Amazon.com: Professional Java Security (Programmer to Programmer) (0676623042576): Jess Garms, Daniel Somerfield: Books

Professional Java Security (Programmer to Programmer) [Illustrated] [Paperback]

Jess Garms (Author), Daniel Somerfield (Author)
4.3 out of 5 stars (10 customer reviews)

Book Description

May 2001 Programmer to Programmer
Security is of huge importance to the computing industry - the growth in e-commerce has brought the topic from the shadows of high-level specialists into the public eye. Nowadays breaches in security for B2C based e-tailers are big news, and damage not only the reputation of the individual organization, but also confidence in the industry as a whole.

Computer security covers a multitude of areas ranging from low-level operating system security to higher-level application security. This book concentrates on the latter, and will show you how to protect your applications with cryptography and the Java security model. Beginning with simple examples and clear descriptions of different cryptography approaches, such as symmetric and asymmetric encryption, the book will build in complexity, through consideration of public key infrastructure and SSL, to provide a comprehensive set of solutions for the enterprise Java developer.



Editorial Reviews

Amazon.com Review

For any developer who needs to understand and use Java's considerable built-in support for encryption and security standards, Professional Java Security delivers a capable guide to both the theoretical and practical aspects of implementing security on the Java platform. With a concise presentation that moves well and covers a wide range of topics, this book fills an extremely valuable niche for any working Java programmer.

Classic titles on encryption and cryptography (such as Bruce Schneier's Applied Cryptography: Protocols, Algorithms, and Source Code in C) look at security from the ground up as if developers needed to write everything themselves. The good news is that with features like the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE), Java security is standard equipment with today's Java 2 platform. This book does a great job at giving a quick overview of the way today's encryption algorithms (including symmetric and asymmetric encryption, hash functions, and digital certificates) work, along with the way to apply them in Java. The authors anchor the theory here with practical explanation and code for using such encryption algorithms as Blowfish and RSA, plus using digital signatures and certificates and tapping SSL for secure communications over the Internet.

While books on cryptography usually describe protocols with anonymous players (with names like Alice, Bob, and the like), the authors here use more imagination, retelling a scene from Shakespeare's Hamlet in which King Claudius sends a message via Rosenkrantz and Guildenstern to do away with Hamlet. No, you don't need to have read the play to understand, but this scenario and its permutations highlight in a more entertaining fashion than other titles the issues in secure communications and the ways things can go wrong.

More advanced material on securing JDBC database connections, and even on how to create custom encryption algorithms and plug them into the JCE, will let the more expert reader do more. (The authors demonstrate this latter process with sample code that implements the well-known RSA encryption algorithm.) For the busy working Java developer, coverage of the basics here will let you implement security in Java without having to reinvent the proverbial wheel. Smart, concise, and extremely useful, Professional Java Security is a truly valuable resource for creating secure Java applications with features that every working Java developer will want to know about and use. --Richard Dragan

Topics covered: Overview of enterprise security issues, defining a security policy, Java security features, support for security in Java code (accessibility, serialization, sealed JAR files, and privileged code), introduction to cryptography and encryption, introduction to symmetric and asymmetric encryption, authentication, the Java Cryptography Architecture (JCA), the Java Cryptography Extension (JCE), symmetric encryption with Java (including password-based encryption, ciphers, and sealed objects), asymmetric encryption in Java (including file encryption with RSA), message digests, digital signatures, digital certificates, signing JAR files (permissions and applets), additional security in Java with servlets and EJB, the Java Authentication and Authorization Service (JAAS), using SSL in Java applications, securing JDBC database connections, case study for a secure online banking application, building a custom JCE provider (using the RSA algorithm), additional security techniques (securing e-mail, timestamping, secure logging, using a nonce), and quick reference for using MySQL with JDBC.

From the Publisher

This book is aimed at intermediate to advanced Java programmers, familiar with the concepts underpinning distributed application development such as sockets, RMI, JDBC, and J2EE technologies; however, no previous experience of security or cryptography is assumed. It concentrates on teaching approaches to security, developing an understanding of building cryptography into applications and, in so doing, illustrates how the key Java cryptography components can be employed.

