<pre>
Author/s : Marco Pistoia, Larry Koved, Anthony Nadalin, Nataraj Nagaratnam
Publisher : Addison-Wesley
Category : J2EE
Review by : Lasse Koskela
Rating : 8 horseshoes</pre>
Security is a topic which often seems to be given too little thought. This book gives a hand to the J2EE developer new to security on the Java platform and, especially, on the J2EE platform.
The book has been split into five parts. I have gathered my thoughts about each in separate paragraphs below.
Part I discusses the needs of enterprise application security in general, and how these needs are associated with the J2EE components in a two- or three-tier architecture, illustrated with pretty pictures of firewalls etc. The discussion is high-level in nature and acts mainly as a smooth entry into the mind-set of building security into your application.
Part II takes the focus inside J2EE and shows what kind of handles the J2EE architecture provides for security-related services such as authentication and authorization. Basically, this part of the book explains programmatic and declarative security for web applications and Enterprise JavaBean components. The writing is very easy to understand, but I would've liked to see one or two complete examples of a deployment descriptor instead of just small snippets. To me, seeing a full example would seem like a great way to tie things together in context.
Part III, titled "The Foundations of Java 2 Security", is something I'm sure I'll come back to when I have to deal with J2SE security. The authors describe the whole shebang from class loaders to security managers and the horde of different types of permissions. This part also includes a chapter about the Java Authentication and Authorization Service (JAAS), which is top-notch amongst those I've seen about the subject: clear writing combined with precise and illustrative examples. The one topic that could've deserved some concrete usage help was the command-line utilities such as keytool and jarsigner. Also, applet security was only mentioned in passing (the word "applet" can't even be found in the index), which may or may not be significant for the reader.
Part IV is dedicated to the art of cryptography. After presenting the basics of cryptographic algorithms, secret-key and public-key cryptography, the authors continue by discussing how the selected algorithms affect the confidentiality, integrity, authenticity, and non-repudiation properties of data. The chapters also discuss digital signatures, certificates, and key distribution at a high level. The rest of the fourth part shows how the JCA and JCE frameworks are built (i.e. how the pluggable provider architecture works) and how the relevant APIs are used. The Java Secure Socket Extension (JSSE) for SSL is also presented with a couple of very nice examples, including server and client authentication.
The fifth and final part talks about "advanced" topics such as web services security and some security considerations for container providers (which seems a bit out of place in this book). The subjects are covered only very superficially, which is understandable because the area of web services security admittedly requires a whole book to discuss in detail.
I can recommend this book as a solid source of information on J2EE security topics. Accompanied by vendor-specific documentation on deployment and configuration issues, you probably won't need anything else for your security needs. Its biggest weakness, in my opinion, is the lack of more complete sample code, which could've at least been published online.