Enterprise Java(TM) Security: Building Secure J2EE(TM) Applications

by Marco Pistoia, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin
Sales Rank: 116942
List Price: $49.99
$40.45
At Amazon

  • Paperback: 608 pages
  • Publisher: Addison-Wesley Professional February 27, 2004
  • Language: English
  • ISBN-10: 0321118898
  • ISBN-13: 978-0321118899
  • Product Dimensions: 9.2 x 6.8 x 1 inches
  • Shipping Weight: 1.8 pounds

    Back Cover Copy


    “For a long time, there has been a need for a J2EE™ security book. I am very happy to see there is now a book that can answer many of the technical questions that developers, managers, and researchers have about such a critical topic. I am sure that this book will contribute greatly to the success of the J2EE platform and e-business.”
    —From the Foreword by Steven A. Mills, Senior Vice President and Group Executive, Software Group, IBM Corporation


    Enterprise Java™ Security: Building Secure J2EE™ Applications provides application developers and programmers with the know-how they need to utilize the latest Java security technologies in building secure enterprise infrastructures. Written by the leading Java security experts at IBM, this comprehensive guide covers the current status of the Java™ 2 Platform, Enterprise Edition (J2EE), and Java™ 2 Platform, Standard Edition (J2SE™), security architectures and offers practical solutions and usage patterns to address the challenges of Java security.

    To aid developers who need to build secure J2EE applications, Enterprise Java™ Security covers at length the J2EE security technologies, including the security aspects of servlets, JavaServer Pages(TM) (JSP™), and Enterprise JavaBeans™ (EJB™)—technologies that are at the core of the J2EE architecture. In addition, the book covers Web Services security.

    Examples and sample code are provided throughout the book to give readers a solid understanding of the underlying technology.

    The relationship between Java and cryptographic technologies is covered in great detail, including:
    • Java Cryptography Architecture (JCA)
    • Java Cryptography Extension (JCE)
    • Public-Key Cryptography Standards (PKCS)
    • Secure/Multipurpose Internet Mail Extensions (S/MIME)
    • Java Secure Socket Extension (JSSE)



    About The Author


    Marco Pistoia is a Research Staff Member in the Java and Web Services Security department at the IBM T. J. Watson Research Center in Yorktown Heights, New York. He has written ten books and several conference papers and journal articles, and has also presented worldwide on all areas of Java and e-business security. Most recently, he was the lead author of the book Java 2 Network Security, Second Edition (Prentice Hall, 1999).

    Nataraj Nagaratnam is a Senior Technical Staff Member and the lead security architect for IBM’s WebSphere software family in Raleigh, North Carolina. He has coauthored the Web Services security specifications and actively participates in the Java community process on the topics related to J2EE security. He was the lead author of one of the first books on Java networking, Java Networking and AWT API SuperBible (Waite Group Press, 1996).

    Larry Koved is a Research Staff Member and the manager of the Java and Web Services Security department at the IBM T. J. Watson Research Center in Yorktown Heights, New York. He was actively involved in the design of JAAS and the EJB V1.1 security architecture, has published over twenty-five articles and technical reports, and has presented at conferences worldwide.

    Anthony Nadalin is a Senior Technical Staff Member and IBM Software Group’s lead security architect for Java and Web Services in Austin, Texas. He is responsible for security infrastructure design and development across IBM, Tivoli, and Lotus. He has authored and coauthored over thirty technical journal and conference articles, as well as the book Java and Internet Security (iUniverse.com, 2000).


