1. If the client disables cookies, can the session still be used?
Cookies and Sessions are generally regarded as two independent things: a Session keeps state on the server side, while a Cookie keeps state on the client side. So why is the Session lost when cookies are disabled? The server uses the Session ID to locate the Session that belongs to the current conversation, and that Session ID is normally carried in a Cookie; disabling cookies therefore means losing the Session ID, and with it the Session.
If the Session still has to be used while cookies are disabled, it can be implemented in the following ways:
Set session.use_trans_sid = 1 in the php.ini configuration file, or turn on the --enable-trans-sid option when compiling, so that PHP automatically passes the Session ID across pages.
Pass the Session ID manually through the URL, or through a hidden form field.
Save the Session ID in a file, database, etc., and retrieve it manually when moving between pages.
2. What is the difference between Spring MVC and Struts?
1. Differences in interception mechanisms
Struts2 uses class-level interception: a new Action instance is created for every request, so when Struts2 is integrated with Spring the Action bean has to be injected with prototype scope, and request data is then injected into the Action's properties through setters and getters. In Struts2 an Action corresponds to one request/response context and receives parameters through its attributes, which means those attribute values are shared by all of the Action's methods. A Struts2 Action method can be mapped to a URL, but the class attributes are shared by every method, so a single method cannot be singled out by annotations or similar means, and the Action can only be designed as a multi-instance (prototype) bean.
Spring MVC uses method-level interception: one method corresponds to one request context, so each method is essentially independent and has exclusive access to its request and response data. Each method is mapped to a URL, and parameters are injected directly into the method, so they belong to that method alone; results are returned to the framework through a ModelMap. When integrated with Spring, a Spring MVC Controller bean defaults to singleton scope, so by default a single Controller instance serves all requests. It must therefore hold no shared mutable state, and under that condition it is thread-safe. To change the default scope, add a @Scope annotation.
Struts2 has its own interceptor mechanism, whereas Spring MVC relies on a separate AOP-based approach; as a result Struts2 needs more configuration than Spring MVC.
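The singleton-scope point above in code, as an added example that is not part of the original article: the three controllers, their URLs and the user parameter are assumed names, written against the Spring MVC annotations named in the text (@Controller, @Scope) together with @GetMapping and @RequestParam.

```java
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Anti-pattern: a default (singleton) controller that parks per-request data in a
// field. Every concurrent request runs through this one instance, so request A can
// read the value written by request B: data leaks between users, not just a race.
@Controller
class UnsafeProfileController {
    private String currentUser;                          // shared mutable state

    @GetMapping("/unsafe/profile")
    public String profile(@RequestParam("user") String user, ModelMap model) {
        this.currentUser = user;                         // another thread may overwrite this...
        model.addAttribute("user", this.currentUser);    // ...before it is read back here
        return "profile";
    }
}

// Correct form for the default singleton scope: request data lives only in method
// parameters and locals, so the method is exclusive to its own request.
@Controller
class SafeProfileController {
    @GetMapping("/profile")
    public String profile(@RequestParam("user") String user, ModelMap model) {
        model.addAttribute("user", user);                // no instance state touched
        return "profile";
    }
}

// If per-request fields really are needed, change the bean scope as the text says;
// Spring MVC then resolves a fresh controller instance for each request.
@Controller
@Scope("prototype")
class PrototypeProfileController {
    private String currentUser;                          // now private to one request

    @GetMapping("/prototype/profile")
    public String profile(@RequestParam("user") String user, ModelMap model) {
        this.currentUser = user;
        model.addAttribute("user", this.currentUser);
        return "profile";
    }
}
```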
2. Differences in underlying frameworks
Struts2 is implemented with a Filter (StrutsPrepareAndExecuteFilter), whereas Spring MVC (DispatcherServlet) is implemented with a Servlet. A Filter is initialized when the container starts and destroyed when the service stops, later than a Servlet; a Servlet is initialized when it is first called, before the Filter is invoked, and is destroyed when the service stops.
3. In terms of performance
Struts2 uses class-level interception: every request creates a new Action instance, and all of its attribute values have to be injected. Spring MVC achieves zero configuration and, because it intercepts at the method level, only needs to load a singleton bean for injection. Therefore Spring MVC's development efficiency and performance are higher than Struts2's.
4. In terms of configuration
Spring MVC integrates seamlessly with Spring, and the resulting project is also easier to manage and more secure than one built on Struts2.
3. How to avoid SQL injection?
Use PreparedStatement (the simple and effective method)
Use regular expressions to filter incoming parameters
String filtering
Call this function in a JSP to check whether the input contains illegal characters
JSP page validation code
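The first item in the list as working code, added here and not taken from the original article: UserDao, the users table and its columns are assumed names; the last method covers the one place PreparedStatement placeholders cannot protect, a SQL identifier supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class UserDao {

    // Vulnerable: the user-controlled value is spliced into the SQL text, so a
    // quote character in the input ends the string literal and whatever follows
    // is parsed as SQL by the database.
    public static Long findUserIdUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getLong("id") : null;
        }
    }

    // Hardened: the SQL text is fixed before any input is seen; the value travels
    // as a bound parameter and is never interpreted as SQL, whatever it contains.
    public static Long findUserId(Connection conn, String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong("id") : null;
            }
        }
    }

    // Caveat: placeholders only bind values. Identifiers such as a sort column
    // cannot be parameters, so they must be checked against a fixed allow list.
    private static final Set<String> SORTABLE = Set.of("name", "created_at");

    public static PreparedStatement listUsersSorted(Connection conn, String sortColumn)
            throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        // Safe only because sortColumn is now one of the literals declared above.
        return conn.prepareStatement("SELECT id, name FROM users ORDER BY " + sortColumn);
    }
}
```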
4. What is an XSS attack and how to avoid it?
XSS, also referred to as CSS, stands for Cross Site Script (cross-site scripting). The principle is that an attacker submits malicious HTML code to a website that has an XSS vulnerability; when a user browses that website, the HTML code is executed automatically in the user's browser, achieving the attacker's goal.
XSS attacks are similar to SQL injection attacks. In a SQL injection attack, SQL statements are supplied as user input to query, modify or delete data; in an XSS attack, malicious scripts are inserted to take control of the target user's browser and obtain some of the user's information. XSS is a common vulnerability in web applications, and it is a passive attack method that acts on the client side.
The general approach to XSS prevention is to filter the input (including URL parameters) and encode the output.
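The "encode the output" half of that rule as an added example, not code from the original article: HtmlEncoder and encodeForHtml are assumed names, and the nickname value is a constructed sample.

```java
public final class HtmlEncoder {

    // Encodes a string for insertion into HTML text content or a quoted attribute
    // value. Every character that can alter the HTML structure is replaced by a
    // character reference, so markup or script contained in stored user input is
    // rendered as literal text instead of being interpreted by the browser.
    // This covers the HTML body/attribute context only; values placed inside a
    // <script> block or a URL need a JavaScript or URL encoder instead.
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;   // defuses closing tags
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Constructed sample: a stored nickname that happens to contain markup.
    public static void main(String[] args) {
        String nickname = "<b>Mallory</b> says \"hi\" & bye";
        // Output: <span class="nick">&lt;b&gt;Mallory&lt;&#x2F;b&gt; says &quot;hi&quot; &amp; bye</span>
        System.out.println("<span class=\"nick\">" + encodeForHtml(nickname) + "</span>");
    }
}
```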
5. What is a CSRF attack and how to avoid it?
CSRF (Cross-site request forgery), also called one-click attack or session riding, is, as its full name says, cross-site request forgery. In general terms, the attacker forges a request from the user's browser and sends it to a website on which the user is already authenticated; the target website receives it, mistakes it for the user's genuine action, and executes the command. It is commonly used to steal accounts, transfer money, send false messages, and so on. The attacker exploits a weakness in the website's request verification: the site can confirm that a request came from the user's browser, but cannot verify that it reflects the user's true intention.
How to avoid it:
1. Verify the HTTP Referer field
The Referer field in the HTTP header records the source address of the HTTP request. Under normal circumstances a request for a security-restricted page comes from the same website, and an attacker who wants to mount a CSRF attack against it can generally only construct the request on their own website. CSRF attacks can therefore be defended against by verifying the Referer value.
2. Use a verification code (CAPTCHA)
Add a verification code to the pages for key operations; after receiving the request, the backend checks the code, which prevents CSRF. However, this method is not very user-friendly.
3. Add a token to the request and verify it
CSRF attacks succeed because the attacker can completely forge the user's request, and all of the user's authentication information in that request lives in cookies, so the attacker can pass the security check with the user's own cookies without knowing that information.
To resist CSRF, the key is to include in the request information that the attacker cannot forge and that is not stored in cookies. A randomly generated token can be added to the HTTP request as a parameter, with an interceptor on the server side that verifies it. If the request carries no token, or the token is incorrect, the request is treated as a possible CSRF attack and rejected.
This method is safer than checking the Referer. The token can be generated after the user logs in and stored in the session; on each request it is taken from the session and compared with the token in the request. The difficulty with this method is how to add the token to every request as a parameter.
For GET requests the token is appended to the request address, so the URL becomes:
http://url?csrftoken=tokenvalue
For POST requests it is carried in a hidden form field:
<input type="hidden" name="csrftoken" value="tokenvalue"/>
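The session-token interceptor described above, as an added example that is not part of the original article: a servlet Filter (Servlet 4.0+, so init/destroy keep their default bodies); CsrfTokenFilter, issueToken and tokenMatches are assumed names, while the parameter name csrftoken is the one the text uses.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CsrfTokenFilter implements Filter {
    static final String TOKEN_NAME = "csrftoken";     // parameter name used in the URL and the form
    private static final SecureRandom RNG = new SecureRandom();

    // Called once after a successful login. The token lives in the session and is
    // written into pages as ?csrftoken=... or <input type="hidden" name="csrftoken" .../>.
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];                        // 256 random bits: not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_NAME, token);
        return token;
    }

    // Compare without revealing, through timing, how many leading bytes matched.
    static boolean tokenMatches(String expected, String supplied) {
        return expected != null && supplied != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);  // never create a session here
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_NAME);
        // Once a token has been issued (the user is logged in), every request must carry it.
        // Requests made before login, such as fetching the login page, are let through.
        if (expected != null && !tokenMatches(expected, request.getParameter(TOKEN_NAME))) {
            // No token, or one that differs from the session's: treat as CSRF and reject.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the text also appends the token to GET URLs, the filter checks every request once a token exists in the session; deployments commonly restrict the check to state-changing methods and keep token-bearing URLs out of logs.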
The above is the detailed content of 2020 New Java Interview Questions - Java Web (2). For more information, please follow other related articles on the PHP Chinese website!