Enterprise Java™ Security: Building Secure J2EE™ Applications
 

Enterprise Java™ Security: Building Secure J2EE™ Applications [Paperback]

Marco Pistoia (Author), Nataraj Nagaratnam (Author), Larry Koved (Author), Anthony Nadalin (Author)
3.6 out of 5 stars (15 customer reviews)

Price: $59.99


Book Description

ISBN-10: 0321118898 | ISBN-13: 978-0321118899 | Published: February 27, 2004 | Edition: 1

Enterprise Java™ Security: Building Secure J2EE™ Applications provides application developers and programmers with the know-how they need to utilize the latest Java security technologies in building secure enterprise infrastructures. Written by the leading Java security experts at IBM, this comprehensive guide covers the current status of the Java™ 2 Platform, Enterprise Edition (J2EE), and Java™ 2 Platform, Standard Edition (J2SE™), security architectures and offers practical solutions and usage patterns to address the challenges of Java security.

To aid developers who need to build secure J2EE applications, Enterprise Java™ Security covers at length the J2EE security technologies, including the security aspects of servlets, JavaServer Pages™ (JSP™), and Enterprise JavaBeans™ (EJB™)—technologies that are at the core of the J2EE architecture. In addition, the book covers Web Services security.

Examples and sample code are provided throughout the book to give readers a solid understanding of the underlying technology.

The relationship between Java and cryptographic technologies is covered in great detail, including:

  • Java Cryptography Architecture (JCA)
  • Java Cryptography Extension (JCE)
  • Public-Key Cryptography Standards (PKCS)
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Java Secure Socket Extension (JSSE)


Editorial Reviews

From the Back Cover

“For a long time, there has been a need for a J2EE™ security book. I am very happy to see there is now a book that can answer many of the technical questions that developers, managers, and researchers have about such a critical topic. I am sure that this book will contribute greatly to the success of the J2EE platform and e-business.”
—From the Foreword by Steven A. Mills, Senior Vice President and Group Executive, Software Group, IBM Corporation


About the Author

Marco Pistoia is a Research Staff Member in the Java and Web Services Security department at the IBM T. J. Watson Research Center in Yorktown Heights, New York. He has written ten books and several conference papers and journal articles, and has also presented worldwide on all areas of Java and e-business security. Most recently, he was the lead author of the book Java 2 Network Security, Second Edition (Prentice Hall, 1999).

Nataraj Nagaratnam is a Senior Technical Staff Member and the lead security architect for IBM’s WebSphere software family in Raleigh, North Carolina. He has coauthored the Web Services security specifications and actively participates in the Java community process on the topics related to J2EE security. He was the lead author of one of the first books on Java networking, Java Networking and AWT API SuperBible (Waite Group Press, 1996).

Larry Koved is a Research Staff Member and the manager of the Java and Web Services Security department at the IBM T. J. Watson Research Center in Yorktown Heights, New York. He was actively involved in the design of JAAS and the EJB V1.1 security architecture, has published over twenty-five articles and technical reports, and has presented at conferences worldwide.

Anthony Nadalin is a Senior Technical Staff Member and IBM Software Group’s lead security architect for Java and Web Services in Austin, Texas. He is responsible for security infrastructure design and development across IBM, Tivoli, and Lotus. He has authored and coauthored over thirty technical journal and conference articles, as well as the book Java and Internet Security (iUniverse.com, 2000).




