J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) (Paperback)

by Art Taylor (Author), Brian Buege (Author), Randy Layman (Author)
"Java security is not an afterthought; it is an integral part of the language..."
Key Phrases: subject class, authenticated sockets, web services container, Hacking Exposed, Java Plug-in, Lester Goodwin
3.8 out of 5 stars (5 customer reviews)

List Price: $54.95

Editorial Reviews

Product Description
Written in the same exciting and informative style as the international blockbuster Hacking Exposed, this book provides comprehensive coverage of the tools and techniques for testing and correcting J2EE and Java security issues. Includes examples of J2EE attacks and countermeasures, risk ratings throughout the chapters and case studies.

From the Back Cover

Secure your Java and J2EE applications--from the hacker's perspective

Application security is a highly complex topic with new vulnerabilities surfacing every day. Break-ins, fraud, sabotage, and DoS attacks are on the rise, and quickly evolving Java-based technology makes safeguarding enterprise applications more challenging than ever. Hacking Exposed J2EE & Java will show you, step-by-step, how to defend against the latest attacks by understanding the hacker's methods and thought processes. You'll gain insight through examples of real-world attacks, both ordinary and sophisticated, and get valuable countermeasures to protect against them. You'll also find an in-depth case study with Java and J2EE security examples and actual working code incorporated throughout the book.

What you'll learn:

  • The proven Hacking Exposed methodology to locate and patch vulnerable systems
  • How to apply effective security countermeasures to applications which use the following Java enterprise technologies: Servlets and Java Server Pages (JSPs); Enterprise Java Beans (EJBs); Web Services; Applets; Java Web Start; Remote Method Invocation (RMI); Java Message Service (JMS)
  • How to design a security strategy that extends throughout a multi-tiered J2EE architecture using J2SE 1.4 and J2EE 1.3
  • What common, but devastating, vulnerabilities exist within many J2EE applications
  • How to use the J2EE security architecture to create secure J2EE applications
  • How to use the Java security APIs, including the Java Authentication and Authorization Service (JAAS), the Java Cryptography Extension (JCE), and the Java Secure Socket Extension (JSSE)
  • How to create applications that proactively defend against malicious users, content manipulation, and other attacks.
  • Valuable tips for hardening J2EE applications based on the authors' expertise



Product Details

  • Paperback: 426 pages
  • Publisher: McGraw-Hill; 1st edition (September 24, 2002)
  • Language: English
  • ISBN-10: 0072225653
  • ISBN-13: 978-0072225655
  • Product Dimensions: 9.2 x 7.9 x 1 inches
  • Shipping Weight: 1.6 pounds
  • Average Customer Review: 3.8 out of 5 stars (5 customer reviews)
  • Amazon.com Sales Rank: #855,060 in Books

Customer Reviews

5 Reviews

  • 5 star: (3)
  • 4 star: (0)
  • 3 star: (1)
  • 2 star: (0)
  • 1 star: (1)

Average Customer Review: 3.8 out of 5 stars (5 customer reviews)

Most Helpful Customer Reviews

 
13 of 13 people found the following review helpful:
5.0 out of 5 stars Security for advanced Java developers, November 12, 2002
By Michiel Pelt (Netherlands)
The book uses an example Java application which is initially very unsecure, and throughout the book the vulnerabilities of the example are discussed and countermeasures are written. Then the application is web-enabled, creating new vulnerabilities which are fixed again, and so on. This way the complex material is covered in an easily accessible yet comprehensive way, without becoming lengthy. This book is a must have for any serious Java web developer interested in application security. Not recommended for beginners, though.



 
22 of 26 people found the following review helpful:
1.0 out of 5 stars Not a Hacking Exposed book at all, February 6, 2003
By Anders Thulin (Malmo, Sweden)
If this book had been titled differently, I would have had no
reason for complaint: it gives a good introduction to Java
Security, and how to deploy it in various forms.

But it *is* titled 'Hacking Exposed'. That is now taken
to be an indication of a particular approach to security,
... The blurb acknowledges it: 'The proven Hacking Exposed
methodology' is the first thing mentioned under 'What You Learn'.

And I bought this title without second thought -- I have
nothing but praise for the previous books, and expected
to find the same approach and the same quality here.

In this book you find a lot of information on prevention, but
very little on actual vulnerabilities. As a result the
message is far less urgent. If I can demonstrate a 'hack'
the message gets across very quickly: we have to do something
about it now. But if all I can do is point to a text that
says 'attackers can potentially attach a debugger to our
application and watch the code as it runs', urgency is gone.

There's another point there as well: 'our application'.
Those words probably sum up the difference from, say, 'Hacking
Exposed Web Applications'. This book is not from the point of
view of the hacker that the previous books used so well to get
their message across. This is 'we', protecting our assets from
a considerably more nebulous hacker than has appeared earlier.

The difference is the same as between an actual security
incident on one hand, and the report of a threat analysis on
the other.

In short, this is not a Hacking Exposed book. It's a Java
Security Exposed book. As such it probably merits four stars.

But ... as it is marketed as a Hacking Exposed book, and,
in my opinion, doesn't live up to the expectations that go
with that trademark, I'm afraid I can't give any rating at all.
(1 star seems to be the lowest possible, so that is what I give it.)

I'll be very careful about purchasing the next red book
with "Hacking Exposed" all over the front cover. I just
might find that I have bought 'Hacking Exposed - ISO 17799'.



 
6 of 6 people found the following review helpful:
3.0 out of 5 stars Good book, with reservations, March 15, 2004
By vaaesthete (Virginia USA)
This book has some nice examples and is fairly complete, but some sections are basically a regurgitation of the java.sun web site!
In many technical books, it is common to find multiple authors, each writing a section based upon his/her expertise. Since each author has a specific writing style and personality, there is usually a person (or persons) charged with proofing and approving the sections as well as working to make the transitions seamless and consistent. This book was written by three different authors and it would appear to me that at least one of the authors turned in work that is remarkably similar to existing sources!

Here is a sample of the JCE section in Hacking Exposed:
"The Java Cryptography Extension (JCE) package provides a framework for encryption and decryption, key generation, key agreement, and MAC. Encryption allows symmetric, asymmetric, block, and stream ciphers, with additional support for secure streams and sealed objects."
Now here is the verbiage from the java.sun.com website:
"The Java(TM) Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects."

To be fair, it appears that the problems are confined to the first section of the book. The final 2/3 of the book are closer to what I expect from the Hacking Exposed series.

 
 
 
Most Recent Customer Reviews

5.0 out of 5 stars Comprehensive Java Security Book
This is a very good book on Java security that starts pretty much from the ground up so you have to know much about security to read it.
Published on November 10, 2003 by Mark A Andersen

5.0 out of 5 stars Real Help for J2EE Programmers
This is one of the best books I've read on J2EE security. The recommendations in this book improved my existing production applications and development designs.
Published on October 22, 2002
