[Practical tips] Alibytes and Tencent interview sprint: the knowledge you need is here! The latest 2020 common Java interview questions, basic questions (with detailed answers)

2020 latest Java collection of common interview questions + detailed answers (5)

Recently, many people around me have been asking about interviews at big tech companies. So I am combining the interview questions that my friends and I have encountered to put together common, basic Java interview questions. The first few collections have already been posted on my homepage.

Some of the answers I summarized myself, and some were collected from the Internet. After reading these, you won't need to panic in interviews! If you have more experience, you can share it in the comments. If you find any mistakes, you are welcome to point them out. Please let me know, thank you~

Java Web

51. What is the difference between jsp and servlet?

 

  1. After compilation, a JSP becomes a Servlet. (A JSP is in essence a Servlet. The JVM can only recognize Java classes, not JSP code, so the web container compiles JSP code into Java classes that the JVM can recognize.)

  2. JSP is better at displaying pages, and Servlet is better at logic control.

  3. Servlets have no built-in objects. The objects that are built in to JSP must be obtained in a Servlet through the HttpServletRequest object, the HttpServletResponse object and the HttpServlet object.

  4. JSP is a simplification of Servlet. With JSP, the programmer only needs to write the content to be output to the client; how the Java scripting code embedded in the JSP is turned into a class is handled by the JSP container. A Servlet is a complete Java class, and its service method is used to generate the response to the client.

 

52. What are the built-in objects of jsp? What are the roles?

 

JSP has 9 built-in objects:

 

  • request: encapsulates the client's request, which contains the parameters from the GET or POST request;

  • response: encapsulates the server's response to the client;

  • pageContext: other objects can be obtained through this object;

  • session: the object that encapsulates the user session;

  • application: the object that encapsulates the operating environment of the server;

  • out: the output stream object for the server's response;

  • config: the configuration object of the Web application;

  • page: the JSP page itself (equivalent to this in a Java program);

  • exception: the object that encapsulates the exception thrown by the page.


53. Tell me about the 4 scopes of jsp?

 

The four scopes in JSP include page, request, session and application, specifically:

 

  • page represents objects and attributes related to a page.

  • request represents objects and attributes related to a request issued by a Web client. A request may span multiple pages and involve multiple Web components; temporary data that needs to be displayed on the page can be placed in this scope.

  • session represents objects and attributes related to a session established by a certain user with the server. Data related to a user should be placed in the user's own session.

  • application represents objects and attributes related to the entire Web application. It is essentially a global scope that spans the entire Web application, including multiple pages, requests, and sessions.


54. What is the difference between session and cookie?

 

  • Because HTTP is a stateless protocol, the server needs a mechanism to identify a specific user when it has to record that user's state. This mechanism is the Session. A typical scenario is a shopping cart: when you click the order button, HTTP being stateless means the server does not know which user is acting. The server therefore creates a specific Session for each user, which is used to identify and track that user, so that it knows how many books are in the shopping cart. The Session is stored on the server and has a unique identifier. There are many ways to store Sessions on the server, including memory, a database, and files. In a cluster you also have to consider Session transfer. Large websites usually have dedicated Session server clusters to hold user sessions; in that case the Session information is kept in memory, using caching services such as Memcached.

  • How, then, does the server recognize a specific client? This is where the Cookie comes in. With every HTTP request, the client sends the corresponding cookie information to the server. In fact, most applications use cookies to implement Session tracking. When a Session is first created, the server tells the client over HTTP that a Session ID needs to be recorded in a Cookie. On later requests the client sends this Session ID to the server, and the server knows who you are. What if the client's browser disables cookies? In that case a technique called URL rewriting is generally used for session tracking: on every HTTP interaction a parameter such as sid=xxxxx is appended to the URL, and the server identifies the user from it.

  • Cookies can also be used to make things more convenient for users. Suppose you have logged in to a website once and do not want to type your account name again the next time you log in. What can you do? This information can be written into a Cookie. When you visit the website, the page's script can read this information and fill in the user name for you automatically. This is also the origin of the name cookie: giving users a little sweetness. To summarize: a Session is a data structure saved on the server to track the user's state, and it can be stored in clusters, databases, and files; a Cookie is a mechanism by which the client saves user information, and it is also one way to implement Sessions.

 

55. Tell me about the working principle of session?

 

In fact, a session is a file similar to a hash table stored on the server. It contains the information we need, which can be taken out when we need it. Similar to a large map, the key inside stores the user's sessionid, and the user will bring this sessionid when sending a request to the server. At this time, the corresponding value can be extracted from it.

 

56. Can the session be used if the client prohibits cookies?

 

Cookie and Session are generally considered to be two independent things. Session uses a solution to maintain state on the server side, while Cookie uses a solution to maintain state on the client side. But why can't I get Session if I disable cookies? Because Session uses Session ID to determine the server Session corresponding to the current session, and Session ID is passed through Cookie, disabling Cookie is equivalent to losing Session ID, so Session will not be obtained.

 

Assuming that the user uses Session when cookies are turned off, there are several ways to implement it:

 

  1. Set "session.use_trans_sid = 1" in the php.ini configuration file, or turn on the "--enable-trans-sid" option when compiling to let PHP automatically pass the Session ID across pages.

  2. Manually pass the value through the URL, or pass the Session ID through a hidden form field.

  3. Save the Session ID in the form of a file, database, etc., and call it manually during the cross-page process.

 

57. What is the difference between spring mvc and struts?

 

  • Difference in interception mechanism

 

Struts2 intercepts at the class level. Each request creates an Action. When integrated with Spring, Struts2's Action bean is injected with prototype scope, and the request data is then injected into its properties through setters and getters. In Struts2 an Action corresponds to one request and response context. Parameters can be received through properties, which means the property parameters are shared by multiple methods. An Action method in Struts2 can correspond to a URL, but the class properties are shared by all methods, so there is no way to use annotations or similar means to mark which method a property belongs to; the Action can only be designed as multi-instance.

  

SpringMVC intercepts at the method level. A method corresponds to one request context, so methods are essentially independent and each has its own request and response data. Each method also corresponds to a URL, and parameters are injected directly into the method and are private to it. The processing result is returned to the framework through ModelMap. When integrated with Spring, a SpringMVC Controller bean is a singleton by default, so by default only one Controller is created for all requests. It should have no shared properties, so it is thread-safe. To change the default scope, add the @Scope annotation.

  

Struts2 has its own Interceptor mechanism, while SpringMVC uses an independent AOP approach, so Struts2 still needs more configuration files than SpringMVC.

 

  • The difference in the underlying framework

  

Struts2 is implemented with a Filter (StrutsPrepareAndExecuteFilter), and SpringMVC with a Servlet (DispatcherServlet). A Filter is initialized once the container starts and is destroyed after the service stops, later than a Servlet. A Servlet is initialized when it is called, before the Filter is called, and is destroyed after the service stops.

 

  • Performance aspect

 

Struts2 intercepts at the class level: each request gets a new Action instance, and all property values have to be injected again. SpringMVC achieves zero configuration, and because it intercepts at the method level, the singleton bean is injected once when it is loaded. SpringMVC's development efficiency and performance are therefore higher than Struts2's.

 

  • Configuration aspect

  

Spring MVC and Spring integrate seamlessly. The manageability and security of such a project are also higher than with Struts2.

How about it? Did you answer them all yourself?

58. How to avoid sql injection?

 

  1. PreparedStatement (a simple and effective method)

  2. Use regular expressions to filter incoming parameters

  3. String filtering

  4. Call this function in JSP to check whether illegal characters are included

  5. JSP page judgment code

 

59. What is XSS attack and how to avoid it?

An XSS attack is also abbreviated CSS; its full name is Cross Site Scripting. The principle is that an attacker enters malicious HTML code into a website that has an XSS vulnerability. When a user browses the website, this HTML code is executed automatically, achieving the purpose of the attack. XSS attacks are similar to SQL injection attacks: in SQL injection, SQL statements are supplied as user input to query, modify or delete data; in XSS, malicious scripts are inserted to control the user's browser and obtain some information about the user. XSS is a common vulnerability in Web programs, and it is a passive attack method used on the client side.

 

The general idea of XSS prevention is to filter the input (and URL parameters) and encode the output.

 

60. What is a CSRF attack and how to avoid it?

 

CSRF (cross-site request forgery) is also called a one-click attack or session riding. Put simply, the attacker forges a request from the user's browser and sends it to a website the user is already authenticated to, so that the target website receives it, mistakes it for a genuine operation by the user, and executes the command. It is often used to steal accounts, transfer funds, send false messages, and so on. Attackers exploit weaknesses in the website's request verification to carry out this attack: the website can confirm that the request came from the user's browser, but cannot verify that the request reflects the user's real intention.

 

How to avoid:

 

1. Verify the HTTP Referer field

 

The Referer field in the HTTP header records the source address of the HTTP request. Under normal circumstances, a request to access a security-restricted page comes from the same website, and a hacker who wants to carry out a CSRF attack against it can generally only construct the request on his own website. Therefore, CSRF attacks can be defended against by verifying the Referer value.

 

2. Use verification code

 

A verification code is added to the key operation page, and CSRF can be prevented by judging the verification code after receiving the request in the background. But this method is not user friendly.

 

3. Add the token to the request address and verify

 

A CSRF attack succeeds because the hacker can completely forge the user's request. All of the user's authentication information in the request lives in the cookie, so the hacker can pass the security check by using the user's own cookie directly, without knowing the authentication information. To resist CSRF, the key is to put information in the request that hackers cannot forge and that does not exist in the cookie. You can add a randomly generated token to the HTTP request as a parameter, and set up an interceptor on the server to verify the token. If the request has no token, or the token's content is incorrect, the request may be a CSRF attack and is rejected. This method is safer than checking the Referer. The token can be generated and placed in the session after the user logs in; on every request the token is then taken out of the session and compared with the token in the request. The difficulty of this method is how to add the token to the request as a parameter.
For GET requests, the token will be appended to the request address, so the URL becomes http://url?csrftoken=tokenvalue.
For POST requests, add <input type="hidden" name="csrftoken" value="tokenvalue"/> at the end of the form, so that the token is added to the request as a parameter.

 

4. Customize the attributes in the HTTP header and verify

 

This method also uses tokens and performs verification. The difference from the previous method is that instead of putting the token in the HTTP request as a parameter, it puts it in a custom attribute in the HTTP header. Through the XMLHttpRequest class, you can add the HTTP header attribute csrftoken to all requests of this type at one time, and put the token value in it. This solves the inconvenience of adding the token to the request in the previous method. At the same time, the address requested through XMLHttpRequest will not be recorded in the browser's address bar, and there is no need to worry about the token being leaked to other websites through Referer.
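The server-side check behind methods 3 and 4, as an added example that is not part of the original post. A plain `Map` stands in for the servlet session so the class runs with the JDK alone; the class and method names are hypothetical, and `csrftoken` is the name used in the text above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfTokenCheck {
    static final String KEY = "csrftoken"; // parameter/header name from the text
    private static final SecureRandom RNG = new SecureRandom();

    // After login: create an unpredictable token and keep it in the session.
    static String issue(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(KEY, token);
        return token;
    }

    // In the interceptor: accept the token from the custom header (method 4)
    // or from the request parameter (method 3) and compare with the session copy.
    static boolean verify(Map<String, Object> session, String header, String param) {
        Object expected = session.get(KEY);
        String supplied = header != null ? header : param;
        if (!(expected instanceof String) || supplied == null) {
            return false; // no token issued, or none sent: reject
        }
        // Constant-time comparison, so timing does not reveal a partial match.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession
        String token = issue(session);
        System.out.println("hidden form field: " + verify(session, null, token));
        System.out.println("custom header:     " + verify(session, token, null));
        System.out.println("token missing:     " + verify(session, null, null));
        System.out.println("wrong token:       " + verify(session, "guess", null));
        System.out.println("no session token:  " + verify(new HashMap<>(), token, null));
    }
}
```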

In closing

That is all for these interview questions; I hope they are helpful to everyone.

Finally, I want to say something to you. I have worked for many years and have interviewed people on behalf of others. Whether from the perspective of an interviewer or a team lead, besides interview skills and experience, strong technical skills and project experience are also a candidate's trump cards and source of confidence.

It took me a long time to sort out some learning materials, and what I posted above is only the tip of the iceberg. I hope it helps you!

I will share more practical articles in the future and hope they really help you. Your support is my biggest motivation!


Origin blog.csdn.net/weixin_50333534/article/details/108754064