
Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management Hardcover – October 24, 2005

ISBN-13: 978-0131463073 ISBN-10: 0131463071 Edition: 1st


Product Details

  • Hardcover: 1088 pages
  • Publisher: Prentice Hall; 1 edition (October 24, 2005)
  • Language: English
  • ISBN-10: 0131463071
  • ISBN-13: 978-0131463073
  • Product Dimensions: 7.4 x 2.3 x 9.6 inches
  • Shipping Weight: 3.8 pounds
  • Average Customer Review: 4.7 out of 5 stars (31 customer reviews)
  • Amazon Best Sellers Rank: #242,604 in Books

Editorial Reviews

From the Back Cover

Praise for Core Security Patterns

Java provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patterns addresses both aspects of security and will be a guide to developers everywhere in creating more secure applications.

--Whitfield Diffie, inventor of Public-Key Cryptography

A comprehensive book on Security Patterns, which are critical for secure programming.

--Li Gong, former Chief Java Security Architect, Sun Microsystems, and coauthor of Inside Java 2 Platform Security

As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts.

--Joe Uniejewski, Chief Technology Officer and Senior Vice President, RSA Security, Inc.

This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry.

--Judy Lin, Executive Vice President, VeriSign, Inc.

Core Security Patterns provides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indispensable security reference by their side.

--Bill Hamilton, author of ADO.NET Cookbook, ADO.NET in a Nutshell, and NUnit Pocket Reference

As a trusted advisor, this book will serve as a Java developer's security handbook, providing applied patterns and design strategies for securing Java applications.

--Shaheen Nasirudheen, CISSP, Senior Technology Officer, JPMorgan Chase

Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors' strong security experience, they created a must-have book for any designer/developer looking to create secure applications.

--John Crupi, Distinguished Engineer, Sun Microsystems, coauthor of Core J2EE Patterns

Core Security Patterns is the hands-on practitioner's guide to building robust end-to-end security into J2EE™ enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications.

The authors explain the fundamentals of Java application security from the ground up, then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and twenty-three proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code. They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME™ applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using Smart Cards and Biometrics.

Core Security Patterns covers all of the following, and more:

  • What works and what doesn't: J2EE application-security best practices, and common pitfalls to avoid
  • Implementing key Java platform security features in real-world applications
  • Establishing Web Services security using XML Signature, XML Encryption, WS-Security, XKMS, and WS-I Basic security profile
  • Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML
  • Designing secure personal identification solutions using Smart Cards and Biometrics
  • Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists
  • End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications


About the Author

Christopher Steel, CISSP, ISSAP, is the President and CEO of FortMoon Consulting and was recently the Chief Architect on the U.S. Treasury's Pay.gov project. He has over fifteen years experience in distributed enterprise computing with a strong focus on application security, patterns, and methodologies. He presents regularly at local and industry conferences on security-related topics.

Ramesh Nagappan is a Java Technology Architect at Sun Microsystems. With extensive industry experience, he specializes in Java distributed computing and security architectures for mission-critical applications. Previously he coauthored three best-selling books on J2EE, EAI, and Web Services. He is an active contributor to open source applications and industry-standard initiatives, and frequently speaks at industry conferences related to Java, XML, and Security.

Ray Lai, Principal Engineer at Sun Microsystems, has developed and architected enterprise applications and Web services solutions for leading multinational companies ranging from HSBC and Visa to American Express and DHL. He is author of J2EE Platform Web Services (Prentice Hall, 2004).


Customer Reviews

Review highlights:

  • Natalya Kilinski: When I first heard my coworkers talking about this book, I thought "oh great, another J2EE book!"
  • Hemant Kesarkar: Undoubtedly, this book is very easy to understand, with good code examples, and nicely organized to support the needs of a Java developer.
  • Prasad Reddy: If you develop Java or J2EE applications or Web services and are working on a security architecture, then you should read this book.

Most Helpful Customer Reviews

15 of 17 people found the following review helpful By Hemant Kesarkar on January 20, 2006
Format: Hardcover
This is the best book I ever had for Java security. This book talks about everything you need to know about Java security architecture and how to implement it with patterns. In addition to patterns, the book also recommends security best-practice considerations for J2EE production, how to do proactive and reactive security assessments using well-defined checklists, and a security design case study for a portal. Undoubtedly, this book is very easy to understand, with good code examples, and nicely organized to support the needs of a Java developer. It is highly recommended for anyone who wants to get involved with security architecture in J2EE applications and web services. If you are a Java guy, then go for it.
10 of 11 people found the following review helpful By Jerry Hewett on May 10, 2006
Format: Hardcover Verified Purchase
Considering how many other completely useless WS-Security references (and websites, and example programs, and...) I've been through, it was a huge relief to FINALLY find one that contains WORKING code for JAAS authorization. Even though I still don't have all the answers I need (thanks to truly hideous examples and the complete and utter lack of any worthwhile or accurate documentation in JWSDP 2.0), this book is worth its weight in gold, AFAIC.
18 of 22 people found the following review helpful By Stephen Northcutt on November 11, 2005
Format: Hardcover
They say there is an average of 1000 web defacements a day on the Internet (where do they get such statistics?). And yet, if you talked about security to an application development shop . . . until recently they looked at you like you were nuts.

