
GlassFish Security [Paperback]

Masoud Kalali
3.8 out of 5 stars (6 customer reviews)

List Price: $44.99
Price: $42.74 & FREE Shipping. Details
You Save: $2.25 (5%)

Book Description

Publication date: May 11, 2010 | ISBN-10: 1847199380 | ISBN-13: 978-1847199386
Security is driven by requirement and design and we implement security on the basis of the requirements provided by analysts. In this book, we take a programmatic approach to understand Java EE and GlassFish security.

You will find plenty of code samples in this book. It is easy to secure your application when you have a demonstration of a complete and working application explained in the book, isn't it? Each chapter starts with the importance and relevance of the topic by introducing some Java EE applications requirement, which will encourage you to read it further.

This book is for application designers, developers and administrators who work with GlassFish and are keen to understand Java EE and GlassFish security.

To take full advantage of this book, you need to be familiar with Java EE and GlassFish application servers. You will love this book if you are looking for a book that covers Java EE security and using GlassFish features to create secure Java EE applications, or to secure the GlassFish installation and operating environment and using OpenSSO.


Editorial Reviews

About the Author

Masoud Kalali

Masoud Kalali has a software engineering degree and has been working on software development projects since 1998. He has experience with a variety of technologies (.NET, J2EE, CORBA, and COM+) on diverse platforms (Solaris, Linux, and Windows). His experience is in software architecture, design, and server-side development.

Masoud has published several articles at Java.net and DZone. He has authored multiple refcards, published by DZone, including Using XML in Java, Java EE Security and GlassFish v3 refcards. He is one of the founder members of the NetBeans Dream Team and a GlassFish community spotlighted developer.

Masoud's main area of research and interest includes service-oriented architecture and large scale systems' development and deployment and in his leisure time he enjoys photography, mountaineering and camping.

Masoud blogs on Java EE, Software Architecture and Security at his java.net blog, and you can follow him on his Twitter account.

Masoud can be reached via Kalali@gmail.com in case you had some queries about the book or if you just felt like talking to him about software engineering.


Product Details

  • Paperback: 296 pages
  • Publisher: Packt Publishing (May 11, 2010)
  • Language: English
  • ISBN-10: 1847199380
  • ISBN-13: 978-1847199386
  • Product Dimensions: 7.5 x 0.6 x 9.2 inches
  • Shipping Weight: 1.2 pounds
  • Average Customer Review: 3.8 out of 5 stars (6 customer reviews)
  • Amazon Best Sellers Rank: #484,785 in Books

Customer Reviews

3.8 out of 5 stars (6)
Most Helpful Customer Reviews
1 of 1 people found the following review helpful
Format:Paperback
This is a comprehensive book that covers all if not all security topics that have to do with GlassFish -- I checked all cases that I ran into when I was using / developing on / developing GlassFish. In all cases, the book did an excellent job in describing how GlassFish works, and how to set up or program the security aspects in question.

If you're working with GlassFish, this book deserves a place on your bookshelf!

(Full disclosure: the publisher sent me a free copy for evaluation)
1 of 1 people found the following review helpful
4.0 out of 5 stars A good read! July 18, 2010
Format:Paperback
The content
The book has eight chapters. After a short introduction to the Java EE security model in chapter one it moves on to GlassFish security realms. Another twenty something pages tell you about designing and developing secure Java EE applications. Chapter four dives into secure GlassFish environments followed by the fifth chapter caring for a secure GlassFish itself. Done with those, you are half through at page 146. The second half of the book is dedicated to two other products from the former Sun stack. Open Directory Services (OpenDS) is introduced in Chapter six. Followed by an introduction to OpenSSO (Open Single Sign-On) in chapter seven. Chapter eight describes how to secure Java EE applications using OpenSSO. The last chapter nine is dedicated to Web Service security with Open SSO. Each chapter is finished by a separate summary. The book closes with an index. Makes 275 content pages.

Writing and style
The book is an easy read. Not too complicated even for non-native speakers like me. The author takes the time and space needed to describe most basic concepts and contexts. Very frequent links and tips in separate boxes help the reader to find out more about most of the topics. I also like the paperback and the format. It is easy to carry around and to use it as a reference book.

My expectations
To be honest, I expected to read more about GlassFish and security as the title promised. Half the book the author is working with OpenDS and OpenSSO. Both not part of the GlassFish family and not necessarily related to Enterprise Java development. For sure, both products address problems developers face working. But every enterprise has its own solution for this. And I personally do meet commercial products far more often.
The Java EE security basics are suitable for beginners. Nothing new to me and quite surprising, because I was looking for GlassFish specific content. It was there but only in between and not too prominent.
The most valuable to me are the GlassFish specific chapters about secure environments, realms and security administration.
I was disappointed not to see any personal tips and best practices from the author. As already said, he has quite some experience and you can even feel this reading the chapters. But the details are missing.

Conclusion and recommendation
After all my criticism: This is a good book worth reading. Not only for experts but especially for beginners. The experts might like it as reference book. Beginners get a most complete introduction to all security related issues around Java EE with GlassFish 2 and 3. Even if you should know Java EE and GlassFish prior to reading.
1 of 1 people found the following review helpful
4.0 out of 5 stars GlassFish Security Review June 30, 2010
Format:Paperback
GlassFish is Sun Microsystems' open source application server. It is a competitor to JBoss AS and Apache Geronimo in the open source arena, and is my app server of choice.

