Most Recent Arcitura Education S90.20 Exam Dumps

Prepare for the Arcitura Education SOA Security Lab exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Arcitura Education S90.20 exam and achieve success.

The questions for S90.20 were last updated on Apr 21, 2026.

Viewing page 1 out of 6 pages.
Viewing questions 1-5 out of 30 questions

Get All 30 Questions & Answers

Question No. 1

Service Consumer A sends a request to Service A (1). Service A replies with an acknowledgement message (2) and then processes the request and sends a request message to Service B (3). This message contains confidential financial data. Service B sends three different request messages together with its security credentials to Services C .D .and E (4, 5, 6). Upon successful authentication, Services C .D .and E store the data from the message in separate databases (7.8, 9). Services B .C .D, and E belong to Service Inventory A, which further belongs to Organization B .Service Consumer A and Service A belong to Organization A .Organization B decides to create a new service inventory (Service Inventory B) for services that handle confidential data. Access to these services is restricted by allocating Service Inventory B its own private network. Access to this private network is further restricted by a dedicated firewall. Services C, D and E are moved into Service Inventory B, and as a result. Service B can no longer directly access these services. How can this architecture be changed to allow Service B to access Services C, D and E in a manner that does not jeopardize the security of Service Inventory B while also having a minimal impact on the service composition's performance?

AThe Service Perimeter Guard pattern is applied together with the Brokered Authentication pattern. A new perimeter service is created to intercept all request messages sent to services inside the private network (inside Service Inventory B),before they reach the firewall. The perimeter service also acts as the authentication broker that authenticates request messages sent to Services C, D, and E by evaluating the accompanying security credentials and issuing a security token to be used by Service B when accessing Services C, D, and E .

BThe Service Perimeter Guard pattern is applied together with the Message Screening pattern. A new perimeter service iscreated specifically for Service Inventory B .This service filters all messages before they reach the firewall and further evaluates the IP address of the messages to verify the identity of the message originators. If the originator is successfully authenticated, then the perimeter guard checks the request message for potentially malicious content. If the request message does not contain malicious content, it is sent through the firewall to proceed to Services C, D, and E for further processing.

CThe Brokered Authentication pattern is applied by extending the firewall functionality with a single sign-on mechanism. Because the firewall already restricts accesses to Service Inventory B, adding authentication logic to the firewall optimizes the performance of the overall security architecture. Service B needs to be authenticated by the authentication broker only once in order to get a security token that can be used to access Services C,D,and E .This eliminates the need for Service B to authenticate several times during the same service composition.

DThe Data Confidentiality pattern is applied together with the Direct Authentication pattern. A new utility service is created tovalidate request messages sent to Service Inventory B .Service B must encrypt the message content using the utility service's public key and attach its own digital certificate to the request message. This message is first evaluated by the firewall to filter out requests from disallowed sources and can then be forwarded to the utility service, which then verifies the identity of the message originator (using a digital certificate) and decrypts the request message contents. If the originator is authorized to access Services C, D, and E, the appropriate request messages are sent to these services.

Show Answer

Correct Answer: A

Question No. 2

Service Consumer A sends a request message with an authentication token to Service A, but before the message reaches Service A, it is intercepted by Service Agent A (1). Service Agent A validates the security credentials and also validates whether the message is compliant with Security Policy A .If either validation fails, Service Agent A rejects the request message and writes an error log to Database A (2A). If both validations succeed, the request message is sent to Service A (2B). Service A retrieves additional data from a legacy system (3) and then submits a request message to Service B Before arriving at Service B, the request message is intercepted by Service Agent B (4) which validates its compliance with Security Policy SIB then Service Agent C (5) which validates its compliance with Security Policy B .If either of these validations fails, an error message is sent back to Service A .that then forwards it to Service Agent A so that it the error can be logged in Database A (2A). If both validations succeed, the request message is sent to Service B (6). Service B subsequently stores the data from the message in Database B (7). Service A and Service Agent A reside in Service Inventory A .Service B and Service Agents B and C reside in Service Inventory B .Security Policy SIB is used by all services that reside in Service Inventory B .Service B can also be invoked by other service from within Service Inventory B .Request messages sent by these service consumers must also be compliant with Security Policies SIB and B .New services are being planned for Service Inventory A .To accommodate service inventory-wide security requirements, a new security policy (Security Policy SIA) has been created. Compliance to Security Policy SIA will be required by all services within Service Inventory A .Some parts of Security Policy A and Security Policy SIB are redundant with Security Policy SIA .How can the Policy Centralization pattern be correctly applied to Service Inventory A without changing the message exchange requirements of the service composition?