That is changing and more high quality resources for secure code development are becoming available.

However, this book is going to be tough to beat.

Chapters one and two are forgettable, but that is forgivable, because they only go to page 95 and there are 900 pages of real meat ahead. At 39.00, if this book is sold by the pound, it is one of the best buys on the shelf.

The author team does the best job I have seen in a long time of making the concept clear in plain English and then jumping into the "here is how you do it."

NOTE: I loaned my copy to a friend who is a coder last Friday and he just called to tell me he loves the book, so at least two coders are pretty impressed with this one.
9 of 10 people found the following review helpful By Hugh K. Boyd on May 15, 2006
Format: Hardcover
I have found all the Sun "Core" Java books to be a cut above, but this one differs in that, while obviously Java-centric, many of the patterns discussed are relevant to all development platforms. I'd recommend this book to developers and architects of web services and web applications regardless of their preferred development environment.
17 of 21 people found the following review helpful By Jack D. Herrington on November 12, 2005
Format: Hardcover
This is a tome to be sure. It clocks in at about a thousand pages with a weight to match. But this isn't a screenshot-filled doorstop. This is an excellent theory-level walkthrough of Java web standards, in addition to having implementation-level code samples. It works on both counts that way, and that's pretty unusual for web services books.

The writing and illustrations are good. I quibble a little with the code formatting and the lack of annotation. But those are minor complaints for what is a fine work.
13 of 16 people found the following review helpful By Michael Somers on November 18, 2005
Format: Hardcover
I am a security consultant from one of the Big5 consulting organizations and I am involved with building security for a bunch of large-scale business applications. I've been scouting on the Internet for months looking for relevant Java security material for defining architecture, patterns, API usage, how-tos, implementation options, best practices and deployment models that help me to make architectural and implementation decisions. After reading the book info I got via Google, I bought this book with confidence. With almost 3 weeks of reading, I must say this is the book I had been looking for for years, and coincidentally this book has answers to all my questions like a one-stop reference. The book digs into everything I needed to know about Java security and also the relevant architecture, patterns, and best practices for building security in enterprise-grade J2EE applications. From a security architect's standpoint, I liked the following:

+ How-to's and when to use Java Security APIs (JCE, JCA, JSSE, JAAS, JCERT, SASL)
+ Implementing Security with JSP/Servlets/EJB/JDBC/JMS/J2EE connectors/JACC etc.
+ J2EE network topology options and how to design the network deployment for security and scalability
+ How to secure thick/thin clients, j2me clients interacting with server-side j2ee apps.
+ Practical scenarios for using WS-Security, XML Signature, XML Encryption, XKMS, XML Firewalls
+ Enabling Single sign-on and When to use SAML, Liberty ID-*, XACML.
+ Security architecture, patterns, best practices and pitfalls to consider in designing and deploying Web-based and EJB applications, Web services, Identity management and user account provisioning.
6 of 7 people found the following review helpful By Jimmy Chow on February 12, 2006
Format: Hardcover
There's no doubt this book has everything you need to know about J2EE security. Much of the book contains patterns and best practices that were incredibly valuable, and the authors seemed to have a focused direction: they wanted us to know the basics of security with the Java platform, J2EE applications and XML web services. Even an experienced J2EE developer will glean countless insights from these well-written details and code examples for security basics. After a thorough explanation of the basics, the authors describe useful security patterns for J2EE application architecture and design strategies for the presentation tier, business tier, and Web services tier in 6 dedicated chapters. Each chapter has a section on best practices and pitfalls, a must-read which no other book comes close to, and this book counts 101 bullets of them.
The book has 2 chapters on identity management explaining the SAML, Liberty Alliance and XACML standards and how to implement them with patterns for enabling single sign-on, SAML assertions, and identity federation. The book also has 2 chapters on service provisioning for identity management, discussing the SPML standard and how to use SPML with Java for synchronizing passwords with multiple apps. The chapter on personal identification using smartcards and biometrics shows architecture and implementation strategies for enabling smartcard- and biometrics-based authentication, which is very compelling for those interested in multi-factor authentication for J2EE applications.
The book summarizes with a case study chapter, which shows how to build a secure portal using a patterns-driven security design methodology. The artifacts for risk analysis, trade-off analysis, and policy design are very much usable in real-world J2EE application security assessment.