Java basic interview questions and answers (five)

Java Web

64. What is the difference between JSP and Servlet?

  1. A JSP is compiled into a Servlet. (A JSP is essentially a Servlet: the JVM can only load Java classes, not JSP code, so the Web container translates the JSP code into a Java class that the JVM can recognize.)

  2. JSP is better at page presentation; Servlet is better at control logic.

  3. A Servlet has no built-in objects; the built-in objects of a JSP must all be obtained through the HttpServletRequest, HttpServletResponse and HttpServlet objects.

  4. JSP is a simplified Servlet: with JSP the programmer only needs to write the content to be output to the client, and how the Java code embedded in the JSP is turned into a class is handled by the JSP container. A Servlet is a complete Java class whose service method generates the response to the client.

65. Which built-in objects does JSP have? What are their roles?

JSP has nine built-in objects:

  • request: encapsulates the client's request, including the parameters from a GET or POST request;

  • response: encapsulates the server's response to the client;

  • pageContext: the other objects can be obtained through this object;

  • session: encapsulates the user's session;

  • application: encapsulates the server's runtime environment;

  • out: the output stream used to write output into the server's response;

  • config: the configuration object of the Web application;

  • page: the JSP page itself (equivalent to `this` in a Java program);

  • exception: encapsulates the exception thrown by the page.


66. Talk about the four scopes in JSP.

The four scopes in JSP are page, request, session and application. Specifically:

  • page represents the objects and attributes related to a single page.

  • request represents the objects and attributes related to a single request issued by the Web client. A request may span multiple pages and involve multiple Web components; temporary data needed to display a page can be placed in this scope.

  • session represents the objects and attributes related to the session a user has established with the server. Data associated with a user should be placed in that user's own session.

  • application represents the objects and attributes related to the entire Web application; it is essentially a global scope that spans the whole Web application, including multiple pages, requests and sessions.


67. What is the difference between session and cookie?

  • Because HTTP is a stateless protocol, a server that needs to record a user's state needs some mechanism to identify a specific user; this mechanism is the Session. A typical scenario is a shopping cart: when you click the checkout button, HTTP being stateless, the server does not know which user performed the action, so it creates a specific Session for that specific user, which is used to identify and track the user, so that it knows how many books are in the cart. The Session is stored on the server side and has a unique identifier. There are many ways a server can store Sessions: memory, database, file. In a cluster the transfer of Sessions must also be considered; large sites usually have a dedicated Session server cluster to hold user Sessions, in which case the Session information is kept in memory, using a caching service such as Memcached to store the Sessions.

  • How does the server side identify a specific client? This is where the Cookie comes in. On every HTTP request the client sends the corresponding Cookie information to the server. In fact most applications use Cookies to implement Session tracking: when the Session is first created, the server tells the client through the HTTP protocol that it needs to record a Session ID in a Cookie; on every subsequent request the client sends this Session ID to the server, and the server knows who you are. What if the client browser has disabled Cookies? In that case URL rewriting is usually used for session tracking: on every HTTP interaction a parameter such as sid=xxxxx is appended to the URL, and the server identifies the user from it.

  • Cookies can also be used in some user-friendly scenarios. Imagine you once logged into a website and next time you do not want to enter your account again. This information can be written into a Cookie; when you visit the site, the page script can read it and fill in the username for you automatically, which is convenient for the user. This is also the origin of the name Cookie: a little sweetness for the user. To sum up: a Session is a data structure stored on the server that is used to track a user's state; this data can be stored in a cluster, a database or a file. A Cookie is a mechanism for saving user information on the client, used to record some information about the user, and it is also one way of implementing Sessions.

68. Talk about how a session works.

A session is essentially something like a hash table stored as a file on the server. It holds the information we need, which we can take out when needed. It is similar to a large map whose keys are the users' SessionIDs; when a user sends a request to the server, the request carries this sessionid, and the server uses it to retrieve the corresponding value.

69. If the client disables cookies, can the session still work?

Cookie and Session are generally considered two separate things: the Session is used to maintain state on the server side, and the Cookie is used to hold state in the client program. So why can the Session not be obtained once Cookies are disabled? Because the server determines which Session corresponds to the current dialogue by its Session ID, and the Session ID is passed through the Cookie; disabling Cookies is equivalent to losing the Session ID, so the Session cannot be found.

Assuming the user has disabled Cookies, the ways to keep using the Session are as follows:

  1. Set "session.use_trans_sid = 1" in the php.ini configuration file, or enable the "--enable-trans-sid" option at compile time, so that PHP passes the Session ID across pages automatically.

  2. Pass the Session ID manually through URL parameters or hidden form fields.

  3. Save the Session ID in a file, a database, etc., and invoke it manually during page transitions.
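The Servlet-API counterpart of the mechanism described in questions 67 to 69, as an added example that is not part of the original post: the container issues the session ID in a JSESSIONID cookie, and `response.encodeURL()` falls back to URL rewriting (appending `;jsessionid=...`) only when the cookie has not come back. The servlet name and the `/cart` path are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/cart")   // hypothetical path chosen for this example
public class CartServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession() creates the server-side session on the first call and makes
        // the container send its ID to the client as a JSESSIONID cookie.
        HttpSession session = request.getSession();
        Integer count = (Integer) session.getAttribute("bookCount");
        count = (count == null) ? 1 : count + 1;
        session.setAttribute("bookCount", count);

        // How did the client hand back its session ID on this request?
        String how = request.isRequestedSessionIdFromCookie() ? "cookie"
                   : request.isRequestedSessionIdFromURL()    ? "URL rewriting"
                   : "none (new session)";

        // encodeURL() appends ";jsessionid=..." only while the container has not
        // seen the session cookie returned, i.e. cookies appear to be disabled.
        // A session ID in the URL can leak through Referer headers and access logs,
        // so cookies remain the preferred transport.
        String nextLink = response.encodeURL(request.getContextPath() + "/cart");

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<p>Books in cart: " + count + "</p>");
        out.println("<p>Session ID received via: " + how + "</p>");
        out.println("<a href=\"" + nextLink + "\">Add another</a>");
    }
}
```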


70. What is the difference between Spring MVC and Struts?

  • Different interception mechanisms

Struts2 uses class-level interceptors: an Action is created for each request. When Struts2 is integrated with Spring, the ActionBean is injected with prototype scope, and request data is then injected into its properties through setters and getters. In Struts2 one Action corresponds to one request/response context; parameters are received as attributes of the Action, which means those attributes are shared by all of its methods. A method of a Struts2 Action can correspond to a URL, but since all methods share the class attributes, individual methods cannot be distinguished by annotations or other means, and the Action can only be designed as a prototype (multi-instance) bean.

Spring MVC intercepts at the method level: one method corresponds to one request context, and methods are basically independent, each with its own request and response data. Each method corresponds to a URL, and request parameters are injected directly into the method's parameters, which are unique to that method. The processing result is returned to the framework through a ModelMap. When integrated with Spring, the Spring MVC Controller bean is a Singleton by default, so only one Controller is created for all requests; it should not hold shared mutable properties, and then it is thread-safe. To change the default scope, the @Scope annotation must be added.

Struts2 has its own Interceptor mechanism, while Spring MVC uses a separate AOP approach; as a result the configuration files of Struts2 are larger than those of Spring MVC.

  • Different underlying frameworks

Struts2 is implemented with a Filter (StrutsPrepareAndExecuteFilter), Spring MVC with a Servlet (DispatcherServlet). A Filter is initialized as soon as the container starts and is destroyed after the service stops, later than a Servlet. A Servlet is initialized when it is called, is invoked before the Filter, and is destroyed after the service stops.

  • Performance

Struts2 intercepts at the class level, creating a new Action instance for each request and injecting all attribute values. Spring MVC achieves zero configuration because it intercepts at the method level and injects beans in singleton mode. Therefore Spring MVC's development efficiency and performance are higher than Struts2's.

  • Configuration

Spring MVC integrates seamlessly with Spring, so the manageability and security of such a project are higher than with Struts2.

71. How to avoid SQL injection?

  1. Use PreparedStatement (simple and effective method)

  2. Use regular expressions to filter incoming parameters

  3. String filtering

  4. Call a function in the JSP that checks whether the request parameters contain illegal characters

  5. Add checking code in the JSP page
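Method 1 beside the defect it fixes, as an added JDBC example that is not part of the original post: the same lookup written with string concatenation and with PreparedStatement, plus a whitelist for an ORDER BY column, the one case where the page's "filter incoming parameters" advice applies because identifiers cannot be bound with `?`. The `users` table and its columns are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class UserDao {
    private final Connection conn;

    public UserDao(Connection conn) { this.conn = conn; }

    // VULNERABLE: the caller-supplied name is pasted into the SQL text, so the
    // input is parsed as SQL and can change the structure of the statement.
    public long findIdUnsafe(String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getLong("id") : -1L;
        }
    }

    // SAFE: PreparedStatement sends the SQL text and the values separately; the
    // driver binds the value as data, so it can never become part of the SQL.
    public long findIdSafe(String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong("id") : -1L;
            }
        }
    }

    // Identifiers (column names, ORDER BY targets) cannot be bound with '?'.
    // Instead of escaping, accept only values from a fixed whitelist (hypothetical
    // columns) and reject everything else before it reaches the SQL text.
    private static final Set<String> SORT_COLUMNS = Set.of("name", "created_at");

    public PreparedStatement listUsersSortedBy(String column) throws SQLException {
        if (!SORT_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column: " + column);
        }
        return conn.prepareStatement("SELECT id, name FROM users ORDER BY " + column);
    }
}
```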


72. What is an XSS attack, and how to avoid it?

XSS, also called CSS, stands for Cross Site Script (cross-site scripting attack). The principle is that a malicious attacker enters HTML code into a website that has an XSS vulnerability; when a user visits the site, this HTML code is executed automatically, achieving the attacker's purpose. XSS attacks are similar to SQL injection attacks: SQL injection uses SQL statements as user input to query, modify or delete data, while XSS inserts malicious scripts to gain control of the user's browser and obtain some of the user's information. XSS is a common Web application vulnerability; it is passive and is used to attack the client.

The general idea for preventing XSS is to filter input (parameters and URL) and encode output.
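The "encode output" half of that advice in servlet code, as an added example that is not part of the original post: a small HTML encoder applied at the point where a request parameter is written back into the page, with the unencoded version shown for contrast. The servlet name, the `/search` path and the `q` parameter are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/search")   // hypothetical path chosen for this example
public class SearchServlet extends HttpServlet {

    // Output encoding for the HTML text and attribute contexts: the five characters
    // that can open a tag, close an attribute or start an entity are replaced by
    // entities, so whatever the user typed is displayed literally, not executed.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String q = request.getParameter("q");
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // VULNERABLE (reflected XSS): the raw parameter becomes part of the page,
        // so markup contained in q is interpreted by the visitor's browser.
        // out.println("<p>Results for: " + q + "</p>");

        // SAFE: encode at the point of output, in both the text context and the
        // attribute context where the value is reused.
        String safe = escapeHtml(q);
        out.println("<p>Results for: " + safe + "</p>");
        out.println("<input type=\"text\" name=\"q\" value=\"" + safe + "\">");
    }
}
```

In a JSP the same encoding is done by `<c:out value="${param.q}"/>` or `fn:escapeXml()`, which escape the same characters by default.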


73. What is a CSRF attack, and how to avoid it?

CSRF (Cross-site request forgery) is also known as one-click attack or session riding. In general, the attacker forges a request from the browser of a user who has already been authenticated to the Web site the user is visiting; the target site receives the request, mistakes it for a genuine operation by the user, and executes the command. It is used to steal accounts, transfer money, send false messages, and so on. The attacker exploits a flaw in the site's request verification to carry out such an attack: the site can confirm that the request comes from the user's browser, but cannot verify whether the request reflects the user's true intent.

How to avoid:

1. Verify the HTTP Referer field

The Referer field of the HTTP header records the source address of the HTTP request. Under normal circumstances a request to a restricted, security-sensitive page comes from the same site, whereas a hacker who wants to carry out a CSRF attack can generally only construct the request on his own site. Therefore the Referer value can be verified to defend against CSRF attacks.

2. Use a verification code

Add a verification code to the pages of key operations; after receiving the request, the backend can use the verification code to decide whether to defend against CSRF. However, this approach is not very user-friendly.

3. Add a token to the request address and verify it

CSRF attacks succeed because the hacker can forge the user's request entirely: all of the user's authentication information in the request is present in the cookie, so the hacker can pass the security validation by letting the user's own cookie be sent, without knowing the authentication information. To resist CSRF, the key is to put information the hacker cannot forge into the request, and that information must not be present in the cookie. A randomly generated token can be added as a parameter to the HTTP request, and an interceptor set up on the server side to verify it; if the request carries no token or the token is incorrect, it is treated as a possible CSRF attack and rejected. This method is safer than the Referer check: the token can be generated and placed in the session after the user logs in, and then on each request the token in the session is compared with the token in the request. The difficulty of this method is how to add the token to the request as a parameter.
For a GET request, the token is appended to the request address, so the URL becomes http://url?csrftoken=tokenvalue.
For a POST request, add <input type="hidden" name="csrftoken" value="tokenvalue" /> at the end of the form, so that the token is added to the request as a parameter.

4. Add a custom attribute to the HTTP header and verify it

This method also uses a token for verification; the difference from the previous method is that the token is not placed in the HTTP request as a parameter but in a custom attribute of the HTTP header. Through the XMLHttpRequest class, a csrftoken attribute carrying the token value can be added to the HTTP headers of all requests made through that class at once. This removes the inconvenience of adding the token to the request in the previous method, and at the same time an address requested through XMLHttpRequest is not recorded in the browser's address bar, so there is no need to worry about the token leaking to other sites through the Referer.
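Methods 3 and 4 as one server-side interceptor, added here as an example that is not part of the original post: the token is created after login and kept in the session, and a Filter rejects state-changing requests whose `csrftoken` parameter or `csrftoken` header does not match it, using a constant-time comparison. It assumes the Servlet API 4.0 or later (for the default `init`/`destroy` of `Filter`); the class name and the `/*` mapping are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/*")   // hypothetical mapping; a real app exempts the login request
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_NAME = "csrftoken";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Call once after login. The token lives only in the session (server side),
    // never in a cookie, so the browser will not attach it to a forged request.
    static String issueToken(HttpSession session) {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        session.setAttribute(TOKEN_NAME, token);
        return token;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod();

        // Only state-changing requests are checked; GET must stay side-effect free.
        if (method.equals("POST") || method.equals("PUT") || method.equals("DELETE")) {
            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_NAME);
            // Method 4 sends the token in a custom header (set via XMLHttpRequest);
            // method 3 sends it as a hidden form field or URL parameter.
            String supplied = request.getHeader(TOKEN_NAME);
            if (supplied == null) supplied = request.getParameter(TOKEN_NAME);
            // MessageDigest.isEqual compares in constant time, so timing does not
            // reveal how many leading bytes of a guessed token were correct.
            if (expected == null || supplied == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    supplied.getBytes(StandardCharsets.UTF_8))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```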


Source: www.cnblogs.com/donleo123/p/11621044.html