J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) [Paperback]

Art Taylor (Author), Brian Buege (Author), Randy Layman (Author)
3.3 out of 5 stars (6 customer reviews)

Price: $54.95

Book Description

Hacking Exposed September 24, 2002
Written in the same exciting and informative style as the international blockbuster Hacking Exposed, this book provides comprehensive coverage of the tools and techniques for testing and correcting J2EE and Java security issues. Includes examples of J2EE attacks and countermeasures, risk ratings throughout the chapters and case studies.

Editorial Reviews

From the Back Cover

Secure your Java and J2EE applications--from the hacker's perspective

Application security is a highly complex topic with new vulnerabilities surfacing every day. Break-ins, fraud, sabotage, and DoS attacks are on the rise, and quickly evolving Java-based technology makes safeguarding enterprise applications more challenging than ever. Hacking Exposed J2EE & Java will show you, step-by-step, how to defend against the latest attacks by understanding the hacker's methods and thought processes. You'll gain insight through examples of real-world attacks, both ordinary and sophisticated, and get valuable countermeasures to protect against them. You'll also find an in-depth case study with Java and J2EE security examples and actual working code incorporated throughout the book.

What you'll learn:

  • The proven Hacking Exposed methodology to locate and patch vulnerable systems
  • How to apply effective security countermeasures to applications which use the following Java enterprise technologies: Servlets and Java Server Pages (JSPs); Enterprise Java Beans (EJBs); Web Services; Applets; Java Web Start; Remote Method Invocation (RMI); Java Message Service (JMS)
  • How to design a security strategy that extends throughout a multi-tiered J2EE architecture using J2SE 1.4 and J2EE 1.3
  • What common, but devastating, vulnerabilities exist within many J2EE applications
  • How to use the J2EE security architecture to create secure J2EE applications
  • How to use the Java security APIs, including the Java Authentication and Authorization Service (JAAS), the Java Cryptography Extension (JCE), and the Java Secure Socket Extension (JSSE)
  • How to create applications that proactively defend against malicious users, content manipulation, and other attacks.
  • Valuable tips for hardening J2EE applications based on the authors' expertise

About the Author

Art Taylor (Flemington, NJ) has a master's degree in Information Technology and over 17 years' experience in the computer industry. The majority of that experience was spent developing database applications for relational databases where security of business information assets was always an important concern. He has worked with Java since its inception, authoring one of the first technical books on the JDBC API, the "JDBC Developer's Resource" for Prentice Hall, and authoring several other Java books since then. He has worked on a number of Web development projects using Java and has spent the last year teaching Java courses for Sun Microsystems. He is a Sun certified Java programmer and instructor.

Paul Gier (Coconut Creek, FL) has more than 7 years' experience in the IT industry, focusing on Java technology, and has spent the last two years teaching Java technology across the US. Paul has worked as a software engineer at a number of firms using Java and various application servers. He is a certified Java Developer and Enterprise Architect as well as a Certified Cisco Network Associate.

Brian Buege (McKinney, TX) has a master's degree in Computer Science and more than 11 years' experience in the computer industry. Part of that experience was spent in the field of security planning, secure system development and security training for the US Army and US Army Reserve. He has taught computer science and mathematics at the college level, managed large development projects and computer services departments, and provided Java instruction for Sun Microsystems. He is a certified Java programmer and developer and a Sun certified Java instructor.

Product Details

  • Paperback: 426 pages
  • Publisher: McGraw-Hill; 1st edition (September 24, 2002)
  • Language: English
  • ISBN-10: 0072225653
  • ISBN-13: 978-0072225655
  • Product Dimensions: 9.3 x 7.5 x 1 inches
  • Shipping Weight: 1.6 pounds
  • Average Customer Review: 3.3 out of 5 stars (6 customer reviews)
  • Amazon Best Sellers Rank: #1,825,431 in Books

Customer Reviews

6 Reviews
5 star: (3)
4 star: (0)
3 star: (1)
2 star: (0)
1 star: (2)

Most Helpful Customer Reviews

14 of 14 people found the following review helpful:
5.0 out of 5 stars Security for advanced Java developers, November 12, 2002
By 
This review is from: J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) (Paperback)
The book uses an example Java application which is initially very unsecure, and throughout the book the vulnerabilities of the example are discussed and countermeasures are written. Then the application is web-enabled, creating new vulnerabilities which are fixed again, and so on. This way the complex material is covered in an easily accessible yet comprehensive way, without becoming lengthy. This book is a must-have for any serious Java web developer interested in application security. Not recommended for beginners, though.