AThe parts of Security Policy A and Security Policy SIB that are redundant with Security Policy SIA are removed so that there is no overlap among these three security policies. A new service agent is introduced into Service Inventory A to validate compliance to the new Security Policy SIA prior to messages being validated by Service Agent A .Another new service agent is introduced into Service Inventory B to validate compliance to the new Security Policy SIA prior to messages being validated by Service Agents B and C .

BThe parts of Security Policy A that are redundant with Security Policy SIA are removed so that there is no overlap between these two security policies. A new service agent is introduced into Service Inventory A to validate compliance to the new Security Policy SIA prior to messages being validated by Service Agent A .

CThe parts of Security Policy A and Security Policy SIB that are redundant with Security Policy SIA are removed so that there is no overlap among these three security policies. Service Agent A is updated so that it can validate messages for compliance with both Security Policy A and Security Policy SIA .Service Agent B is updated so that it can validate messages for compliance with both Security Policy SIA and Security Policy SIB .Service Agent C remains unchanged.

DDue to the amount of overlap among Security Policy A, Security Policy SIA, and Security Policy SIB, the Policy Centralization pattern cannot be correctly applied without changing the message exchange requirements of the service composition.

Show Answer

Correct Answer: B

Question No. 3

Service Consumer A submits a request message with security credentials to Service A (1). The identity store that Service A needs to use in order to authenticate the security credentials can only be accessed via a legacy system that resides in a different service inventory. Therefore, to authenticate Service Consumer A, Service A must first forward the security credentials to the legacy system (2). The legacy system then returns the requested identity to Service A (3). Service A authenticates Service Consumer A against the identity received from the legacy system. If the authentication is successful, Service A retrieves the requested data from Database A (4), and returns the data in a response message sent back to Service Consumer A (5). Service A belongs to Service Inventory A which further belongs to Security Domain A and the legacy system belongs to Service Inventory B which further belongs to Security Domain B .(The legacy system is encapsulated by other services within Service Inventory B, which are not shown in the diagram.) These two security domains trust each other. Communication between Service A and the legacy system is kept confidential using transport-layer security. It was recently discovered that a malicious attacker, posing as Service Consumer A, has been accessing Service A .An investigation revealed that these attacks occurred because security credentials supplied by Service Consumer A were transmitted in plaintext. Furthermore, vulnerabilities to replay attacks and malicious intermediaries have been detected. Which of the following statements describes a solution that can counter these types of attacks?

Also, list the industry standards required by the proposed solution.

AApply the Data Origin Authentication pattern together with the Data Confidentiality pattern in order to establish message-layer security that guarantees the confidentiality and integrity of messages exchanged by Service Consumer A and Service A .Further, a security policy can be created to require that security credentials submitted to Service A must be digitally signed and encrypted and also contain a timestamp to validate the actual time the request was issued. Industry standards that can be used for this solution are WS-Policy, WS-Security-Policy, XMLEncryption, and XML-Signature.

BApply the Service Perimeter Guard pattern together with the Trusted Subsystem pattern to establish a perimeter service that can perform security functions on behalf of Service A .Theutility service can verify the validity of the request messages from Service Consumer A by authenticating the request message against an identity store. If the request message is authenticated, the utility service then sends it to Service A for further processing. All communications between Service A and Service Consumer A can be encrypted using the public key of the intended recipient, and signed using the private key of the sender. Industry standards that can be used for this solution are XML-Encryption, XML-Signature, and WS-Trust.

CApply the Service Perimeter Guard pattern to establish a perimeter service that can perform security functions on behalf of-Service A .Next, apply the Data Confidentiality pattern so that the security credential information provided by Service Consumer A with the request message is encrypted with the secret key shared between the perimeter service and Service Consumer A .The perimeter service evaluates the credentials and if successfully authenticated, forwards the request message to Service A .Transport-layer security is used to protect message exchanges between Service A and Service Consumer A .

DApply the Trusted Subsystem pattern together with the Data Origin Authentication pattern in order to establish a utility service-that performs the security processing on behalf of Service A .Service Consumer A must digitally sign all request messages and encrypt the credential information using the public key of the utility service. The utility service can then verify the security credentials and the digital signature to establish the validity of the request message. If the request message is permitted, the utility service establishes a composite trust domain that encompasses Service Consumer A, Service A, Database A, and the legacy system. Because all communications remain within a single trust domain, malicious intermediaries will not be able to gain access to any exchanged data.

