Java provides a robust security platform that makes it easy for Java developers to develop secure Java applications. But Java security is a difficult topic to prepare or master for Java programming interviews. Java security is a huge and complex topic, with security features available at different levels and layers of the platform. Often times, when your are preparing for a Java interview, it is even difficult to figure out where to begin.
This post make it a little easier by structuring the Java security interview questions into JVM specific security questions, Java API specific security questions, and common security plug in interview questions.
Describe the Java security architecture.
Security is provided by the Java platform through a number of mechanisms.
Secure environment - Java programs run in a secure and restricted environment. The level of access that a Java program can have to important system resources can be restricted based on the trustfulness of the program
Java language features - Java programming language provides a number of in-built features such as automatic memory management, garbage collection array and string range checking etc. which enhances the security of a Java application.
JVM features JVM is designed to provide secure environment for Java applications to be run in - JBytecode verifiers ensure that only legitimate and valid Java bytecodes are executed by the JVM. Java class loaders ensure that only legitimate and secure Java class files, which do not interfere with the running of other Java programs are loaded into the JVM. Access to important resources is provided through the JVM, and is pre-checked by SecurityManager class to ensure that access or restrictions of a resource to a specific resource.
Plugins - Additional security features can be plugged in into the platform and used by Java programs.
How did Java's security model evolve over time?
Security has been an integral part of Java platform since its introduction.
Java 1.0.x - Java started with a security model, commonly known as the sandbox security model. In this model all Java programs run locally are considered trusted, and can access local resources. Java applets, which are downloaded over the network, are considered untrusted and cannot access resources beyond the sandbox. Access to resources is mediated through the SecurityManager class
Java 1.1.x - Java 1.1.x introduced the concept of 'signed applets', which allowed downloading and running Java applets as trusted code after verifying the applet signer's information.
Java 2 (J2SE) - Java 2 platform provided significant changes and enhancements to security.
- J2SE introduced the concept of 'protection domain' and 'security policy' and 'Permission'. A protection domain is configured by grouping classes by associating them with a 'security policy' which contains a set of 'permissions'. The security policy determines if a code can be run on a protection domain or not. SecurityManager enforces the required security policy.
What are the key security features provided by Java programming language?
Java programming language has several inherent features that contribute to the security of the Java application
- Java is designed to be a type-safe language and is easy to use. Java type safety is enforced by the java compiler and is checked by the runtime environment.This results in an overall secure environment for Java programs to run in.
- Java language does automatic range checking on arrays which reduces the burden on developers, results in less programming errors and leads to a more safer and robust code.
- Automatic memory management - Java has automatic memory management and the memory is freed automatically by garbage collection. Java has transparent storage allocation, which is not defined in the Java or JVM specs. This makes it difficult for anyone to perform memory hacks.
*** See complete answer in the Java Interview Guide.
What is the function of permissions class in Java programming language?
Java API provides the java.security.Permission class which represents access to system resources such as files, sockets etc. and is a core part of Java security platform.
A number of specific permission classes, such as FilePermission, AWTPermission and SocketPermission are sub-classes of java.security.Permission class.
What are protection domains in Java programming language?
Protection domains are groups of classes having the same permissions. Classes are grouped into protective domains, and...
*** See complete answer in the Java Interview Guide.
What is SecurityManager in Java programming language?
The Java programming API provides the java.lang.SecurityManager class which mediates access to all resources. The SecurityManager class has a number of check() methods which determines if a class can access a specific resource. For example ...
*** See complete answer in the Java Interview Guide.
What are the key classes provided in Java API that deals with security?
Key classes related to security are provided by the Java programming API in java.security.* package...
*** See complete answer in the Java Interview Guide.
Java - Interview Questions
