Buffer overflow
B. Cross-site scripting
C. SQL injection
D. Permission errors
As per my understanding, the correct answers would be "B" & "C", whereas the SCEA book says C and D.
2)
Security restrictions in a use-case require that the behavior of an
EJB business method vary according to the role of the user. How
should this be achieved? (Select the best answer.)
A. The deployment descriptor is written using the roles determined
by the programmer.
B. The programmer determines a role reference and uses it in
the code. This is mapped to a role in the deployment
descriptor.
C. The business method determines the role of the user using
JNDI and configuration information in the deployment
descriptor.
D. The business method determines the role of the user using
JAAS and configuration information in the deployment
descriptor.
The correct answer is 'D' as per the book, but why isn't 'B' correct? I think it can be done using getCallerPrincipal() and isCallerInRole().
What do you guys think?
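As an added illustration (not from the study guide or the post above) of the role-reference mechanism the second question turns on: the bean code checks a role reference with isCallerInRole(), and the deployment descriptor links that reference to a security role defined for the application. The bean, the Comment class and the role names moderator, member and site-moderators are constructed for this example.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"moderator", "member"})   // role references used inside the code
@RolesAllowed({"moderator", "member"})   // declarative gate: who may call at all
public class CommentService {

    // Minimal constructed domain object for the example.
    public static class Comment {
        private final String author;
        public Comment(String author) { this.author = author; }
        public String getAuthor() { return author; }
    }

    @Resource
    private SessionContext ctx;          // injected by the EJB container

    // Behaviour varies by role: moderators may delete any comment,
    // members only their own. The strings passed to isCallerInRole are
    // role *references*; the descriptor below maps them to real roles.
    public void deleteComment(Comment c) {
        Principal caller = ctx.getCallerPrincipal();
        if (ctx.isCallerInRole("moderator")) {
            remove(c);
        } else if (ctx.isCallerInRole("member")
                   && caller.getName().equals(c.getAuthor())) {
            remove(c);
        } else {
            // Deny by default; the container turns this into a security failure.
            throw new EJBAccessException("caller may not delete this comment");
        }
    }

    private void remove(Comment c) { /* persistence call omitted */ }
}

/* Constructed ejb-jar.xml fragment: the deployer links the code's reference
 * "moderator" to the application's security role "site-moderators".
 * <session>
 *   <ejb-name>CommentService</ejb-name>
 *   <security-role-ref>
 *     <role-name>moderator</role-name>          <!-- used in isCallerInRole -->
 *     <role-link>site-moderators</role-link>    <!-- declared <security-role> -->
 *   </security-role-ref>
 * </session>
 */
```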