    Customer Reviews & Comments
    The book starts off with an overview of the Java and security landscape with quick introductions to things like Java Cryptography Architecture (JCA), Java Cryptography Extension (JCE), Java Authentication and Authorization Service (JAAS), Java Secure Socket Extension (JSSE) and PKI. This chapter does a great job of introducing all of the security features in the Java platform and how they fit in the standard application development framework. There is a really nice picture on page 9 that sums up all of the security providers, services and components and how they fit together in J2SE and J2EE. After the introduction, the book moves into a discussion about firewalls and some network architecture discussion. The second section (Chapter 3) of the book deals with the J2EE security model. This section starts with a quick intro to the J2EE components before moving into a discussion of the J2EE security roles and authorization model. After a quick example of using declarative security with EJBs, the authors then discuss authentication in the realm of HTTP and web applications with a quick intro to basic, form and certificate based authentication. The authors recommend the use of declarative security over programmatic security as a best practice. I have to agree with that assessment and recommendation completely. But there are instances where declarative security is not possible and you have to resort to programmatic security. The chapter shows some simple code examples to validate the security role of a user in an EJB, and fetching user information in a web application. The next section of the book deals with JavaServer Pages (JSP) and Servlet security. The section starts with a quick intro to Servlets and the Servlet life cycle, before moving into the authentication section.
At first, the simple HTTP authentication mechanism is explained with a nice breakdown of the HTTP status code sent from the server to the browser along with a description of how the username and password are encoded on the client side. I really like the way this section was written as it didn't leave any ambiguity in how the process works. After basic authentication, we move on to form-based authentication which is explained very simply along with the appropriate snippet that belongs in your web.xml file. Once again, the explanation and graphic do a great job of breaking the authentication process down to the HTTP communication between the browser and server. This section also briefly describes certificate-based authentication and single sign-on. After authentication, the section moves on to the authorization or the roles part of the puzzle. In reading this section, I learned something new and really interesting. There is discussion of the RequestDispatcher object that allows you to use the forward() or include() method to create an invocation chain. In that scenario, the web container only authorizes the first invocation and not every forward or include that is part of the process. There is also discussion about how to use security-constraints to protect a single page, URL, or URL pattern. After declarative security, the chapter moves to programmatic security with discussion of the javax.security.Principal object, role references and mapping in web.xml. The chapter then moves on to discuss some usage patterns and best practices on how to use cookies, SSL and HttpSession. I was pleasantly surprised to see a simple Servlet Filter example to restrict a set of users from any application. The next section of the book covers EJB security, starting with a quick intro to EJBs and then moving into EJB security and method authorization. The next section of the book deals with J2SE security.
This section starts with the class loader and how the default class loader and the whole delegation process work. I really liked the section on the class loading process, the delegation hierarchy, bytecode verifier, security manager and privileged code. In fact, I really liked this chapter and re-read it several times. The section on the SecurityManager is very comprehensive and probably the best explanation I've read about the topic. The next chapter breaks down the Java permission model in great detail, including the Java security policy. Most people who use the -D parameter to specify java.security.manager and java.security.policy and don't really understand the details behind those command line parameters really need to read this chapter. The next chapter describes the Java Authentication and Authorization Service (JAAS) in great detail. This chapter is full of example code that walks you through the JAAS framework. I really like the treatment given to JAAS as it is very comprehensive and very well written. This is also one of those chapters I re-read several times. I've been using JAAS for almost 2 years now and I still found this to be very educational, and the included Java code made the concepts very easy to understand and follow. After JAAS, the book moves on to cryptography and its role in terms of enterprise security. This three-chapter section starts off with the theory of cryptography and then describes the JCA and JCE frameworks in great detail. This was not of great interest to me personally and so I skimmed most of this section. After JCA/JCE, the book moves on to public-key cryptography and S/MIME. The next chapter focuses on Secure Socket Layer (SSL) or Transport Layer Security (TLS). I love the section on the SSL handshake as it simplifies and explains this very complex interaction.
This section also has a lot of Java code that helps illustrate some of the complex concepts, including using and creating the keystore and using client authentication with certificates. The next chapter discusses security for Web Services and discusses topics such as XML Signature, Security Services Markup Language (SAML) and WS-Security. After Web Services, the book discusses security considerations that must be taken into account by container providers. In conclusion, this is the best book I have ever read dealing with the topic of security. This is also the best Java security book and is a very comprehensive guide for anyone working with Java. This book belongs in every developer's bookcase, and he/she really needs to understand these concepts. If you are looking for a book that overwhelms you with code, this is not it. Instead this is a great tutorial book that uses Java code where appropriate but relies on great writing and explanation of the security framework and components. I highly recommend this book and I know this is going to be a handy reference for me.

    Copyright © 2008, Dominant Systems Corporation