
ISBN: 0321118898

ISBN13: 9780321118899

Enterprise Java Security: Building Secure J2EE Applications

Book Overview

Enterprise Java(tm) Security: Building Secure J2EE(tm) Applications provides application developers and programmers with the know-how they need to utilize the latest Java security technologies in... This description may be from another edition of this product.

Customer Reviews

5 ratings

Excellent and Comprehensive

The first thing to say to anyone considering buying a book on the topic of enterprise Java security is that the topic is vast and constantly changing. No single book could satisfy every need. That being said, this book comes as close as any one book is likely to. I've been using this book for several weeks now and I have found it extremely valuable. Since I make my living helping people write better Java code I was dismayed by the assumption in some of the code examples that FileInputStream's available() method is guaranteed to return the total size of the file. (The code on pages 430-431 is just one example.) A loop is required for code that must work every time. Since I didn't find any information in the book about where to submit errors or comments I will mention one more--admittedly small--item here: on page 363 "9" is printed where "q" is meant. It's an interesting typo because it suggests this portion of the manuscript may have been originally written by hand and then transcribed by someone non-technical. Or perhaps I've been studying cryptography so much lately I'm starting to decrypt things that aren't there. I would recommend this book to anyone seeking detailed and authoritative information on any aspect of J2EE security from the low level cryptography to high level architecture.
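The available() problem the reviewer raises deserves a concrete illustration. The following is an added example, not code from the book or from the reviewer: it wraps a byte array in a constructed stream (ChunkedStream, a hypothetical class) that only exposes a few bytes per call, as a socket or a slow file can, and shows that a single read sized by available() silently truncates the data while a read loop recovers all of it. Truncation matters for security code because a half-read key file or certificate may still parse and be used.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example (not from the book): why "new byte[in.available()]" plus one
// read() is not a way to read a whole file, and what the correct loop looks like.
public class ReadFullyDemo {

    // Constructed stream that behaves like a network socket or a file on a slow
    // device: available() and read() never expose more than `chunk` bytes at a
    // time even though more data remains. This is a hypothetical helper.
    static final class ChunkedStream extends InputStream {
        private final InputStream in;
        private final int chunk;

        ChunkedStream(byte[] data, int chunk) {
            this.in = new ByteArrayInputStream(data);
            this.chunk = chunk;
        }

        @Override public int read() throws IOException {
            return in.read();
        }

        @Override public int read(byte[] b, int off, int len) throws IOException {
            return in.read(b, off, Math.min(len, chunk));
        }

        @Override public int available() throws IOException {
            return Math.min(in.available(), chunk);
        }
    }

    // The pattern the reviewer objects to: treats available() as the total size and
    // returns whatever a single read() call happened to deliver.
    static byte[] readTrustingAvailable(InputStream in) throws IOException {
        byte[] buf = new byte[in.available()];
        int n = in.read(buf);
        return n < 0 ? new byte[0] : Arrays.copyOf(buf, n);
    }

    // Correct pattern: keep reading until read() returns -1 (end of stream).
    // available() is only ever a lower bound on what can be read without blocking.
    static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input standing in for a PEM-encoded key file.
        byte[] data = ("-----BEGIN KEY-----\n"
                     + "MIIBogIBAAJBAL...\n"
                     + "-----END KEY-----\n").getBytes(StandardCharsets.US_ASCII);

        byte[] truncated = readTrustingAvailable(new ChunkedStream(data, 16));
        byte[] complete  = readFully(new ChunkedStream(data, 16));

        System.out.println("available()-based read returned " + truncated.length
                + " of " + data.length + " bytes");
        System.out.println("loop-based read returned " + complete.length
                + " of " + data.length + " bytes");
        System.out.println("loop result identical to input: "
                + Arrays.equals(complete, data));
    }
}
```

The same loop applies to any InputStream, FileInputStream included; on a local file available() often happens to equal the remaining length, which is exactly why the bug survives testing and fails later on a network share, a pipe, or a large file.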

A good book on Java security

This book makes me nostalgic for the early SAMS Publishing Unleashed series of books on Java. Remember when you first learned what a servlet was? That's the feeling I get when reading Enterprise Java Security. The book does a good job explaining how Secure Sockets Layer (SSL), object-level security, Kerberos, and legacy security came about. It then shows detailed examples with sample code of how to implement each of the security techniques. The text is surprisingly complete, including coverage of Web Service Security protocols and techniques.

The BEST book on Java/J2EE security

The book starts off with an overview of the Java and security landscape with quick introductions to things like Java Cryptography Architecture (JCA), Java Cryptography Extension (JCE), Java Authentication and Authorization Service (JAAS), Java Secure Socket Extension (JSSE) and PKI. This chapter does a great job of introducing all of the security features in the Java platform and how they fit in the standard application development framework. There is a really nice picture on page 9 that sums up all of the security providers, services and components and how they fit together in J2SE and J2EE. After the introduction, the book moves into a discussion about firewalls and some network architecture discussion. The second section (Chapter 3) of the book deals with the J2EE security model. This section starts with a quick intro to the J2EE components before moving into a discussion of the J2EE security roles and authorization model. After a quick example of using declarative security with EJBs, the authors then discuss authentication in the realm of HTTP and web applications with a quick intro to basic, form and certificate-based authentication. The authors recommend the use of declarative security over programmatic security as a best practice. I have to agree with that assessment and recommendation completely. But there are instances where declarative security is not possible and you have to resort to programmatic security. The chapter shows some simple code examples to validate the security role of a user in an EJB, and fetching user information in a web application.

The next section of the book deals with JavaServer Pages (JSP) and Servlet security. The section starts with a quick intro to Servlets and the Servlet life cycle, before moving into the authentication section. At first, the simple HTTP authentication mechanism is explained with a nice breakdown of the HTTP status code sent from the server to the browser along with a description of how the username and password are encoded on the client side. I really like the way this section was written as it didn't leave any ambiguity in how the process works. After basic authentication, we move on to form-based authentication, which is explained very simply along with the appropriate snippet that belongs in your web.xml file. Once again, the explanation and graphic do a great job of breaking the authentication process down to the HTTP communication between the browser and server. This section also briefly describes certificate-based authentication and single sign-on.

After authentication, the section moves on to the authorization or the roles part of the puzzle. In reading this section, I learned something new and really interesting. There is discussion of the RequestDispatcher object that allows you to use the forward() or include() method to create an invocation chain. In that scenario, the web container only authorizes the first invocation and not every forward or include that is part of the process. T
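The RequestDispatcher point in the review above is worth seeing in code, because it is the main reason a purely declarative setup can still leak a protected page. The following is an added example, not code from the book or from the reviewer. It assumes a hypothetical web.xml (quoted in the comment) that protects the /admin/* URL space with a security-constraint and FORM login; the role name "admin", the servlet name ReportServlet and the target path /admin/report.jsp are all assumptions. The container applies the constraint only to the request that arrives from the client, so a servlet mapped outside /admin/* that forwards to /admin/report.jsp hands the page to anyone who can reach the servlet. The block shows that unchecked forward beside a version that performs the programmatic check the review mentions (getUserPrincipal() and isUserInRole()) before crossing into the protected area.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not from the book). Assumes a web.xml like the constructed
 * fragment below; role and path names are hypothetical:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>admin pages</web-resource-name>
 *       <url-pattern>/admin/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>admin</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *
 * The constraint is enforced on client requests only. A RequestDispatcher
 * forward() or include() to /admin/report.jsp issued from a servlet that is
 * mapped outside /admin/* is not authorized again by the container.
 */
public class ReportServlet extends HttpServlet {

    private static final String ADMIN_ROLE = "admin";               // assumed role name
    private static final String ADMIN_TARGET = "/admin/report.jsp"; // assumed protected page

    // Vulnerable pattern: this servlet sits outside /admin/*, so the constraint never
    // ran for this request, and the forward renders the protected page for any caller.
    protected void forwardWithoutCheck(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        RequestDispatcher rd = req.getRequestDispatcher(ADMIN_TARGET);
        rd.forward(req, resp);
    }

    // Hardened pattern: a programmatic check that mirrors the declarative constraint
    // runs before the dispatch crosses into the protected URL space.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!isAuthorized(req)) {
            // 403 for both the anonymous and the wrong-role case: with FORM login the
            // container's login redirect only fires for constrained URLs, so there is
            // no useful challenge to send from here.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getRequestDispatcher(ADMIN_TARGET).forward(req, resp);
    }

    // Kept separate so the decision can be unit-tested with a stubbed request.
    static boolean isAuthorized(HttpServletRequest req) {
        // getUserPrincipal() is null until the container has authenticated the caller;
        // isUserInRole() consults the role mapping from the deployment descriptor.
        return req.getUserPrincipal() != null && req.isUserInRole(ADMIN_ROLE);
    }
}
```

Consistent with the book's own advice to prefer declarative security, the cleaner fix is to map the forwarding servlet itself under a constrained url-pattern so the container authenticates and authorizes the entry point; the programmatic check above is the fallback for the cases the review describes, where that is not possible.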

Making Java Viable in Corporate Computing

As companies move to expand their presence on the web beyond mere read-only brochureware, Java has become the preferred choice of language in which to write the web server side and, though to a lesser extent, even the client side. The book explains why this became so; like the fact that Java now runs on most computers, enabling the development of code that can be easily migrated to different computers.

But the opening up of a company's computers to the web has a downside. It exposes the company to a broad range of attacks; far more so than the traditional glass house mainframe with the occasional modem dial-in. So an adopter of Java for enterprise computing might reasonably ask: Can Java provide adequate security?

The book is devoted to answering that question. The authors expound on a slew of acronym-laden methods: JCA, JCE, PKCS, JSSE. All under the rubric of J2EE, which is the enterprise version of J2SE. It helps in many chapters to be versed in XML. The configuration files ("deployment descriptors") are all in XML. Acquaintance with the rudiments of public key cryptography wouldn't hurt either.

There is one advantage of the book which the authors modestly decline to point out. The book says that all the authors are from IBM. But it doesn't say one way in which this is a plus. A certain unnamed company in Seattle keeps murmuring that Java is owned by Sun, and that should you use Java, you are tying your company's future to Sun, which has had revenue problems lately. But J2EE and J2SE and JCA (etc.) are massively supported by other computer firms, IBM most prominently amongst these. In fact, IBM claims that its Java effort is second only to Sun's. This book is a good statement of that.

A solid resource

Security is a topic which often seems to be given too little thought. This book gives a hand to the J2EE developer new to security on a Java platform and, especially, on the J2EE platform. The book has been split into five parts. I have gathered my thoughts about each in their separate paragraphs below.

Part I discusses the needs of enterprise application security in general, and how these needs are associated with the J2EE components on a two- or three-tier architecture, illustrated with pretty pictures of firewalls etc. The discussion is high-level in nature and acts mainly as a smooth entry into the mind-set of implementing security into your application.

Part II takes the focus inside J2EE and shows what kind of handles the J2EE architecture provides for security-related services such as authentication and authorization. Basically, this part of the book explains the programmatic and declarative security for web applications and Enterprise JavaBean components. The writing is very easy to understand but I would've liked to see one or two complete examples of a deployment descriptor instead of just small snippets. To me, seeing a full example would seem like a great way to tie things up in context.

Part III, titled "The Foundations of Java 2 Security", is something I'm sure I'll come back to when I have to deal with J2SE security. The authors describe the whole shebang from class loaders to security managers and the horde of different types of permissions. This part also includes a chapter about the Java Authentication and Authorization Service (JAAS), which is top-notch amongst those I've seen about the subject. Clear writing combined with precise and illustrative examples. The one topic that could've deserved some concrete usage help was the command-line utilities such as keytool and jarsigner. Also, applet security was only mentioned in passing (the word "applet" can't even be found in the index), which may or may not be significant for the reader.

Part IV is dedicated to the art of cryptography. After presenting the basics of cryptographic algorithms, secret and public-key cryptography, the authors continue by discussing how the selected algorithms affect the confidentiality, integrity, authenticity, and non-repudiation properties of data. The chapters also discuss digital signatures, certificates, and key distribution on a high level. The rest of the fourth part shows how the JCA and JCE frameworks are built (i.e. how the pluggable implementation architecture works) and how the relevant APIs are used. The Java Secure Socket Extension (JSSE) for SSL is also presented with a couple of very nice examples including server and client authentication.

The fifth and final part talks about "advanced" topics such as web services security and some security considerations for container providers (which seems a bit out-of-place in this book). The subjects are covered only very superficially, which is understandable because the area of web service