Java Backend Interview Prep


7. Java Security and Web Application Security

Review authentication, authorization, web security constraints, and Java security APIs.

2. Backend Architecture & Data
May 29, 2026

Security Vocabulary

Authentication proves who the user or client is. Authorization decides what that identity is allowed to access. Confidentiality protects data from unauthorized readers. Integrity protects data from unauthorized modification.

Java Security APIs

API     Purpose
JAAS    Java Authentication and Authorization Service: pluggable LoginModules that authenticate a Subject, plus Principal-based access control
JCE     Java Cryptography Extension: ciphers, MACs, message digests, key generation, key agreement and key stores
JSSE    Java Secure Socket Extension: SSL/TLS via SSLContext, SSLSocket and SSLEngine
JGSS    Java GSS-API: Kerberos-based authentication and per-message integrity/confidentiality negotiated through security-context token exchange
SASL    Simple Authentication and Security Layer: framework of pluggable challenge/response mechanisms for connection-oriented protocols (LDAP, for example)

Web Security Constraints

Security constraints define which URL patterns and HTTP methods are protected, which roles may access them, and whether the transport must be confidential (TLS). In servlet-based apps they are declared either in the deployment descriptor (a <security-constraint> element in web.xml, with <auth-constraint> and <user-data-constraint>) or with annotations such as @ServletSecurity, @HttpConstraint and @HttpMethodConstraint on the servlet class. One caveat to raise in an interview: a constraint that lists only GET and POST leaves other methods (HEAD, PUT, DELETE, arbitrary verbs) uncovered unless the default constraint denies them or web.xml sets <deny-uncovered-http-methods/>.

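As an added example (not from the page), the annotation form of a constraint that protects a manager-only report: only GET is permitted, only for the "manager" role, only over TLS, and every other HTTP method is denied outright so that nothing is left uncovered. It assumes a Jakarta EE 9+ servlet container (Tomcat 10, Jetty 11 or similar) with a realm that assigns the "manager" role; the path and role name are assumptions for illustration.

```java
import java.io.IOException;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.HttpMethodConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.ServletSecurity.TransportGuarantee;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Added example: declarative protection of a manager-only report endpoint.
@WebServlet("/reports/manager")
@ServletSecurity(
    // Default constraint for any method not listed below: deny everyone.
    // This is what closes the "uncovered HTTP methods" hole.
    value = @HttpConstraint(value = ServletSecurity.EmptyRoleSemantic.DENY,
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // GET is allowed only for the "manager" role and only over TLS.
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"manager"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class ManagerReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time doGet runs, the container has authenticated the caller and
        // checked the role: an unauthenticated caller is challenged or redirected to
        // login, an authenticated non-manager gets 403. The re-check below is
        // defence in depth in case the constraint is ever loosened or misconfigured.
        if (!req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Manager report for " + req.getUserPrincipal().getName());
    }
}
```

The descriptor equivalent is a <security-constraint> with a <web-resource-collection> for the URL pattern, an <auth-constraint> naming the role, and a <user-data-constraint> of CONFIDENTIAL; annotations and web.xml can be mixed, with web.xml taking precedence.
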
Interview Framing

Security is layered: validate input, authenticate requests, authorize actions, encrypt sensitive traffic, store secrets safely, log important events, and avoid leaking implementation details in errors.

Interview Scenario Practice

Scenario 1: Logged In But Cannot Access

Scenario: A user is logged in but cannot open a manager-only report.

Strong answer: Authentication has succeeded, but authorization has failed. The server should check the user's roles or permissions on every request to the resource, not only at login, and return 403 Forbidden when the identity is known but not permitted (401 Unauthorized is for a request with no valid credentials). The denial should be logged with the user and resource, and the response body should not reveal which role or check was missing.

Why it works: Authentication answers who the user is; authorization answers what that user can do.

Common mistake: Treating login as enough permission for every resource.

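As an added example (not from the page) for the layered model above and for Scenario 1, the following plain-Java check keeps the three outcomes distinct: no identity (401), an identity without the role (403), and an allowed request (200). It also shows the two different messages a denial produces, a generic one for the client and a detailed one for the audit log. It assumes Java 17+; users, roles and the resource path are constructed for illustration.

```java
import java.util.Set;

// Added example: separating "who are you" (401) from "what may you do" (403).
public final class AccessCheck {
    // Minimal stand-in for an authenticated session; a real app would take this
    // from the container, a JWT, or a session store.
    record Session(String user, Set<String> roles) {}

    enum Decision { ALLOW, UNAUTHENTICATED, FORBIDDEN }

    // Authorization is evaluated per request against the role the resource requires.
    static Decision decide(Session session, String requiredRole) {
        if (session == null) return Decision.UNAUTHENTICATED;
        if (!session.roles().contains(requiredRole)) return Decision.FORBIDDEN;
        return Decision.ALLOW;
    }

    static int httpStatus(Decision d) {
        return switch (d) {
            case ALLOW -> 200;
            case UNAUTHENTICATED -> 401;
            case FORBIDDEN -> 403;
        };
    }

    // Sent to the client: generic, never names the required role or the failed check.
    static String clientMessage(Decision d) {
        return switch (d) {
            case ALLOW -> "ok";
            case UNAUTHENTICATED -> "authentication required";
            case FORBIDDEN -> "access denied";
        };
    }

    // Written to the audit log instead: enough for an investigation, nothing for an attacker.
    static String auditLine(Session session, String resource, String requiredRole, Decision d) {
        String who = session == null ? "<anonymous>" : session.user();
        return String.format("access user=%s resource=%s required_role=%s decision=%s",
                             who, resource, requiredRole, d);
    }

    static String handle(Session session, String resource, String requiredRole) {
        Decision d = decide(session, requiredRole);
        System.err.println(auditLine(session, resource, requiredRole, d)); // stand-in for a logger
        return httpStatus(d) + " " + clientMessage(d);
    }

    public static void main(String[] args) {
        Session alice = new Session("alice", Set.of("employee"));            // logged in, not a manager
        Session bob = new Session("bob", Set.of("employee", "manager"));     // logged in, manager
        System.out.println(handle(null, "/reports/manager", "manager"));
        System.out.println(handle(alice, "/reports/manager", "manager"));
        System.out.println(handle(bob, "/reports/manager", "manager"));
    }
}
```
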
Scenario 2: Sensitive Data Over HTTP

Scenario: A login API sends credentials over plain HTTP.

Strong answer: Serve the API over HTTPS only (TLS 1.2 or 1.3, through JSSE or the platform's TLS stack), redirect or reject plain-HTTP requests, and send HSTS so browsers never downgrade. The password travels inside the TLS channel and is hashed on the server with a slow hash such as PBKDF2 or bcrypt; the client must also verify the server certificate and hostname so the channel is not merely encrypted but encrypted to the right party.

Why it works: TLS protects confidentiality and integrity between client and server.

Common mistake: Hashing a password on the client and assuming plain HTTP is then safe. Whatever the client sends is what the server accepts, so the hash simply becomes the password: anyone who sniffs it can replay it, and the rest of the session (tokens, cookies, data) is still in the clear.

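An added example (not from the page) of the client side of Scenario 2: a login call built on java.net.http.HttpClient with JSSE parameters that allow only TLS 1.2/1.3, enforce hostname verification against the certificate, and refuse to send credentials to any non-https URL. It assumes Java 11+; the endpoint URL and credentials are constructed for illustration, and the https call is shown commented out because it needs a live server.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: a login client that only ever sends credentials inside TLS.
public final class TlsLoginClient {
    private final HttpClient client;

    TlsLoginClient() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default trust managers: the JDK's CA trust store
        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"}); // no TLS 1.0/1.1
        params.setEndpointIdentificationAlgorithm("HTTPS");        // certificate must match the host
        this.client = HttpClient.newBuilder()
            .sslContext(ctx)
            .sslParameters(params)
            .followRedirects(HttpClient.Redirect.NEVER)   // never follow a redirect to http://
            .connectTimeout(Duration.ofSeconds(5))
            .build();
    }

    // The raw password is sent (inside TLS) and hashed server-side. Hashing it here
    // would only turn the hash into a replayable password-equivalent.
    HttpResponse<String> login(URI endpoint, String user, String password) throws Exception {
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            throw new IllegalArgumentException(
                "refusing to send credentials over " + endpoint.getScheme());
        }
        String body = "username=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
                    + "&password=" + URLEncoder.encode(password, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(endpoint)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
        return client.send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        TlsLoginClient c = new TlsLoginClient();
        try {
            // Constructed plain-HTTP URL: rejected before any bytes leave the process.
            c.login(URI.create("http://login.example.com/api/login"), "alice", "hunter2");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
        // Against a real server this performs a TLS 1.2/1.3 handshake with certificate
        // and hostname verification before the form body is sent:
        // c.login(URI.create("https://login.example.com/api/login"), "alice", "hunter2");
    }
}
```

The scheme check matters even with a correct HttpClient configuration: a URL pasted from config or a redirect can silently point at http://, and TLS settings do nothing for a connection that never attempts TLS.
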
Scenario 3: Secrets in Source Code

Scenario: An API key is committed into a repository.

Strong answer: Rotate the leaked key first (the exposure does not end until the old key is invalid), remove it from the code and from the repository history, load it at runtime from a secrets manager, environment variable or mounted secret file instead, audit logs for use of the old key during the exposure window, and add a pre-commit or CI secret scanner so it does not happen again.

Why it works: Once a secret is committed, assume it may be exposed.

Common mistake: Only deleting the line in the latest commit without rotating the key. The key remains in git history (and in every clone, fork and CI cache that already fetched it), so deleting the line changes nothing for anyone who has the repository.

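As an added example (not from the page) of the "store secrets in a secure configuration system" step, the loader below replaces a hard-coded string literal: it resolves the key from an environment variable, then from a mounted secret file, fails fast if neither is present, and wraps the value in a type whose toString() never prints it, so an accidental log statement cannot leak it. It assumes Java 11+; the variable name and file path are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

// Added example: load an API key from outside the source tree, never from a literal.
public final class ApiKeyLoader {
    // Assumed names: an environment variable and a file as mounted by a container
    // orchestrator's secrets feature.
    private static final String ENV_VAR = "PAYMENTS_API_KEY";
    private static final Path SECRET_FILE = Path.of("/run/secrets/payments_api_key");

    // Holder that redacts itself: logging, string concatenation or a debugger
    // toString() call shows "ApiKey[redacted]", not the key material.
    public static final class ApiKey {
        private final char[] value;
        ApiKey(char[] value) { this.value = value; }
        char[] value() { return value.clone(); }
        @Override public String toString() { return "ApiKey[redacted]"; }
    }

    // Resolution order: environment variable, then secrets file. No default.
    static ApiKey load() throws IOException {
        Optional<String> fromEnv = Optional.ofNullable(System.getenv(ENV_VAR))
                                           .filter(s -> !s.isBlank());
        if (fromEnv.isPresent()) {
            return new ApiKey(fromEnv.get().toCharArray());
        }
        if (Files.isReadable(SECRET_FILE)) {
            String fileValue = Files.readString(SECRET_FILE, StandardCharsets.UTF_8).strip();
            if (!fileValue.isEmpty()) {
                return new ApiKey(fileValue.toCharArray());
            }
        }
        // Fail fast and loudly at startup; never fall back to a built-in key.
        throw new IllegalStateException(
            "no API key configured: set " + ENV_VAR + " or provide " + SECRET_FILE);
    }

    public static void main(String[] args) throws IOException {
        ApiKey key = load();
        System.out.println("loaded " + key);   // prints the redacted form only
    }
}
```

Run it as PAYMENTS_API_KEY=... java ApiKeyLoader; without the variable or the file it exits with the IllegalStateException, which is the intended behaviour. Note that this only prevents the next leak: a key that was already committed still has to be rotated, because git history retains it (git log -p -S'<fragment>' will show every commit that ever contained it).
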