31 Reviews
14 of 15 people found the following review helpful:
5.0 out of 5 stars
Java guys, go for it,
By Hemant Kesarkar "J2EE Architect" (Reston, VA)
This review is from: Core Security Patterns: Best Practices and Strategies for J2EE™, Web Services, and Identity Management (Hardcover)
This is the best book I ever had for Java security. This book talks about everything you need to know about Java security architecture and how to implement them with patterns. In addition to patterns, the book also recommends security best practices considerations for J2EE production, how to do proactive and reactive security assessments using well-defined checklists, security design case-study for portal. Undoubtedly, this book is very easy to understand, good code examples and nicely organized to support the needs of a Java developer. It is highly recommended for anyone who wants to get involved with security architecture in J2EE applications and web services. If you are a Java guy, then go for it.
9 of 9 people found the following review helpful:
5.0 out of 5 stars
Recommended for All Security Architects,
By
I have found all the Sun "Core" Java books to be a cut above, but this one differs in that while obviously Java-centric, many of the patterns discussed are relevant to all development platforms. I'd recommend this book to developers and architects of web services and web applications regardless of their preferred development environment.
9 of 9 people found the following review helpful:
5.0 out of 5 stars
The *ONLY* Working JAAS Example,
By Jerry Hewett (Temecula, CA)
Amazon Verified Purchase
Considering how many other completely useless WS-Security references (and websites, and example programs, and...) I've been through, it was a huge relief to FINALLY find one that contains WORKING code for JAAS authorization. Even though I still don't have all the answers I need (thanks to truly hideous examples and the complete and utter lack of any worthwhile or accurate documentation in JWSDP 2.0) this book is worth its weight in gold, AFAIC.
18 of 21 people found the following review helpful:
5.0 out of 5 stars
A must for every web java coder,
By
They say there is an average of a 1000 web defacements a day on the Internet (where do they get such statistics?). And yet, if you talk about security to an application development shop... until recently they looked at you like you were nuts.
That is changing and more high quality resources for secure code development are becoming available. However, this book is going to be tough to beat. Chapters one and two are forgettable, but that is forgivable, because they only go to page 95 and there are 900 pages of real meat ahead. At 39.00 if this book is sold by the pound, it is one of the best buys on the shelf. The author team does the best job I have seen in a long time of making the concept clear in plain English and then jumping into the here is how you do it. NOTE: I loaned my copy to a friend who is a coder last Friday and he just called to tell me he loves the book, so at least two coders are pretty impressed with this one.
13 of 15 people found the following review helpful:
5.0 out of 5 stars
Practical guidance to J2EE security and more,
By Michael Somers "SecurityGuy" (Freemont, CA)
I am a Security consultant from one of the Big5 consulting organizations and I am involved with building security for a bunch of large-scale business applications. I've been scouting on the Internet for months looking for relevant Java security material for defining architecture, patterns, API usage, how-tos, implementation options, best practices and deployment models that help me to make architectural and implementation decisions. After reading the book info I got via Google, I bought this book with confidence... With almost 3 weeks of reading, I must say this is the book I had been looking for for years, and coincidentally this book has answers to all my questions like a one-stop reference. The book digs into everything I needed to know about Java security and also the relevant architecture, patterns, best practices for building security in enterprise grade J2EE applications. From a security architect standpoint, I liked the following:
+ How-to's and when to use Java Security APIs (JCE, JCA, JSSE, JAAS, JCERT, SASL)
+ Implementing Security with JSP/Servlets/EJB/JDBC/JMS/J2EE connectors/JACC etc.
+ J2EE network topology options and how to design the network deployment for security and scalability
+ How to secure thick/thin clients, J2ME clients interacting with server-side J2EE apps.
+ Practical scenarios for using WS-Security, XML Signature, XML Encryption, XKMS, XML Firewalls
+ Enabling Single sign-on and When to use SAML, Liberty ID-*, XACML.
+ Security architecture, patterns, best practices and pitfalls to consider in designing and deploying Web-based and EJB applications, Web services, Identity management and user account provisioning.
+ RUP based Application security methodology, risk analysis, trade-off analysis, policy design, testing, reality checks to consider before implementation.
+ How to use crypto for obfuscating, securely logging and auditing data within J2EE apps.
+ How to use PKI, hardware tokens, smartcards in Java based applications.
+ How to incorporate smartcards, biometric authentication technologies in J2EE apps.
+ Real-world case study architecture (for a web portal) showing how to demonstrate end-to-end security using patterns and best practices.
In addition, the authors cover extremely well on a number of subjects on security that J2EE application developers have to deal with every day. Having said that, with this book in hand, a J2EE architect would be able to craft security by applying appropriate APIs and patterns compositely. This is my next book recommendation for all my team members embarking on a J2EE project. In all, this book will be a required reading for anyone who lays claim to be a security expert on J2EE.
17 of 21 people found the following review helpful:
5.0 out of 5 stars
Excellent design and implementation reference work,
By Jack D. Herrington "engineer and author" (Silicon Valley, CA) (VINE VOICE) (REAL NAME)
This is a tome to be sure. It clocks in about a thousand pages with a weight to match. But this isn't a screen shot filled doorstop. This is an excellent theory level walkthrough of Java web standards, in addition to having implementation level code samples. It works on both counts that way, and that's pretty unusual for web services books.
