In what ways does your book cover existing security management solutions such as those available from the server publishers such as WebSphere/WebLogic? Does your book recommend an existing solution in particular, or would you recommend a built-from-the-ground-up solution for companies looking to add security features to their existing J2EE application?
While it is a book of patterns, I'm curious how applicable the book is for those looking to take an existing J2EE application and existing security solution and integrate them.
Our book is fairly generic and strives not to address vendor-specific solutions. The whole point of Java and J2EE is to provide a vendor-independent way to build applications. Many vendors, IBM specifically, have proprietary security solutions that you may leverage. The problem is that your application then becomes tied to that vendor. In the real world, I realize that, most often, applications are never ported from one vendor to another. It may make sense to leverage vendor-specific security functionality.
I do see, however, that most developers move around a lot and end up working with many different vendor implementations. Therefore, it may make more sense for you, as a developer, to learn and use vendor-independent techniques such as those prescribed in the book. In either case, many of the patterns address problems that are not solved by any vendor implementation and must be implemented in the application. You, as the developer, should be aware of what patterns to use and when to use them.
To facilitate security for existing J2EE applications (as an add-on or refactoring), the implementation strategies described as part of the patterns would be able to help a lot. This applies well to all J2EE-compliant vendor solutions.
Are there any chapters that discuss or comment about proprietary solutions? I share your view that J2EE should be vendor independent, but I've been in situations where I had to use vendor solutions and I'm curious how they fit into the mold or if they are so different, that they don't fit anywhere at all.
Originally posted by Scott Selikoff: Are there any chapters that discuss or comment about proprietary solutions? I share your view that J2EE should be vendor independent, but I've been in situations where I had to use vendor solutions and I'm curious how they fit into the mold or if they are so different, that they don't fit anywhere at all.
We carefully avoided discussing non-standard or proprietary vendor solutions. In some cases, to illustrate examples (for Web services, Identity Management and Service provisioning), we discussed security patterns using popular open-source Java frameworks such as Apache Struts, Spring, Axis, OpenSAML and OpenSPML.