Packt Publishing requested that I review one of their latest titles on the subject of GlassFish: GlassFish Security by Masoud Kalali, available to buy from Packt's web site.

GlassFish Security has been a worthwhile read, adding to my awareness and knowledge of Java EE security best practices. I will definitely be applying the information presented in the book to current projects and future system design and development work.

GlassFish Security covers a very wide range of security topics, some of which will be applicable to web applications deployed on any JEE application server, whilst others are GlassFish and even host operating system specific.

The book doesn't just focus on programmatic security, making use of security APIs, annotations and XML configuration, but takes more of a complete systems view. OS and network security constraints, as well as enterprise wide system architecture considerations are explored.

The book is targeted at developers and system administrators, who have a sound footing working with JEE application servers, EJB development and have a working knowledge of Linux. To fully take advantage of this book you should know your way around the latest versions of GlassFish and probably NetBeans, have a Debian or Ubuntu install available, and have a keen interest in designing systems with security built in from the start.

The title of the book could quite easily have been GlassFish Security with OpenDS and OpenSSO, as they feature heavily in the later chapters. If your project has no need to interact with an LDAP server, or your organisation has no strategy for a single sign on solution or identity federation management, then these chapters may not be useful to you.

The book starts out from first principles with an overview of Java EE architecture and application modularisation and deployment. It's a slow start for an audience with experience of developing enterprise Java applications, but it establishes common terminology and is a good starting point to introduce fundamental security topics from.

The pace quickly picks up, security concepts such as authentication and authorisation, programmatic EJB security, XML configuration vs annotations, and roles, principals and groups are explained and demonstrated.

Covered next are the default security realms available to GlassFish and how to implement custom realms and authentication methods.

A source code download for this and subsequent chapters is provided, although currently the source code for chapter two seems to be a duplicate of chapter three. Also, the book states that the build and deployment system used for the source is Maven, which it isn't. The source comes with standard NetBeans project files which use Ant for build and deployment.

Chapter three is probably the most useful for developers starting out with EJB development and web application security, and where the first real bit of programming starts. The chapter guides us through the end-to-end development and deployment of a JEE web application. The code uses a JPA persistence layer for accessing a MySQL database, a servlet containing some business logic and a simple JSP front end. Security constraints are applied to the application, with authentication and authorisation done via interaction with a file security realm.

Some Linux administration knowledge is required for the next chapter concerned with locking down security on the host operating system and Java virtual machine. The examples given are intended for Debian based Linux distributions and consist of configuring user, file system, disk quota, network interface and port restrictions. JVM and GlassFish policy file configuration are explored, as well as a discussion on the advantages of enabling default auditing modules.

Naturally following on from the previous chapter, chapter five is concerned with configuring the GlassFish server itself, both from the command line and the admin interface. Restricting the IP addresses authorised to access network listeners and isolating applications using virtual servers are covered.

From chapter six onwards the book takes more of an architectural approach to security considerations.

This chapter describes to us the hierarchical nature of security data, and why it might not be best stored in a relational database, and instead in a directory service. OpenDS, an open source LDAP server is introduced, and its installation, administration, configuration and integration with our applications are explored.

Chapters seven, eight and nine, the remainder of the book, revolve around another open source project OpenSSO. OpenSSO is a single sign on solution which integrates seamlessly with GlassFish. Useful topics from chapter seven include using RESTful calls to the OpenSSO API to authenticate and authorise users.

Chapter eight introduces SSO Agents and filters configured in an application's web.xml to intercept calls and apply security measures. OpenSSO allows for very fine grained access controls which require no changes to application code and can be managed all from one place, very useful stuff that I'd like to take advantage of in future systems.

Finally, chapter nine builds on how to use OpenSSO in conjunction with a Web Services Agent to secure a simple SOAP web service deployed on GlassFish.

Overall this is a good book, covering a much wider range of security aspects than I expected. It gives you a great starting point on a breadth of topics but doesn't get to cover them in great depth.

As a developer I would have liked to see more advanced examples for chapters one to five, really getting to the nitty gritty of some real world examples. Maybe some advice on good practice when faced with tough design choices, how to avoid common pitfalls, security patterns and anti-patterns; the sort of stuff above and beyond what you might get from online GlassFish tutorials and Javadoc.

OpenSSO probably deserves a book in its own right, and although I have no immediate application for the information in the chapters that feature it, I'm glad I read them and now have a basic understanding to build on in the future. GlassFish Security benefits from these inclusions and they help it to be the comprehensive introduction to security that it is.

I was disappointed that source code printed in the book and available for download occasionally contained errors and wasn't supplied with Maven build scripts. These things slightly reduce the quality of an otherwise well written and well structured book.

I will definitely be implementing some of the information presented in this book in future Enterprise Java projects; I'll always consider the pros and cons of using a directory server before storing user credentials in relational tables; and GlassFish Security will be my first reference when considering system security design and implementation.