The writing and illustrations are good. I quibble a little with the code formatting and the lack of annotation. But those are minor complaints for what is a fine work.
8 of 9 people found the following review helpful:
5.0 out of 5 stars
A definitive guide to enterprise-level application security...,
By Thomas Duff "Duffbert" (Portland, OR United States) (VINE VOICE) (TOP 500 REVIEWER) (HALL OF FAME REVIEWER) (REAL NAME)
If you're building enterprise-level applications that do *anything* with security, this is a book you need to consider reading... Core Security Patterns - Best Practices and Strategies for J2EE, Web Services, and Identity Management by Christopher Steel, Ramesh Nagappan, and Ray Lai. If you need to know it, it's in here...
Contents:
Part 1 - Introduction: Security by Default; Basics of Security
Part 2 - Java Security Architecture and Technologies: The Java 2 Platform Security; Java Extensible Security Architecture and APIs; J2EE Security Architecture
Part 3 - Web Services Security and Identity Management: Web Services Security - Standards and Technologies; Identity Management Standards and Technologies
Part 4 - Security Design Methodology, Patterns, and Reality Checks: The Alchemy of Security Design - Methodology, Patterns, and Reality Checks
Part 5 - Design Strategies and Best Practices: Securing the Web Tier - Design Strategies and Best Practices; Securing the Business Tier - Design Strategies and Best Practices; Securing Web Services - Design Strategies and Best Practices; Securing the Identity - Design Strategies and Best Practices; Secure Service Provisioning - Design Strategies and Best Practices
Part 6 - Putting It All Together: Building End-to-End Security Architecture - A Case Study
Part 7 - Personal Identification Using Smart Cards and Biometrics: Secure Personal Identification Strategies Using Smart Cards and Biometrics
Index
With the emphasis on Service Oriented Architecture (SOA) these days, it's likely that you'll be building systems that interact with other systems in ways you may not have envisioned. And it's a given that if someone is trusting you to provide a service, they're also trusting you to make sure that service interaction is secure. Core Security Patterns is an exhaustive volume on security as it relates to J2EE applications, web services, and other associated types of applications that drive today's business.
The authors start out each section with a clear explanation of the issues involved in security for that given subject (like web services) and then go on to explain the different technologies that can be used to address those issues. They don't get into deep examination of specific APIs, but they do go into enough code to make a Java developer happy.
After all the issues and options are presented, there's a presentation of security patterns that can be applied to a number of application scenarios. The value of patterns is that you can architect your system to take advantage of accumulated wisdom surrounding secure applications, without having to redesign the wheel. You'll still need to implement the design within your application, but the pattern gives you the overall structure you need to consider. With the core patterns found in this book, you shouldn't have to find yourself explaining why a significant security design was flawed. With software systems handling billions of dollars in transactions each year, the stakes are high to ensure that the system is solid and secure. Not only is the dollar amount at stake incredibly high, the trust that others have in your organization hinges on this key area. Spending money on this book now greatly reduces your chances of spending millions to repair your systems later... Assuming you have an organization left to repair...
9 of 11 people found the following review helpful:
5.0 out of 5 stars
good reference book for security fundamentals and applying patterns,
By Victor Jenkins "Victor the Critic" (Sanjose, CA)
This is the third pattern book in my collection (the other two are Core J2EE patterns and the Enterprise Integration Patterns) and IMHO this is the best example oriented security book for demonstrating how patterns can be really applied in enterprise application security situations. This is also the first security book I've seen that supports a real-world application development process where the real heavy lifting takes place in terms of using security methodology, then do security design by proactively identifying risks and secure them using patterns. The security patterns are well grouped to address the security issues with J2EE application tiers - web tier, business tier, web services tier, identity, user provisioning. I also liked the long-list of security best practices and pitfalls summarized in every patterns chapter - which helps a developer like me what are the security considerations I should be aware and make decisions before dropping the application in production. The authors also did a good job explaining all the required security fundamentals before we dive in to using patterns and best practices.
6 of 7 people found the following review helpful:
4.0 out of 5 stars
Very thorough,
By
I'm now just less than half way through with this book. So far I find it very thorough and covers a lot of issues. The only problem I see so far is that it is full of typographical errors. The code examples are also full of errors. Overall I'm very happy I'm reading this book.
6 of 7 people found the following review helpful:
5.0 out of 5 stars
best security book for java applications,
By Surjeet Singh (Toronto, ON, Canada)
I found most of the other security books about this subject are three or more years old. In other words, too old to be useful.
This book covers every detail about implementing security with Java, from the details of the Java sandbox to J2EE security options and security for web services. The patterns and best practices are well discussed with good scenarios and sample code examples. It's a really well done book and a good reference for anyone who wants to know best practices and techniques.
Core Security Patterns: Best Practices and Strategies for J2EE™, Web Services, and Identity Management by Christopher Steel (Hardcover - October 24, 2005)