Product Details

  • Paperback: 608 pages
  • Publisher: Addison-Wesley Professional; 1 edition (February 27, 2004)
  • Language: English
  • ISBN-10: 0321118898
  • ISBN-13: 978-0321118899
  • Product Dimensions: 9.1 x 7 x 1.4 inches
  • Shipping Weight: 1.8 pounds
  • Average Customer Review: 3.6 out of 5 stars (15 customer reviews)
  • Amazon Best Sellers Rank: #1,772,257 in Books

 

Customer Reviews

15 Reviews
5 star: (2)
4 star: (9)
3 star: (1)
2 star: (2)
1 star: (1)

Most Helpful Customer Reviews

8 of 8 people found the following review helpful:
4.0 out of 5 stars A good book on Java security, July 14, 2004
By Frank Cohen (Silicon Valley, California)
This book makes me nostalgic for the early SAMS Publishing Unleashed series of books on Java. Remember when you first learned what a servlet was? That's the feeling I get when reading Enterprise Java Security. The book does a good job explaining how Secure Sockets Layer (SSL), object-level security, Kerberos, and legacy security came about. It then shows detailed examples with sample code how to implement each of the security techniques. The text is surprisingly complete, including coverage of Web Service Security protocols and techniques.


9 of 10 people found the following review helpful:
4.0 out of 5 stars A solid resource, March 9, 2004
By Lasse Koskela (Helsinki, Finland)
Security is a topic which often seems to be given too little thought. This book gives a hand for the J2EE developer new to security on a Java platform and, especially, on the J2EE platform.

The book has been split into five parts. I have gathered my thoughts about each in their separate paragraphs below.

Part I discusses the needs of enterprise application security in general, and how these needs are associated with the J2EE components on a two or three-tier architecture, illustrated with pretty pictures of firewalls etc. The discussion is high-level in nature and acts mainly as a smooth entry into the mind-set of implementing security into your application.

Part II takes the focus inside J2EE and shows what kind of handles the J2EE architecture provides for security-related services such as authentication and authorization. Basically, this part of the book explains the programmatic and declarative security for web applications and Enterprise JavaBean components. The writing is very easy to understand but I would've liked to see one or two complete examples of a deployment descriptor instead of just small snippets. To me, seeing a full example would seem like a great way to tie things up in the context.

Part III, titled "The Foundations of Java 2 Security", is something I'm sure I'll come back to when I have to deal with J2SE security. The authors describe the whole shebang from class loaders to security managers and the horde of different types of permissions. This part also includes a chapter about the Java Authentication and Authorization Service (JAAS), which is top-notch amongst those I've seen about the subject. Clear writing combined with precise and illustrative examples. The one topic that could've deserved some concrete usage help was the command-line utilities such as keytool and jarsigner. Also, applet security was only mentioned in passing (the word "applet" can't even be found in the index), which may or may not be significant for the reader.

Part IV is dedicated to the art of cryptography. After presenting the basics of cryptographic algorithms, secret and public-key cryptography, the authors continue by discussing how the selected algorithms affect the confidentiality, integrity, authenticity, and non-repudiation properties of data. The chapters also discuss digital signatures, certificates, and key distribution on a high level. The rest of the fourth part shows how the JCA and JCE frameworks are built (i.e. how the pluggable implementation architecture works) and how the relevant APIs are used. The Java Secure Socket Extension (JSSE) for SSL is also presented with a couple of very nice examples including server and client authentication.

The fifth and final part talks about "advanced" topics such as web services security and some security considerations for container providers (which seems a bit out-of-place in this book). The subjects are covered only very superficially, which is understandable because the area of web services security admittedly requires a whole book to discuss in detail.

I can recommend this book as a solid source of information for J2EE security topics. Accompanied with vendor-specific documentation on deployment and configuration issues, you probably won't need anything else for your security needs. Its biggest weakness, in my opinion, is the lack of more complete sample code which could've at least been published online.



6 of 6 people found the following review helpful:
4.0 out of 5 stars Bird's Eye View on J2EE Security, December 5, 2004
If you know nothing about Java Security, this book will be a good book for you to fly over the air and see what's inside J2EE security. It basically covers Java security architecture, EJB and web Application security, plus an overview on PKCS and S/MIME and Web Services security.

If you have known about JCA, JCE, JAAS, JSSE, you have known half of the book's content. If you have developed EJB and Web applications, you have known another quarter of this book.