Show Answer

Correct Answer: A

Question No. 4

Service Consumer A sends a request message to Service A (1), after which Service A sends a request message to Service B (2). Service B forwards the message to have its contents calculated by Service C (3). After receiving the results of the calculations via a response message from Service C (4), Service B then requests additional data by sending a request message to Service D (5). Service D retrieves the necessary data from Database A (6), formats it into an XML document, and sends the response message containing the XML-formatted data to Service B (7). Service B appends this XML document with the calculation results received from Service C, and then records the entire contents of the XML document into Database B (8). Finally, Service B sends a response message to Service A (9) and Service A sends a response message to Service Consumer A (10). Services A, B and D are agnostic services that belong to Organization A and are also being reused in other service compositions. Service C is a publicly accessible calculation service that resides outside of the organizational boundary. Database A is a shared database used by other systems within Organization A and Database B is dedicated to exclusive access by Service B .Recently, Service D received request messages containing improperly formatted database retrieval requests. All of these request messages contained data that originated from Service C .There is a strong suspicion that an attacker from outside of the organization has been attempting to carry out SOL injection attacks. Furthermore, it has been decided that each service that writes data to a database must keep a separate log file that records a timestamp of each database record change. Because of a data privacy disclosure requirement used by Organization A, the service contracts of these services need to indicate that this logging activity may occur. How can the service composition architecture be improved to avoid SQL injection attacks originating from Service C - and - how can the data privacy disclosure requirement be fulfilled?

AApply the Service Perimeter Guard pattern together with the Message Screening pattern in order to establish a perimeter service with message screening logic. Position the perimeter service between Service C and Service B .The message screening logic rejects or filters out potentially harmful content in messages sent from Service C, prior to being forwarded to Service B .Secondly, update the service contracts for Services B and D with an optional WS-Policy assertion that provides service consumers with the option of complying to the logging requirements.

BApply the Data Origin Authentication pattern to authenticate data received from Service C .Service C digitally signs any datasent in response messages to Service B .Service B can then verify that the data has not been modified during transit and that it originated from Service C .Secondly, update the service contracts for Services B and D with an ignorable WS-Policy assertion that communicates the possibility of the logging activity.

CApply the Data Origin Authentication pattern to authenticate data received from Service C .Service C digitally signs any datasent in response messages to Service B .Service B can then verify that the data has not been modified during transit and that it originated from Service C .Secondly, update the service contracts for Services B and D with an ignorable WS-Policy assertion that communicates the possibility of the logging activity. The service contracts for Services B and D are updated with an optional WS-Policy assertion that provides service consumers with the option of complying to the logging requirements.

DApply the Message Screening pattern in order to establish a service agent with message screening logic. Position the service agent between Service C and Service B .The service agent's message screening logic can reject or filter out potentially harmful content in messages sent from Service C, before being processed by Service B .Secondly, update the service contracts for Services B and D with an ignorable WS-Policy assertion that communicates the possibility of the logging activity.

Show Answer

Correct Answer: D

Question No. 5

Services A, B, and C reside in Service Inventory A and Services D, E, and F reside in Service Inventory B .Service B is an authentication broker that issues WS-Trust based SAML tokens to Services A and C upon receiving security credentials from Services A and C .Service E is an authentication broker that issues WS-Trust based SAML tokens to Services D and F upon receiving security credentials from Services D and E .Service B uses the Service Inventory A identify store to validate the security credentials of Services A and C .Service E uses the Service Inventory B identity store to validate the security credentials of Services D and F .It is decided to use Service E as the sole authentication broker for all services in Service Inventories A and B .Service B is kept as a secondary authentication broker for load balancing purposes. Specifically, it is to be used for situations where authentication requests are expected to be extra time consuming in order to limit the performance burden on Service E .Even though Service B has all the necessary functionality to fulfill this new responsibility, only Service E can issue SAML tokens to other services. How can these architectures be modified to support these new requirements?

AWhen time consuming authentication requests are identified, Service E can forward them to Service B .Upon performing the authentication, Service B sends its own signed SAML token to Service E .Because Service E trusts Service B .it can use the Service B-specific SAML token to issue an official SAML token that is then sent to the original service consumer (that requested authentication) and further used by other services.

BTo provide load balancing, a service agent needs to be implemented to intercept all incoming requests to Service E .The-service agent uses a random distribution of the authentication requests between Service B and Service E .Because the request messages are distributed in a random manner, the load between the two authentication brokers is balanced.

CBecause both Service B and Service E issue SAML tokens, these tokens are interchangeable. In order for both services to-receive the same amount of authentication requests, a shared key needs to be provided to them for signing the SAML tokens. By signing the SAML tokens with the same key, the SAML tokens generated by Service B cannot be distinguished from the SAML tokens generated by Service E .

DBecause the federation requirements ask for SAML tokens generated by Service E, Service B cannot function as an-authentication broker. To address the load balancing requirement, a new utility service needs to be introduced to provide functionality that is redundant with Service E .This essentially establishes a secondary authentication broker to which Service E can defer time-consuming authentication tasks at runtime.

Show Answer

Correct Answer: B

Unlock All Questions for Arcitura Education S90.20 Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 30 Questions & Answers