# What is the difference between JSP and Servlet?
A JSP is compiled into a Servlet. (A JSP is essentially a Servlet: the JVM can only load Java classes, not JSP source, so the Web container translates the JSP into a Java class that the JVM can recognize, compiles it, and runs that class.)
JSP is better suited to page display; Servlet is better suited to logic control.
A Servlet has no built-in objects. The objects that JSP provides as built-ins must be obtained in a Servlet through the HttpServletRequest, HttpServletResponse and HttpServlet objects.
JSP is a simplification of Servlet. With JSP, the programmer only writes the content that must be output to the client; how the Java fragments in the page are embedded into a class is handled by the JSP container. A Servlet is a complete Java class whose service method generates the response to the client.
# What are the built-in objects of JSP, and what is each one for?
JSP has 9 built-in (implicit) objects:
request: encapsulates the client's request, including the parameters of a GET or POST request (HttpServletRequest);
response: encapsulates the server's response to the client (HttpServletResponse);
pageContext: the page context; the other built-in objects can be obtained through it (PageContext);
session: encapsulates the user's session (HttpSession);
application: encapsulates the running environment of the Web application on the server (ServletContext);
out: the output stream that writes the server's response (JspWriter);
config: the configuration object of this JSP page, not of the whole Web application (ServletConfig);
page: the JSP page itself, equivalent to this in Java;
exception: encapsulates the exception thrown by the page; it is only available in pages declared with isErrorPage="true".
# What are the 4 scopes of JSP?
The four scopes in JSP are page, request, session and application:
page: the objects and attributes belonging to a single page; they are discarded when that page finishes.
request: the objects and attributes belonging to one request from the Web client. A request may span multiple pages and involve multiple Web components (for example through a forward); temporary data that only needs to be shown on the page should be placed in this scope.
session: the objects and attributes belonging to the session established between one user and the server. Data that belongs to a user should be placed in that user's own session.
application: the objects and attributes belonging to the whole Web application. It is essentially a global scope that spans every page, request and session of the application, so anything stored here is shared by all users.
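The following servlet is an added example, not code from the original page. It shows where each JSP built-in object comes from when you write the Servlet by hand, and how the request, session and application scopes are just attribute maps with different lifetimes (page scope has no Servlet equivalent beyond the method's local variables). It assumes the javax.servlet API of a Servlet 3.x container (jakarta.servlet on Jakarta EE 9+); the URL pattern, attribute names and values are invented.

```java
// Added example (not from the original page): the Servlet-side equivalents of
// JSP's implicit objects, and the four attribute scopes. Assumes the javax.servlet
// API (Servlet 3.x); the URL pattern and attribute names are made up.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/scopes")
public class ScopeDemoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // JSP "request" / "response" are simply the servlet method parameters.
        // JSP "session": getSession(true) creates a session (and a JSESSIONID cookie) if none exists.
        HttpSession session = request.getSession(true);
        // JSP "application": the ServletContext shared by the whole web application.
        ServletContext application = getServletContext();
        // JSP "config": this servlet's own ServletConfig, not the web application's.
        ServletConfig config = getServletConfig();
        // JSP "out": a PrintWriter on the response (JSP wraps it in a JspWriter).
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        // JSP "page" is the servlet instance itself (this); JSP "exception" only exists in error pages.

        // The four scopes are attribute maps with different lifetimes.
        // page scope has no servlet equivalent: it is the local variables of this method.
        String pageValue = "lives only while this method runs";
        request.setAttribute("note", "lives until this request is answered, survives a forward");
        session.setAttribute("user", "lives until the session is invalidated or times out");
        // application scope is shared by ALL users: never put per-user data here.
        application.setAttribute("startedAt", System.currentTimeMillis());

        // A forward keeps request scope: the target JSP sees ${note}, ${user} and ${startedAt}.
        // request.getRequestDispatcher("/scopes.jsp").forward(request, response);

        out.println("<p>page: " + pageValue + "</p>");
        out.println("<p>servlet name from config: " + config.getServletName() + "</p>");
        out.println("<p>session is new: " + session.isNew() + "</p>");
    }
}
```

Deploy it in any Servlet 3.x container and request /scopes twice: the first response reports a new session and sets the JSESSIONID cookie, the second one reuses it. Uncomment the forward to see request-scope attributes arrive in a JSP.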
# What is the difference between Session and Cookie?
HTTP is a stateless protocol, so when the server needs to remember a user's state it needs some mechanism to identify that particular user. That mechanism is the Session. Take a shopping cart: when you click the order button, HTTP by itself has no idea which user is operating, so the server creates a dedicated Session for that user in order to identify and track them, and can then tell how many books are in the cart.
The Session is stored on the server side and has a unique identifier (the session ID). It can be stored in many ways: in memory, in a database or in files.
In a cluster the Session also has to be shared or transferred between nodes. Large websites usually run a dedicated cluster of session servers; the Session data is kept in memory and a caching service such as Memcached is used to store it.
So how does the server identify a particular client?
This is where the Cookie comes in. On every HTTP request the client sends the matching cookies to the server, and in fact most applications implement session tracking with a cookie. When a Session is first created, the server tells the client (through a Set-Cookie header in the HTTP response) to store the session ID in a cookie; every subsequent request carries that session ID back to the server, which then knows who you are. In Java web containers this cookie is called JSESSIONID by default. Because the session ID is worth as much as the user's credentials, the cookie should carry the HttpOnly and Secure attributes so that scripts cannot read it and it is only sent over HTTPS, and a fresh ID should be issued after login to prevent session fixation.
What if the client's browser has cookies disabled?
In that case a technique called URL rewriting is generally used for session tracking: a parameter such as sid=xxxxx is appended to every URL in each HTTP exchange, and the server uses it to identify the user. The drawback is that the session ID then appears in the address bar, browser history, server logs and the Referer header sent to other sites, so it leaks far more easily than a cookie.
Cookies can also be used for purely user-friendly purposes. Imagine you have logged into a website once and don't want to type your account name again the next time. What should you do?
This information can be written into a cookie (the user name only, never the password); when you visit the site, the page's script reads it and fills in the user name for you. That convenience is also the origin of the name: a little sweetness for the user.
To summarize:
Session is a data structure kept on the server side to track the user's state; it can be stored in a cluster, a database or a file.
Cookie is a mechanism for storing user information on the client side; it records some user information and is also the usual way of carrying the session ID, that is, of implementing Session tracking.
# How does Session work?
A Session is, in effect, a hash-table-like store on the server: the information we need is put into it and taken out again when needed.
Think of it as a large map whose keys are session IDs. The user sends the session ID along with each request, and the server uses it to look up the corresponding value, the user's data.
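The following class is an added example, not code from the original page, written to make the "large map keyed by session ID" concrete, including the parts the description leaves implicit: where the unguessable ID comes from, what the Set-Cookie header looks like, how the ID is read back out of the Cookie request header, and what happens to unknown or expired IDs. The class, method and attribute names are invented; a real container (Tomcat and friends) does the same work behind HttpSession.

```java
// Added example (not from the original page): a minimal model of server-side
// session tracking. Names are invented for illustration; a real container does
// the same thing behind HttpSession.
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final long timeoutMillis;
    // sessionId -> (attributes, last access time). This is the "large map" from the text.
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();

    private static final class Entry {
        final Map<String, Object> attributes = new HashMap<>();
        volatile long lastAccess;
        Entry(long now) { lastAccess = now; }
    }

    public SessionStore(long timeoutMillis) { this.timeoutMillis = timeoutMillis; }

    /** Creates a session and returns its ID: 128 bits from a CSPRNG, so it cannot be guessed. */
    public String create(long now) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Entry(now));
        return id;
    }

    /** Looks up the session for an incoming ID; unknown or expired IDs yield empty. */
    public Optional<Map<String, Object>> lookup(String id, long now) {
        if (id == null) return Optional.empty();
        Entry e = sessions.get(id);
        if (e == null) return Optional.empty();
        if (now - e.lastAccess > timeoutMillis) {   // idle timeout: drop the stale session
            sessions.remove(id);
            return Optional.empty();
        }
        e.lastAccess = now;
        return Optional.of(e.attributes);
    }

    /** Issues a fresh ID for an existing session; do this right after login (session fixation). */
    public String rotate(String oldId, long now) {
        Entry old = sessions.remove(oldId);
        String newId = create(now);
        if (old != null) sessions.get(newId).attributes.putAll(old.attributes);
        return newId;
    }

    public void invalidate(String id) { sessions.remove(id); }

    /** The Set-Cookie header sent when a session is created: HttpOnly keeps scripts away
     *  from the ID, Secure limits it to HTTPS, SameSite=Lax limits cross-site sending. */
    public static String setCookieHeader(String id) {
        return "Set-Cookie: JSESSIONID=" + id + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    /** Extracts JSESSIONID from a raw Cookie request header such as "a=1; JSESSIONID=xyz". */
    public static String sessionIdFromCookieHeader(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String part : cookieHeader.split(";")) {
            String p = part.trim();
            if (p.startsWith("JSESSIONID=")) return p.substring("JSESSIONID=".length());
        }
        return null;
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(30 * 60 * 1000L);   // 30-minute idle timeout
        long t0 = 1_000_000L;                                     // constructed clock value
        // First request: no cookie, so create a session and tell the client to remember it.
        String id = store.create(t0);
        System.out.println(setCookieHeader(id));
        store.lookup(id, t0).get().put("cart", 2);                // "two books in the cart"
        // Second request carries the cookie back; the server finds the same data.
        String fromClient = sessionIdFromCookieHeader("theme=dark; JSESSIONID=" + id);
        System.out.println("cart=" + store.lookup(fromClient, t0 + 1000).get().get("cart"));
        // A guessed ID finds nothing, and after the idle timeout the real one is gone too.
        System.out.println("forged present: " + store.lookup("AAAAAAAAAAAAAAAAAAAAAA", t0).isPresent());
        System.out.println("expired present: " + store.lookup(id, t0 + 31 * 60 * 1000L).isPresent());
    }
}
```

The clock is passed in explicitly so the expiry path can be exercised without waiting. Note what is missing on purpose: the ID is never derived from the user name or a counter, and the server never trusts anything in the cookie except the ID itself.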
# If the client disables cookies, can the Session still be used?
Cookie and Session are usually regarded as two independent things: Session keeps state on the server side, Cookie keeps state on the client side.
So why can't I get the Session once cookies are disabled?
Because the server uses the session ID to find the Session that belongs to the current conversation, and the session ID is normally carried in a cookie. Disabling cookies therefore means losing the session ID, and without it the Session cannot be found.
If the user must keep using the Session with cookies turned off, the ways of doing it are:
Set session.use_trans_sid = 1 in the php.ini configuration file, or build PHP with the --enable-trans-sid option, so that PHP passes the session ID between pages automatically. (In a Java container the equivalent is response.encodeURL(), which appends ;jsessionid=... to a link when the client does not accept cookies.)
Pass the session ID manually through the URL, or through a hidden form field.
Save the session ID in a file, database, etc., and read it back manually when moving between pages.
All of these expose the session ID in URLs or forms, where it leaks through logs, browser history and the Referer header. If cookies are available, URL-based tracking should be switched off; in a Servlet 3.0+ web.xml that is <session-config><tracking-mode>COOKIE</tracking-mode></session-config>.
# What is the difference between Spring MVC and Struts2?
Differences in the interception mechanism
Struts2 intercepts at the class level: a new Action instance is created for every request. When integrated with Spring, the Struts2 Action bean is injected with prototype scope, and the request data is injected into the Action's properties through its setters and getters.
In Struts2 one Action corresponds to one request/response context, and parameters are received through the Action's properties, which means those properties are shared by all of the Action's methods.
One Action method in Struts2 can be mapped to a URL, but the class's properties are shared by all of its methods. The methods therefore cannot be made independent of each other with annotations or similar means, and the Action has to be designed as a multi-instance (prototype) bean.
Spring MVC intercepts at the method level: one method corresponds to one request context, so the methods are basically independent and each has exclusive access to its own request and response data. Each method is also mapped to its own URL, parameters are injected directly as method arguments and are unique to that method, and results are returned to the framework through a ModelMap (or Model / ModelAndView).
When integrated with Spring, a Spring MVC Controller bean is a singleton by default, so by default only one Controller instance serves all requests. It must therefore not hold per-request state in instance fields; as long as it keeps no mutable shared attributes, it is thread-safe. To change the default scope, add the @Scope annotation.
Struts2 has its own interceptor mechanism, whereas Spring MVC uses a separate AOP approach, which is one reason Struts2 needs more configuration than Spring MVC.
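The three controllers below are an added example, not code from the original page. They show the singleton pitfall the text describes: a Struts2-style "request parameter stored in a property" pattern inside a default-scoped Spring MVC controller, the stateless method-level form that is thread-safe, and the @Scope change for the rare case where per-request fields are really needed. Spring Web MVC 4.3+ is assumed; the URL paths, class names and view name are invented, and the Thread.sleep only widens the race window so that the bug is easy to reproduce with two concurrent requests.

```java
// Added example (not from the original page): why a singleton Spring MVC
// controller must not keep request data in fields, and two ways to fix it.
// Assumes Spring Web MVC 4.3+; paths, class names and the view name are invented.
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * BROKEN: the Struts2 habit of "a property holds the request parameter", but in
 * a singleton. Two concurrent requests share one 'name' field, so request A can
 * render request B's value: a cross-user data leak, not just a wrong greeting.
 */
@Controller
class SharedStateController {
    private String name;                         // one field for every request and thread

    @GetMapping("/greet-broken")
    public String greet(@RequestParam("name") String name, Model model) {
        this.name = name;                        // thread 1 writes "alice"
        try { Thread.sleep(50); } catch (InterruptedException ignored) { }  // thread 2 writes "bob"
        model.addAttribute("name", this.name);   // thread 1 may now render "bob"
        return "greet";
    }
}

/**
 * CORRECT: one method per URL, parameters injected as arguments, no instance
 * state. The singleton is thread-safe because all per-request data lives on the
 * method's stack or in the Model handed back to the framework.
 */
@Controller
class StatelessController {
    @GetMapping("/greet")
    public String greet(@RequestParam("name") String name, Model model) {
        model.addAttribute("name", name);
        return "greet";
    }
}

/**
 * If a controller genuinely needs per-request fields, change its scope instead
 * of relying on the default singleton; Spring then creates a new instance for
 * each request instead of sharing one.
 */
@Controller
@Scope("prototype")
class PerRequestController {
    private String name;

    @GetMapping("/greet-request-scoped")
    public String greet(@RequestParam("name") String name, Model model) {
        this.name = name;                        // safe: this instance serves one request only
        model.addAttribute("name", this.name);
        return "greet";
    }
}
```

To see the race, fire /greet-broken?name=alice and /greet-broken?name=bob at the same time; one of the responses will greet the wrong user. The stateless version never does, whatever the load.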
Differences in the underlying framework
Struts2 is implemented as a Filter (StrutsPrepareAndExecuteFilter); Spring MVC is implemented as a Servlet (DispatcherServlet). A Filter is initialized as soon as the container starts, whereas a Servlet is initialized at startup only if load-on-startup is configured (otherwise lazily, on its first request). In the request pipeline the Filter chain runs before the Servlet it wraps, and both are destroyed when the application stops.
Performance
Struts2 intercepts at the class level: every request creates a new Action instance and all of its property values have to be injected. Spring MVC supports annotation-driven, near zero-XML configuration, and because it intercepts at the method level its singleton beans are injected only once. Development efficiency and runtime performance are therefore higher with Spring MVC than with Struts2.
Configuration
Spring MVC integrates seamlessly with Spring, so such a project is easier to manage and secure than a Struts2 one.
# How do you avoid SQL injection?
1. PreparedStatement with bound parameters (the simple and effective method): the query text is fixed in advance, so user input can never change its structure.
2. Filter incoming parameters with regular expressions.
3. String filtering of dangerous characters.
4. A checking function called from the JSP that tests whether the parameter contains illegal characters.
5. Validation code in the JSP page itself.
Only the first item is a real fix. Items 2 to 5 are blacklists that an attacker can often bypass (alternative encodings, comments, case changes) and should at most be an extra layer. Where a value cannot be a bound parameter, such as a table or column name in ORDER BY, check it against an allowlist of known names instead of escaping it.
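The DAO below is an added example, not code from the original page. It places the injectable string-concatenation query next to the PreparedStatement version and shows the allowlist approach for an ORDER BY column, which is the case where a bound parameter cannot be used. It assumes an existing java.sql.Connection (any JDBC driver) and Java 9+ for Set.of; the table, column and class names are invented.

```java
// Added example (not from the original page): the same lookup written with
// string concatenation (injectable) and with PreparedStatement, plus an
// allowlist for an ORDER BY column that cannot be bound with '?'.
// Assumes an existing java.sql.Connection and Java 9+; table/column names are invented.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class UserDao {
    private static final Set<String> SORTABLE = Set.of("username", "created_at");

    /** VULNERABLE: the input becomes part of the SQL text.
     *  name = "x' OR '1'='1"          turns the WHERE clause into a tautology;
     *  name = "x'; DROP TABLE users--" may run a second statement on drivers that allow it. */
    public static String buildUnsafeQuery(String name) {
        return "SELECT username FROM users WHERE username = '" + name + "'";
    }

    public static List<String> findUnsafe(Connection c, String name) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(name))) {
            return collect(rs);
        }
    }

    /** SAFE: the SQL is parsed first, then the value is bound. Whatever the string
     *  contains, quotes included, it is compared as data and never read as SQL. */
    public static List<String> findSafe(Connection c, String name) throws SQLException {
        String sql = "SELECT username FROM users WHERE username = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /** Identifiers cannot be bound with '?', so the requested column is checked
     *  against an allowlist of real column names; anything else is rejected, not escaped. */
    public static String orderByColumn(String requested) {
        if (!SORTABLE.contains(requested)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return requested;
    }

    public static List<String> listSorted(Connection c, String sortBy) throws SQLException {
        String sql = "SELECT username FROM users ORDER BY " + orderByColumn(sortBy);
        try (PreparedStatement ps = c.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return collect(rs);
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString("username"));
        return out;
    }
}
```

Calling buildUnsafeQuery("x' OR '1'='1") makes the injected query visible without a database; findSafe with the same input simply looks for a user literally named x' OR '1'='1 and finds nothing.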
# What is an XSS attack and how do you avoid it?
XSS stands for Cross Site Scripting (cross-site scripting attack; it was once abbreviated CSS, but that clashes with Cascading Style Sheets). The attacker injects malicious HTML or JavaScript into a website that has an XSS vulnerability; when a user browses that page, the injected code is executed in the user's browser, which is the attacker's goal.
XSS is similar in spirit to SQL injection. In SQL injection, SQL fragments supplied as user input are used to query, modify or delete data; in XSS, malicious script is inserted so that it runs in the target user's browser, giving the attacker control of the page and access to user information such as session cookies. XSS is a common vulnerability in Web applications and is a client-side attack: the victim's browser does the work.
The general idea of XSS prevention is to validate the input (including URL parameters) and, above all, to encode the output for the context it is inserted into (HTML body, attribute, JavaScript, URL). In JSP, <c:out value="${x}"/> escapes HTML by default, whereas a bare ${x} expression does not.
# What is a CSRF attack and how do you avoid it?
CSRF (Cross-site request forgery) is also called one-click attack or session riding. In general terms, the attacker forges a request that is sent from the user's own browser to a website the user is already authenticated to; the target site accepts it, mistakes it for the user's genuine action, and executes it.
It is commonly used to hijack accounts, transfer money, post bogus messages and so on. The attacker exploits a flaw in the site's request verification: the site can confirm that the request came from the user's browser, but cannot verify that the request reflects the user's real intention.
How to avoid it:
1. Verify the HTTP Referer field
The Referer header records the address the HTTP request was made from. Normally a request for a protected page comes from the same site, while an attacker can generally only construct the forged request on his own site, so CSRF can be defended against by checking the Referer value. This is only a weak defense: browsers and proxies may strip the Referer for privacy reasons, so a missing or malformed value must be treated as a rejection rather than a pass.
2. Use a verification code
Add a verification code (CAPTCHA) to pages that perform critical operations; the back end checks it when the request arrives, which prevents CSRF because the attacker cannot know the code. The method is not very user-friendly.
3. Add a token to the request and verify it
CSRF succeeds because the attacker can completely forge the user's request: all of the user's authentication information lives in cookies, so the attacker can make the user's browser pass authentication with the user's own cookies without knowing what is in them. The key to resisting CSRF is therefore to put into the request something the attacker cannot forge, and that something must not live in a cookie.
A randomly generated token can be added as a parameter in the HTTP request, and an interceptor on the server side verifies it. If the request carries no token, or the token is wrong, the request is treated as a possible CSRF attack and rejected.
This is safer than checking the Referer. The token can be generated after the user logs in and kept in the session; on every request the token is taken out of the session and compared with the one in the request. The difficulty of this method is how to add the token to every request as a parameter.
For GET requests the token is appended to the request address, so the URL becomes http://url?csrftoken=tokenvalue. (State-changing operations should not be GET requests in the first place, and a token in the URL can leak through the Referer.)
For POST requests a hidden input field holding the token is added to the end of the form, so the token is submitted as a form parameter.
4. Put the token in a custom HTTP header and verify it
This method also uses a token, but instead of sending it as a request parameter it is placed in a custom attribute of the HTTP header.
Using the XMLHttpRequest class, the csrftoken header can be added to all requests of that kind in one place, with the token as its value.
This removes the inconvenience of adding the token to every request by hand. At the same time, addresses requested through XMLHttpRequest are not shown in the browser's address bar, and there is no need to worry about the token leaking to other sites through the Referer. A custom header also cannot be set by a plain cross-site form post, and a cross-origin XMLHttpRequest that sets one triggers a CORS preflight that the server can refuse.
The above is the detailed content of Java Web common interview questions. For more information, please follow other related articles on the PHP Chinese website!