Below I will be sharing some interview questions I came across.
But the answers of these may be correct or may not be. You have to check that once.
Plus the kind of answer will also depends on what your interviewer wants to hear or knows about.
So you are on your own there, if the interviewer doesn't know about your answer & s/he can reject you even though you are right.
Will really be helpful if you can also share your thoughts on this.
But the answers of these may be correct or may not be. You have to check that once.
Plus the kind of answer will also depends on what your interviewer wants to hear or knows about.
So you are on your own there, if the interviewer doesn't know about your answer & s/he can reject you even though you are right.
Will really be helpful if you can also share your thoughts on this.
Interview 1 : This question has been asked in a few interviews with Deutsche Bank, Xoriant,
Sapient like. How you will make your web service secure or how you include
security in your web service?
Answer : Like I say, it depends on what your interviews knows the answer of this or want to
listen. But I think such questions are quiet abstract & the answers of these can
depend on many factors like what kind of security ?.... At what stage you want to
apply?....What kind of resources need to be secured here?....etc.
So further details you have to find by yourself, here I will give just
ideas/suggestions around this.
A) You want to apply simple authentication/authorization around your web service.
For this you can use 'Authorization' header & have one interceptor class to read
those values & will allow further service methods access accordingly or can
return '401' error code for 'Unauthorized'.
B) If your services will majorly be used via browsers then you can use cookies to
store such access information in the browsers & let the browsers send these
cookies back for the same domain.
Such cookie concept depends on how you have configured your cookie & what
protocol you are using.
So having this can help you but you need to test your services around cookies if
it is following all your security & performance parameters.
C) If your project is around Spring framework or Spring is being used then
analysing the features being provided by Spring Security module will be worthy.
D) If you still looking for options then can try for SAML, OAuth or LDAP etc, if any
of these fitting your requirements.
E) If you are looking to protect the data being transmitted from your service then
security requirements take a different turn here. Now you have to think about
various encryption APIs or Algorithms to incorporate in your web service
architecture.
F) If your web services are built around microservices architecture then you may
have to think about all the above options & other options which are not
mentioned. Then only you can decide on which option fits well to your
architecture.
For implementation of authorization concept for each individual service or
operation you can have either properties file for role based access or if you want to
have user based access dynamically then create database & interceptor class
around your service/operation and check if such service/operation is
forbidden for this user. As this access check/verification you are doing at the micro
level, so it is surely going to be bit slower & you can improve it by caching such
access information & pass it across the services/operations during the same
session.
As I said earlier, there is no single direct answer for the issues around security. Millions/billions are spent around security only, so you can't say directly how you will incorporate the security in your application/system. One needs to analyse many factors related to its usage, expectations, requirements, environment, context, tools being used for this, lot of testing etc. then one can come up with the better approach.
Sapient like. How you will make your web service secure or how you include
security in your web service?
Answer : Like I say, it depends on what your interviews knows the answer of this or want to
listen. But I think such questions are quiet abstract & the answers of these can
depend on many factors like what kind of security ?.... At what stage you want to
apply?....What kind of resources need to be secured here?....etc.
So further details you have to find by yourself, here I will give just
ideas/suggestions around this.
A) You want to apply simple authentication/authorization around your web service.
For this you can use 'Authorization' header & have one interceptor class to read
those values & will allow further service methods access accordingly or can
return '401' error code for 'Unauthorized'.
B) If your services will majorly be used via browsers then you can use cookies to
store such access information in the browsers & let the browsers send these
cookies back for the same domain.
Such cookie concept depends on how you have configured your cookie & what
protocol you are using.
So having this can help you but you need to test your services around cookies if
it is following all your security & performance parameters.
C) If your project is around Spring framework or Spring is being used then
analysing the features being provided by Spring Security module will be worthy.
D) If you still looking for options then can try for SAML, OAuth or LDAP etc, if any
of these fitting your requirements.
E) If you are looking to protect the data being transmitted from your service then
security requirements take a different turn here. Now you have to think about
various encryption APIs or Algorithms to incorporate in your web service
architecture.
F) If your web services are built around microservices architecture then you may
have to think about all the above options & other options which are not
mentioned. Then only you can decide on which option fits well to your
architecture.
For implementation of authorization concept for each individual service or
operation you can have either properties file for role based access or if you want to
have user based access dynamically then create database & interceptor class
around your service/operation and check if such service/operation is
forbidden for this user. As this access check/verification you are doing at the micro
level, so it is surely going to be bit slower & you can improve it by caching such
access information & pass it across the services/operations during the same
session.
As I said earlier, there is no single direct answer for the issues around security. Millions/billions are spent around security only, so you can't say directly how you will incorporate the security in your application/system. One needs to analyse many factors related to its usage, expectations, requirements, environment, context, tools being used for this, lot of testing etc. then one can come up with the better approach.