Product Details

  • Paperback: 521 pages
  • Publisher: Wrox Press; 1st edition (May 2001)
  • Language: English
  • ISBN-10: 1861004257
  • ISBN-13: 978-1861004253
  • Product Dimensions: 9.1 x 7.2 x 1.1 inches
  • Shipping Weight: 1.8 pounds
  • Average Customer Review: 4.3 out of 5 stars (10 customer reviews)
  • Amazon Best Sellers Rank: #897,815 in Books

Customer Reviews

10 Reviews
  • 5 star: (6)
  • 4 star: (2)
  • 3 star: (1)
  • 2 star: (1)
  • 1 star: (0)

Average Customer Review: 4.3 out of 5 stars (10 customer reviews)

Most Helpful Customer Reviews

8 of 8 people found the following review helpful:
5.0 out of 5 stars Knowledgeable authors who know how to explain, February 28, 2002
By 
Marcus Green (Leeds, W Yorks, England)
This review is from: Professional Java Security (Programmer to Programmer) (Paperback)
The cover of this book has photos of the authors, who have the boyish good looks of candidates for a 1990s boy band. The contents of the book belie the apparent youth of the authors. They both know the topic well and how to explain it. They not only know about how Java security works now, they also know about the quirks and peculiarities of the history of Java security. They don't seem to mention it anywhere in the book, but the authors created a nicely modified version of the GPL version of the TeraTerm ssh client. Having read some of the TeraTerm code I admire them for even making sense of it.

Unlike many of the Wrox technical books this is not a million-page, multi-author, multi-topic tome but 520 pages that keep strictly to the title topic. There is plenty of information on the net about Java security but it is often hard to find and not explained well. This book goes right from the basics of explaining algorithms to giving substantial code examples for creating secure tunnels to manage database connections. I have read about public and private key algorithms several times in the past but the analogies used in this book really reinforced my understanding. They explain the ideas behind some of the different encryption algorithms by using analogies with the characters in Hamlet, the Shakespearean play. They go through the various permutations of how Hamlet could send a message to the king of England using a box locked with various key combinations. The analogies get longer and more involved with each algorithm, but they worked well for me.

Chapter 10 has a long example and explanation of how to create an SSL tunnel server, whereby JDBC calls are redirected from a client machine. The idea is that you configure your client system to refer to a database on a local machine, but the SSL tunnel server intercepts these calls and transmits them over the secure connection to the machine running the database. A matching program on the remote machine then redirects the calls to the actual database. This is a very similar concept to using an ssh tunnel, but you can run both portions on any machine that has a Java system. This is a little like having a Java-based VPN.

In one of my jobs we used the example code as the basis for a system for synchronizing files and directories between two different machines. This was an alternative to using rsync over ssh, as it gave us operating system portability "out of the box". If we had not had the code from this book for the key ideas it would have either taken much longer, or we probably would not have started it at all.

One thing that would be good in a revised version of this book would be a step by step guide to installing SSL in Tomcat. It is not hard, and you can find how to do it easily on the net, but many people who buy this book will want to do it.

If you are thinking of putting Java applications on the web you will want them to be secure. Knowledge is the key to security and this is the shortest, best-informed route to that knowledge. You probably need this book.


9 of 10 people found the following review helpful:
5.0 out of 5 stars Great security book, June 16, 2001
By A Customer
This review is from: Professional Java Security (Programmer to Programmer) (Paperback)
This book starts with a great overview of security, both in theory and implementation in Java. The examples are concise and easy to follow.

The authors then show how you can apply the concepts to secure certain parts of an application, like how you can secure just about any JDBC connection to prevent the information from being sent over the network unencrypted.

Later, the authors give an example application and show one way you might secure it, giving complete source code and configuration instructions. It's nice to see how the various pieces might fit together into a real system.

As a final bonus, the authors include a JCE provider that supports the RSA cipher and show how it works. Much more useful than the XOR ciphers some other books provide.

Overall, a great book for Java developers looking to learn something about security.


7 of 8 people found the following review helpful:
5.0 out of 5 stars SUPERB!, August 13, 2001
This review is from: Professional Java Security (Programmer to Programmer) (Paperback)
The book 'Java Professional Security' by Garms and Somerfield is one of the best technical books that I have ever read.

Since my current project is to provide secure communications for all of our internet programs, I have spent a lot of time trying to glean information from the internet. After 3 months of this, there were several 'missing parts' for a good understanding of the subject. This book has everything that I was looking for!

In both content and presentation, the book is superb. I look forward to getting many more books from Wrox.
