Enterprise Java Security: Building Secure J2EE Applications by Marco Pistoia et al
Book Review Team
Joined: Feb 15, 2002
Author/s: Marco Pistoia, Larry Koved, Anthony Nadalin, Nataraj Nagaratnam
Publisher: Addison-Wesley
Category: J2EE
Review by: Lasse Koskela
Rating: 8 horseshoes

Security is a topic which often seems to be given too little thought. This book gives a hand to the J2EE developer new to security on the Java platform and, especially, on the J2EE platform. The book has been split into five parts. I have gathered my thoughts about each in their separate paragraphs below.

Part I discusses the needs of enterprise application security in general, and how these needs are associated with the J2EE components in a two- or three-tier architecture, illustrated with pretty pictures of firewalls etc. The discussion is high-level in nature and acts mainly as a smooth entry into the mind-set of implementing security in your application.

Part II takes the focus inside J2EE and shows what kind of handles the J2EE architecture provides for security-related services such as authentication and authorization. Basically, this part of the book explains programmatic and declarative security for web applications and Enterprise JavaBean components. The writing is very easy to understand, but I would've liked to see one or two complete examples of a deployment descriptor instead of just small snippets. To me, seeing a full example would seem like a great way to tie things up in context.

Part III, titled "The Foundations of Java 2 Security", is something I'm sure I'll come back to when I have to deal with J2SE security. The authors describe the whole shebang from class loaders to security managers and the horde of different types of permissions. This part also includes a chapter about the Java Authentication and Authorization Service (JAAS), which is top-notch amongst those I've seen about the subject: clear writing combined with precise and illustrative examples. The one topic that could've deserved some concrete usage help was the command-line utilities such as keytool and jarsigner. Also, applet security was only mentioned in passing (the word "applet" can't even be found in the index), which may or may not be significant for the reader.

Part IV is dedicated to the art of cryptography. After presenting the basics of cryptographic algorithms and secret- and public-key cryptography, the authors continue by discussing how the selected algorithms affect the confidentiality, integrity, authenticity, and non-repudiation properties of data. The chapters also discuss digital signatures, certificates, and key distribution at a high level. The rest of the fourth part shows how the JCA and JCE frameworks are built (i.e. how the pluggable implementation architecture works) and how the relevant APIs are used. The Java Secure Socket Extension (JSSE) for SSL is also presented with a couple of very nice examples, including server and client authentication.

The fifth and final part talks about "advanced" topics such as web services security and some security considerations for container providers (which seems a bit out of place in this book). The subjects are covered only very superficially, which is understandable because the area of web services security admittedly requires a whole book to discuss in detail.

I can recommend this book as a solid source of information on J2EE security topics. Accompanied by vendor-specific documentation on deployment and configuration issues, you probably won't need anything else for your security needs. Its biggest weakness, in my opinion, is the lack of more complete sample code, which could've at least been published online.
Author/s: Marco Pistoia, Nataraj Nagaratnam, Larry Koved, Anthony Nadalin
Publisher: Addison-Wesley Pub Co
Category: J2EE
Review by: Thomas Paul
Rating: 6 horseshoes

This book is a nice, general, "white paper" type overview of security in Java. The authors demonstrate a good, solid understanding of J2EE security. However, they don't provide enough in the way of actual implementation examples. I feel this is a major shortcoming of the book.

The book starts with a general overview of security and then moves on to using applets with RMI through a firewall. The next section deals with Servlet, JSP, and EJB security and shows us some deployment descriptors and a few code samples, but not enough to get a firm grasp on how to implement security. Part 3 discusses the basics of Java security. Part 4 discusses cryptography. The final part discusses advanced topics, including a way too brief chapter on web services.

In general, the book spends too much space discussing security topics and not nearly enough space demonstrating how to use the information provided. The book tends to be too technical in ways that are generally not interesting to Java developers. For example, does a developer really need this: "One straightforward application of the one-way function to DH is to have two entities to publicly agree on a point P on an elliptic curve E over a finite field, where p is a very large prime number."

I think this book may be very useful in combination with another book that is much more example driven, "J2EE Security for Servlets, EJBs, and Web Services" by Pankaj Kumar.