6 of 6 people found the following review helpful:
3.0 out of 5 stars Good book, with reservations, March 15, 2004
By 
Amazon Verified Purchase
This review is from: J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) (Paperback)
This book has some nice examples and is fairly complete, but some sections are basically a regurgitation of the java.sun web site!
In many technical books, it is common to find multiple authors, each writing a section based upon his/her expertise. Since each author has a specific writing style and personality, there is usually a person (or persons) charged with proofing and approving the sections as well as working to make the transitions seamless and consistent. This book was written by three different authors and it would appear to me that at least one of the authors turned in work that is remarkably similar to existing sources!

Here is a sample of the JCE section in Hacking Exposed:
"The Java Cryptography Extension (JCE) package provides a framework for encryption and decryption, key generation, key agreement, and MAC. Encryption allows symmetric, asymmetric, block, and stream ciphers, with additional support for secure streams and sealed objects."
Now here is the verbiage from the java.sun.com website:
"The Java™ Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects."

To be fair, it appears that the problems are confined to the first section of the book. The final 2/3 of the book are closer to what I expect from the Hacking Exposed series.



22 of 28 people found the following review helpful:
1.0 out of 5 stars Not a Hacking Exposed book at all, February 6, 2003
By 
This review is from: J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) (Paperback)
If this book had been titled differently, I would have had no
reason for complaint: it gives a good introduction to Java
Security, and how to deploy it in various forms.

But it *is* titled 'Hacking Exposed'. That is now taken
to be an indication of a particular approach to security,
... The blurb acknowledges it: 'The proven Hacking Exposed
methodology' is the first thing mentioned under 'What You Learn'.

And I bought this title without second thought -- I have
nothing but praise for the previous books, and expected
to find the same approach and the same quality here.

In this book you find a lot of information on prevention, but
very little on actual vulnerabilities. As a result the
message is far less urgent. If I can demonstrate a 'hack'
the message gets across very quickly: we have to do something
about it now. But if all I can do is point to a text that
says 'attackers can potentially attach a debugger to our
application and watch the code as it runs', urgency is gone.

There's another point there as well: 'our application'.
Those words probably sum up the difference from, say, 'Hacking
Exposed Web Applications'. This book is not from the point of
view of the hacker that the previous books used so well to get
their message across. This is 'we', protecting our assets from
a considerably more nebulous hacker than has appeared earlier.

The difference is the same as between an actual security
incident on one hand, and the report of a threat analysis on
the other.

In short, this is not a Hacking Exposed book. It's a Java
Security Exposed book. As such it probably merits four stars.

But ... as it is marketed as a Hacking Exposed book, and,
in my opinion, doesn't live up to the expectations that go
with that trademark, I'm afraid I can't give any rating at all.
(1 star seems to be the lowest possible, so that is what I give it.)

I'll be very careful about purchasing the next red book
with "Hacking Exposed" all over the front cover. I just
might find that I have bought 'Hacking Exposed - ISO 17799'.
Inside This Book
First Sentence:
Java security is not an afterthought; it is an integral part of the language.
Key Phrases - Statistically Improbable Phrases (SIPs):
subject class, authenticated sockets, web services container, default socket factory, security policy file, retirement planning application, programmatic authorization, cipher object, invoker servlet, xrpcc tool, retirement application, key wrapping, custom class loader, security stature, keystore password, keytool utility, keystore file, license string, declarative authorization, enciphered data, login context, web container, security sandbox, callback handler, login method
Key Phrases - Capitalized Phrases (CAPs):
Hacking Exposed, Java Plug-in, Lester Goodwin, Application Manager, Java Logging, Java Secure Sockets Extension, Enterprise Java Beans, Local Pers, Security Extensions, Sun Microsystems, Books Inc, Document Done, Java Cryptography Extension, Shaking the Foundation, All Permission, Error Reference Number, Jochen Hoenicke, Security Exception, Src Addr