Customer Reviews

Inside Java(TM) 2 Platform Security: Architecture, API Design, and Implementation

5 star:		(5)
4 star:		(2)
3 star:		(2)
2 star:		(3)
1 star:		(1)

 

 

The Java 2 security APIs are large, complex, and quite difficult to understand (in fact, their complexity makes me very much afraid that their use will lead to widespread security problems in deployed Java applications, as application writers and site administrators are going to have a hard time keeping track of everything).

Unfortunately, this book provides a difficult and dense coverage of Java 2 security. While it is doggedly thorough in its treatment of the security APIs, it does not ease the task of "pulling it all together" for the reader; if your understanding of Java 2 security is fragmentary when you start reading this book, it will not feel any more coherent when you are done.

Much of the book has the feel of a "laundry list" to me; it reads as if the author felt he had to enumerate absolutely every security feature in Java 2. The result is that sections that are likely to be of marginal interest to most readers, such as PKI certificate management, receive about the same amount of coverage as subtle and important topics such as domain handling and permission checking.

The prose in this book is simply leaden; on a number of occasions, I found myself having to read a paragraph several times, simply to figure out what the author was trying to say.

While this book is invaluable for the information it contains (I will grant that it is much easier to navigate than Sun's security web pages), it is a great disappointment to me.

This uninspired coverage of the Security API is a real disappointment considering that it comes from Sun. The Security API is not trivial and the 150 pages that cover Security API classes are not sufficient to provide the in-depth analysis needed to understand and manipulate the API. This book is a good overview of the Security API. There are some good general security discussions, and some historical perspectives on why the API is designed the way it is. I read this book after reading the O'Reilly security book which is much more thorough.

If you are new to Java, then you shouldn't buy this book.
If you are new to security, then you shouldn't buy this book.
If you prefer loads of examples instead of dense and precise explanations, then you shouldn't buy this book.
If you are looking for a pictorial guide on Java security, then you would probably have to go somewhere else as well.

However...

If you know your Java basics,
If you like completeness,
If you like preciseness,
If you want to know why the APIs look the way they do,
If you take nothing for granted,
If you want an update on latest changes,
If you like things to be drawn in a historical perspective,
If you want a book that you can pick up and read a chapter without having to go through it in a linear way,
If you are serious about security,
In that case you should now pick up your coat, and run to the nearest bookstore to buy this book.

The only thing I found odd in this book is the introduction into security, covering a discussion in general, and an overview of different types of security and access control models. The weird thing is that it introduces a lot of concepts, without actually refering to any of them in the chapters later on.

This book provides comprehensive coverage of the Java Security Architecture.

As with all good security books, this one begins with an introduction to the fundamentals of computer and network security. For those new to Java security, there is also brief intro to security of the Java language and platform. The book quickly gets into the details of the new Security Architecture, with a detailed description of what is there, why it is there and how to use it. Sections on deploying and customizing the SA are of practical use to anyone in this situation. The book also contains a concise and useful discussion of object security and how to go about getting it. There is a detailed discussion of the Java Cryptography Architecture, a must if you plan on using the cryptographic functionality. The book concludes with a thought-provoking section on future directions. This book stands out because of the insightful discussions on why design decisions were made and the implications of these decisions. This makes the book interesting reading even if you aren't going to implement the SA in the immediate future. If you are planning on implementing the SA, don't do it without this book within grabbing distance.

I'm not surprised this book has drawn so many negative reviews. This book is indeed difficult to digest but then the Java Security model itself is rich, subtle and takes time to master. The book does an admirable job of explaining the motivation behind the complete overhaul of the Java 1.1 security architecture, the Java 2 security API design nuances, the flexibility of the fine-grained access-control model in Java 2 and how the backward compatibility concerns with code written with 1.1 style security checks were addressed in the new design. The book also has an intersting chapter addressing security needs of objects in transit (RMI) and a short chapter on cryptography, which anyway is a vast subject in its own right. The key chapters to read are the 3,4 and 5, especially for people who have some background in Java 2 security.

On the negative side, I have to say, the book is inconsistent in parts - I have trouble believing that Li Gong wrote the entire book himself. It's amazing to see chapters discussing at length how you install Java 2, change your CLASSPATH on different platforms etc. while in the same book elsewhere, you see terse, packed explanations about how the classloader hierarchy works in 1.2 or how the basic access control algorithm is extended for privileged operations and some very concise but useful discussions about possible design alternatives in the core library itself. The code samples are very insightful in that they illustrate the workings of some of the core library classes itself with the new security infrastrucure and not some toy samples. However, this also makes the book an unlikely candidate for gleaning ready to use code samples from, which means, if you are looking for how to's and not whys this is probably not the book for you, you might want to consider the Oreilly book.

For people well experienced in Java and OO design, if you want to learn insights about why the security apis are designed the way they are, you might well consider giving this book multiple reads. It's well worth the effort.

In short, this is a difficult but good book. Hopefully, in subsequent editions Li Gong would work on making it better, and also include more details on interesting new additions like JAAS etc.

One of my coworkers asked me today whether I thought a Java based approach to email encryption was sensible; how could he evaluate the merits of the design? I told him the first thing I would do is get Li Gong's book "Inside Java 2 Platform Security," it is the most complete coverage of Java security available, and read it cover to cover. Then we could discuss the problem in depth.

In fact this book is a complete coverage of the java security.
It is true, that the subject is quite complex and needs concentration
to be understood perfectly. However I believe this books lacks suitable examples.
In my personal point of view, providing sufficient clear examples in a book,
will help the reader to understand better the subject.
I didn't find this important quality in this book.
If somebody wants to buy a book about Java security, this
means that he/she didn't understand completely the whole subject, just
by reading the API on Sun web site and therefore he/she is looking for
a better source of information that illustrates the subject in a more
convenient and clear way. Unfortunately this book, although complete
in the coverage of the topics, is too far a way to be considered as a clear
and easy understanding book, particularly, for those who are not already
seniors in Java security.

For someone who is trying to get a grasp of a complicated subject, this books is too difficult to read. The author's numerous citations were impressive, but again I thought got in the way of the subject. The book needs real world examples. To make matters worse, there were a number of errors, especially with the illustrations, which made it even more difficult to follow.

A work of exceptionally poor quality - an editorial disaster that is an insult to the reader. To date, the Java Series has been very impressive indeed. The otherwise outstanding team at Sun is let down very badly by this effort.

This book is certainly gives good introduction to the fundamentals of Java security. For those new to Java security, there is also brief intro to security of the Java language and platform. The coverage on Java Security APIs are bit narrow and needs lot of update on JCE, JAAS, JSSE etc.
Frankly speaking this book is a bit obsolete and now it's for the authors to come out with a new edition including Java 5 and Java 6 !