Wednesday, June 12, 2013

Java security interview questions for senior developer

Lets talk about some interview questions that could be asked during senior Java EE developer who claims to have invoked REST or SOAP secured web services.

Q: Is the security configuration different for Apache HttpClient from
      Yes; it does. For both types, an instance of SSLContext needs to be initialized with respective     keystore/truststore. HttpsURLConnection could be configured by invoking setSSLSocketFactory(); apache http client by registering https schema with a corresponding implementation of org.apache.http.conn.ssl.SSLSocketFactory.

Q: Does SSLContext.getInstance() return new instance every time the method is invoked?
     Yes; SSLContext.getInstance() returns new instance each time the method is invoked. It will not have a keystore and truststore hooked to it. init() would need to be called to initialize it. null passed in for the keystore/truststore will use the default implementation for the respective store.

Q: What security configuration does HttpsURLConnection use if a security configuration is not specified?
     HttpsURLConnection uses SSLSocketFactory default implementation retrieved by SSLContext.getDefault().

Q: Why do we create protocols like myhttps, abchttps etc.?
The standard approach while using apache http client 3.1 is to define a SSLContext with keystore/truststore and register a new protocol such as abchttps with the newly defined SSLContext. Then your web service URL will be prefixed with abchttps instead of https.

Q: This seems to be clumsy; is there a better alternative?
A better approach would be to upgrade to apache httpcomponents 4.x which is a successor to apache httpclient 3.x (reached EOL). In 4.x, you could define a SSLContext and register https protocol with SSLContext. The https protocol (aka scheme) will be registered to your httpclient's connection manager. The key point to note here is that you could define multiple https protocol and register it in different connection managers to have different keystore/truststore for different web service calls.

No comments:

Post a Comment