Security Vocabulary
Authentication proves who the user or client is. Authorization decides what that identity is allowed to access. Confidentiality protects data from unauthorized readers. Integrity protects data from unauthorized modification.
Java Security APIs
| API | Purpose |
|---|---|
| JAAS | Authentication and authorization services |
| JCE | Cryptography, encryption, keys |
| JSSE | SSL/TLS secure socket communication |
| JGSS | Secure token-based message exchange |
| SASL | Authentication protocol framework |
Web Security Constraints
Security constraints define which web resources are protected and which roles can access them. In servlet-based apps this can be configured through deployment descriptors or annotations such as @ServletSecurity.
Interview Framing
Security is layered: validate input, authenticate requests, authorize actions, encrypt sensitive traffic, store secrets safely, log important events, and avoid leaking implementation details in errors.
Interview Scenario Practice
Scenario 1: Logged In But Cannot Access
Scenario: A user is logged in but cannot open a manager-only report.
Strong answer: Authentication has succeeded, but authorization has failed. The server should check roles or permissions and return 403 Forbidden if access is not allowed.
Why it works: Authentication answers who the user is; authorization answers what that user can do.
Common mistake: Treating login as enough permission for every resource.
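The security constraint from the section above and the authentication-versus-authorization decision of Scenario 1, written out as one servlet. This is an added example, not code from the original notes: the `jakarta.servlet` package is assumed (older containers use `javax.servlet` with the same annotation names), and the `/reports/manager` path, the `manager` role and the class name are invented for the illustration.

```java
import java.io.IOException;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.HttpMethodConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Declarative constraint: the container rejects unauthenticated callers (401) and
// authenticated callers who lack the "manager" role (403) before doGet ever runs.
// CONFIDENTIAL additionally forces the request onto HTTPS.
@WebServlet("/reports/manager")
@ServletSecurity(
    value = @HttpConstraint(
        rolesAllowed = "manager",
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // Hypothetical rule for the example: nobody may POST here, whatever their role.
        @HttpMethodConstraint(
            value = "POST",
            emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.DENY)
    })
public class ManagerReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic authorization: the same decision the annotation makes, spelled
        // out so the intent is visible and so the servlet stays protected if it is
        // ever mapped without the declarative constraint.
        if (req.getUserPrincipal() == null) {
            // Nobody is logged in: 401 tells the client to authenticate.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole("manager")) {
            // Logged in but not permitted: 403, with no hint about what the report holds.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("manager report for " + req.getUserPrincipal().getName());
    }
}
```

The two status codes are the interview point: 401 means "I do not know who you are" (authentication), 403 means "I know who you are and the answer is no" (authorization). Returning 401 to a logged-in user, or 404 to hide the report, confuses clients and makes access problems harder to diagnose from logs.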
Scenario 2: Sensitive Data Over HTTP
Scenario: A login API sends credentials over plain HTTP.
Strong answer: Use HTTPS/TLS through JSSE or platform TLS support so credentials and tokens are encrypted in transit.
Why it works: TLS protects confidentiality and integrity between client and server.
Common mistake: Hashing a password on the client and assuming plain HTTP is then safe.
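What "use JSSE or platform TLS support" looks like on the client side, as an added example that is not part of the original notes. It uses the JDK's own `javax.net.ssl` (JSSE) and `java.net.http.HttpClient` classes; the login URL, field names and credentials are invented placeholders. Nothing here disables certificate validation, which is the usual way such code goes wrong.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public final class TlsLoginClient {

    // JSSE configuration: the default SSLContext trusts the JDK CA store and validates
    // the server's certificate chain. We restrict it to current protocol versions and
    // turn on hostname verification explicitly.
    static SSLParameters strictTlsParameters() throws NoSuchAlgorithmException {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        // "HTTPS" makes JSSE compare the certificate's subject alt names to the host we dial.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    static HttpClient newClient() throws NoSuchAlgorithmException {
        return HttpClient.newBuilder()
                .sslContext(SSLContext.getDefault())
                .sslParameters(strictTlsParameters())
                // A redirect must never be allowed to move the credential to http://.
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();
    }

    // Send the credential only to an https:// endpoint; refuse anything else up front.
    static HttpResponse<String> login(HttpClient client, URI loginEndpoint,
                                      String user, char[] password)
            throws IOException, InterruptedException {
        if (!"https".equalsIgnoreCase(loginEndpoint.getScheme())) {
            throw new IllegalArgumentException(
                "credentials may only be sent over HTTPS, refusing " + loginEndpoint);
        }
        try {
            String body = "username=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
                        + "&password=" + URLEncoder.encode(new String(password), StandardCharsets.UTF_8);
            HttpRequest request = HttpRequest.newBuilder(loginEndpoint)
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .POST(HttpRequest.BodyPublishers.ofString(body))
                    .build();
            return client.send(request, HttpResponse.BodyHandlers.ofString());
        } finally {
            // Best effort: clear the caller's copy once the request has been sent.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint for the example; it does not exist.
        URI endpoint = URI.create("https://login.example.invalid/api/login");
        HttpResponse<String> resp = login(newClient(), endpoint, "alice", "correct horse".toCharArray());
        System.out.println("status " + resp.statusCode());
    }
}
```

The scheme check and `Redirect.NEVER` are the parts that address the scenario directly: the password is encrypted only if the socket is TLS, and a client that follows a redirect to a plain-HTTP URL would send it in the clear anyway. Hashing on the client (the common mistake above) changes nothing here, because the hash itself becomes the credential the attacker replays.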
Scenario 3: Secrets in Source Code
Scenario: An API key is committed into a repository.
Strong answer: Rotate the leaked key, remove it from code, store secrets in a secure configuration system, and audit usage.
Why it works: Once a secret is committed, assume it may be exposed.
Common mistake: Only deleting the line in the latest commit without rotating the key.
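The "store secrets in a secure configuration system" half of the strong answer, plus a small check that finds string-literal secrets before they reach a commit. This is an added example, not code from the original notes: the `REPORTS_API_KEY` variable name, the `rk_live_` prefix and the sample source lines are constructed for the illustration, and the scanner's patterns are deliberately simple.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical loader: the key comes from the process environment (or whatever map a
// secrets manager injects), never from a literal in source.
public final class SecretConfig {
    private final char[] apiKey;

    private SecretConfig(char[] apiKey) { this.apiKey = apiKey; }

    public static SecretConfig fromEnv() {
        return fromMap(System.getenv(), "REPORTS_API_KEY");
    }

    // Fail fast: a missing secret is a deployment error, not something to paper over
    // with a default value baked into the code.
    static SecretConfig fromMap(Map<String, String> source, String name) {
        String value = source.get(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("secret " + name + " is not configured");
        }
        return new SecretConfig(value.toCharArray());
    }

    // Hand the key out only as a fresh copy the caller is responsible for wiping.
    public char[] apiKey() { return apiKey.clone(); }

    public void wipe() { Arrays.fill(apiKey, '\0'); }

    // Keep secrets out of logs and error messages: show a short prefix at most.
    @Override public String toString() {
        int keep = Math.min(4, apiKey.length);
        return "SecretConfig[apiKey=" + new String(apiKey, 0, keep) + "****]";
    }

    // Pre-commit style check: flag assignments of a long quoted literal to a name that
    // looks like a credential. Coarse on purpose; a real scanner adds entropy checks
    // and provider-specific key formats.
    private static final Pattern HARDCODED = Pattern.compile(
        "(?i)(api[_-]?key|secret|password|token)\\s*=\\s*\"[^\"]{8,}\"");

    static List<String> findHardcodedSecrets(List<String> sourceLines) {
        List<String> hits = new ArrayList<>();
        for (int i = 0; i < sourceLines.size(); i++) {
            if (HARDCODED.matcher(sourceLines.get(i)).find()) {
                hits.add("line " + (i + 1) + ": possible hard-coded secret");
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the environment so the example runs offline.
        Map<String, String> env = Map.of("REPORTS_API_KEY", "rk_live_constructedexamplevalue");
        SecretConfig cfg = fromMap(env, "REPORTS_API_KEY");
        System.out.println(cfg);   // masked, never the full key
        cfg.wipe();

        // Constructed source lines: the second one is what should never be committed.
        List<String> source = List.of(
            "String apiKey = System.getenv(\"REPORTS_API_KEY\");",
            "String apiKey = \"rk_live_constructedexamplevalue\";",
            "int retries = 3;");
        findHardcodedSecrets(source).forEach(System.out::println);
    }
}
```

The scanner only catches the obvious case; its job is to stop the commit, not to replace rotation. Once a key has been pushed, the history still contains it, so the order in the strong answer stands: rotate first, then clean up the code and check who used the old key.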