Book/Tutorial recommendation for Java Security

Chan Ag

Joined: Sep 06, 2012
Posts: 1089

Does anyone know of a good book/tutorial to get started with Java Security? Currently I have only a basic idea of things like SSL/Digital Signatures/Keystores/Classloaders/Security Managers/Encryption/Decryption/OAuth/OpenId etc. Basically what I know is what I studied during my engineering course. Apart from that I have browsed a little on how SSL and OAuth 2.0 work. But that is all.

I feel I should invest some more time into studying these things from scratch. Also, the feature I'm working on currently might need to use OAuth authentication, so knowing the basics beforehand will be helpful. It will also help me get a more comprehensive picture of the associated stuff.

So does anyone have a book recommendation?

I'm considering buying the book "Java Security, Edition 2" by Scott Oaks, but it was written in 2001, so it doesn't cover things like OpenId, OAuth 1.0 and OAuth 2.0. I was still considering that book, because I thought once I have a grasp of how the basic things work, the other tutorials I see online will probably start making more sense. But does anyone know of a better book? Is there a book/tutorial you found really helpful?

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
A subject dear to my heart. I added lots of resources I found useful to the Security FAQ. If you work through the stuff linked under "general remarks" you should have a good overview of the Java-related stuff. Most importantly, start with the podcast by Bruce Schneier. There's little value in delving into specifics before you understand how security is a process, not one or more technologies. Also, that security can't be "added" to a system later on (at least not without great cost), but needs to be an integral part of it from the beginning. And lastly, that it's important to do a risk analysis of any system, so that likely attacks and their costs (both in guarding against them, and if they're successful) are known - only then can informed decisions be made on what needs to be protected, and how.

A somewhat newer book than the one you mention is "Core Security Patterns" from 2006. At 1000 pages it's pretty comprehensive (but keep in mind its publication date), but you will probably never finish reading it. I didn't :-)

I liked Schneier's "Secrets and Lies". While it's now also dated (from 2004), it's about fundamentals, and thus more broadly applicable than technology-specific books. I recommend starting with that, and then picking up the language-specific stuff from the resources in the FAQ.

Chan Ag

Joined: Sep 06, 2012
Posts: 1089
The Security FAQ is really good -- it covers most of the topics that I need to know about. So for now, this is exactly what I need.

Once I know what is what in more detail, I'll probably order Secrets and Lies.

Sorry I couldn't respond earlier than this but thanks a lot.

I agree. Here's the link: