Enterprise Java 2 Security: Building Secure and Robust J2EE Applications

List Price: $49.99
Your Price: $42.72
Rating: 4 stars
Summary: Secure Yourself and Your E-Business
Review: * This book helps me a LOT to understand the programmatic approach, and why Java security is a key factor in an e-business environment.
* The book shows me the J2EE and J2SE security architectures, showing how these architectures relate to each other and how they are augmented by JAAS.
* I feel that for developers who need to build J2EE applications securely and reliably, the book covers the relationship between J2EE and cryptographic technologies, like the Java Cryptography Architecture, Java Cryptography Extension, Public-Key Cryptography Standards, Secure/Multipurpose Internet Mail Extensions, and Java Secure Socket Extension.

Rating: 4 stars
Summary: Making Java Viable in Corporate Computing
Review: As companies move to expand their presence on the web beyond mere read-only brochureware, Java has become the preferred choice of language in which to write the web server side and, though to a lesser extent, even the client side. The book explains why this became so; like the fact that Java now runs on most computers, enabling the development of code that can be easily migrated to different computers.

But the opening up of a company's computers to the web has a downside. It exposes the company to a broad range of attacks; far more so than the traditional glass house mainframe with the occasional modem dial-in. So an adopter of Java for enterprise computing might reasonably ask: Can Java provide adequate security?

The book is devoted to answering that question. The authors expound on a slew of acronym-laden methods: JCA, JCE, PKCS, JSSE. All under the rubric of J2EE, which is the enterprise version of J2SE. It helps in many chapters to be versed in XML. The configuration files ("deployment descriptors") are all in XML. Acquaintance with the rudiments of public key cryptography wouldn't hurt either.

There is one advantage of the book which the authors modestly decline to point out. The book says that all the authors are from IBM. But it doesn't say one way in which this is a plus. A certain unnamed company in Seattle keeps murmuring that Java is owned by Sun, and that should you use Java, you are tying your company's future to Sun, which has had revenue problems lately.

But J2EE and J2SE and JCA (etc.) are massively supported by other computer firms, IBM most prominently amongst these. In fact, IBM claims that its Java effort is second only to Sun's. This book is a good statement of that.

Rating: 4 stars
Summary: A good book on J2EE security
Review: I read the book Java 2 Network Security (2nd Edition) by Marco Pistoia three years ago and I liked it a lot. I am glad to see his new book on security with more focus on J2EE security.

There are five parts to this book: Part I discusses the needs of enterprise application security at a high level; Part II focuses on J2EE and shows how to handle security for Servlets, JSP, and EJB; Part III describes J2SE security, like ClassLoaders, JAAS, Keytool, jarsigner, JASS, etc.; Part IV covers cryptography as a whole, including the JCA and JCE frameworks; Part V is dedicated to "advanced" topics such as web services security and some security considerations for container providers.

This book puts a lot of effort into explaining how to use Java security in enterprise applications; I think it's very helpful for understanding Java security.

I appreciated its effort on the J2EE security and "advanced" topics on web services and some considerations for container providers, which are not easy to find in other resources.

The only weakness of this book is the lack of complete examples. I hope they will be provided at least online. I think one may need some other resources with more examples when using this book.

Rating: 1 stars
Summary: Misleading title, Shallow and disorganized book
Review: If you are an architect who is really serious about building security into your J2EE applications, then this book would offer only a hello world to security. All you find is a full blown-up security chapter from the Sun J2EE tutorial; beyond that, nothing more. More importantly, this book is completely disorganized... meaning that this book discusses J2EE component security in chapters 3, 4, 5 and the basic Java platform security in chapters 7, 8, 9. It looks like the author is discussing the security foundation after constructing the components... sounds funny. To my greatest disappointment, there is no chapter to show how to put together all these APIs in a real world J2EE application (as they claim in the title). Why should I read the book if it is repeating the API examples from the Java site? The chapter on Web services security is a joke; it shows the authors' lack of understanding of Web services security fundamentals.

This book is nothing but theoretical junk with no proof. After browsing all the pages, I don't find anything which shows how to build a working security architecture. The word security is abused and doesn't make sense for this title.

Rating: 4 stars
Summary: General Java security volume
Review: If you are new to Java security, you will definitely benefit from reading this book; you may even enjoy it. Other reviewers have described the book's content quite well, so I will not do this again. I just want to mention that the book is written well and provides a solid explanation of security issues, patterns, and solutions.

As one of the reviewers noted below, the title of the book is misleading: "enterprise Java" has a reserved meaning that implies J2EE-specific technologies; the authors paid much more attention to Java security in general than specifically to security usage under J2EE. While a drawback, the dissonance between the title and the content does not diminish the quality and value of the writing.

I disagree with another reviewer regarding "theoretical junk". Some people need to understand and validate their understanding by delving deeper into reasoning, while others can't wait to crank out the code without any respect for the necessity of using this or that solution. There are architects and there are coders, and respectfully all sorts of books addressing different approaches to utilizing technologies. For example, for a more detailed exploration of J2EE security usage check out "J2EE Security for Servlets, EJBs, and Web Services" by Pankaj Kumar: it has plenty of detailed instructions and code examples.

Rating: 4 stars
Summary: Bird's Eye View on J2EE Security
Review: If you know nothing about Java Security, this book will be a good book for you to fly over the air and see what's inside J2EE security. It basically covers Java security architecture, EJB and web Application security, plus an overview on PKCS and S/MIME and Web Services security.

If you already know about JCA, JCE, JAAS, and JSSE, you already know half of the book's content. If you have developed EJB and Web applications, you already know another quarter of this book.

Rating: 4 stars
Summary: Solid J2EE security reference
Review: One of the major benefits of J2EE is its security functionality. But most books about J2EE have not given enough depth to its security features.

Enterprise Java 2 Security: Building Secure and Robust J2EE Applications gives J2EE software developers a great reference to use in building secure Java applications.

Chapters 1 and 2 provide a methodical overview of the underlying Java technology and the security functionality. The rest of the chapters provide a comprehensive synopsis of all of the J2EE security features including JCA, JSE, SSL hooks, JSSE and more.

The book's strong point is that it covers all of the core security features and provides excellent sample code.

The only drawback to the book is that it is light on real-world examples of J2EE security. It is heavy on the 'about' aspect, but light on the 'how' side of things. It would have also been helpful if there were an accompanying web site where code samples could have been provided.

Overall, Enterprise Java 2 Security: Building Secure and Robust J2EE Applications is a solid reference for all of the major J2EE security topics.

Rating: 4 stars
Summary: A solid resource
Review: Security is a topic which often seems to be given too little thought. This book gives a hand for the J2EE developer new to security on a Java platform and, especially, on the J2EE platform.

The book has been split into five parts. I have gathered my thoughts about each in their separate paragraphs below.

Part I discusses the needs of enterprise application security in general, and how these needs are associated with the J2EE components on a two- or three-tier architecture, illustrated with pretty pictures of firewalls etc. The discussion is high-level in nature and acts mainly as a smooth entry into the mind-set of implementing security into your application.

Part II takes the focus inside J2EE and shows what kind of handles the J2EE architecture provides for security-related services such as authentication and authorization. Basically, this part of the book explains the programmatic and declarative security for web applications and Enterprise JavaBean components. The writing is very easy to understand but I would've liked to see one or two complete examples of a deployment descriptor instead of just small snippets. To me, seeing a full example would seem like a great way to tie things up in the context.

Part III, titled "The Foundations of Java 2 Security", is something I'm sure I'll come back to when I have to deal with J2SE security. The authors describe the whole shebang from class loaders to security managers and the horde of different types of permissions. This part also includes a chapter about the Java Authentication and Authorization Service (JAAS), which is top-notch amongst those I've seen about the subject. Clear writing combined with precise and illustrative examples. The one topic that could've deserved some concrete usage help was the command-line utilities such as keytool and jarsigner. Also, applet security was only mentioned in passing (the word "applet" can't even be found in the index), which may or may not be significant for the reader.

Part IV is dedicated to the art of cryptography. After presenting the basics of cryptographic algorithms, secret and public-key cryptography, the authors continue by discussing how the selected algorithms affect the confidentiality, integrity, authenticity, and non-repudiation properties of data. The chapters also discuss digital signatures, certificates, and key distribution on a high level. The rest of the fourth part shows how the JCA and JCE frameworks are built (i.e. how the pluggable implementation architecture works) and how the relevant APIs are used. The Java Secure Socket Extension (JSSE) for SSL is also presented with a couple of very nice examples including server and client authentication.

The fifth and final part talks about "advanced" topics such as web services security and some security considerations for container providers (which seems a bit out-of-place in this book). The subjects are covered only very superficially, which is understandable because the area of web services security admittedly requires a whole book to discuss in detail.

I can recommend this book as a solid source of information for J2EE security topics. Accompanied with vendor-specific documentation on deployment and configuration issues, you probably won't need anything else for your security needs. Its biggest weakness, in my opinion, is the lack of more complete sample code which could've at least been published online.

Rating: 4 stars
Summary: Good overall coverage of the subject matter
Review: Target Audience
Developers and architects who are looking for an overview of Java security

Contents
This book is a wide-ranging coverage of security technology in J2EE and J2SE environments.

The book is divided into six parts:

Part I - Enterprise Security And Java - An Overview Of Java Technology And Security; Enterprise Network Security And Java Technology
Part II - Enterprise Java Components Security - Enterprise Java Security Fundamentals; Servlet And JSP Security; EJB Security; Enterprise Java Security Deployment Scenarios
Part III - The Foundations Of Java 2 Security - J2SE Security Fundamentals; The Java 2 Permission Model; Authentication And Authorization With JAAS
Part IV - Enterprise Java And Cryptography - The Theory Of Cryptography; The Java 2 Platform And Cryptography; PKCS And S/MIME In J2EE; The SSL and TLS Protocols In A J2EE Environment
Part V - Advanced Topics - Enterprise Security For Web Services; Security Considerations For Container Providers; Epilogue
Part VI - Appendixes - Security Of Distributed Object Architectures; X.509 Digital Certificates; Technical Acronyms Used In This Book; Sources Used In This Book

Review
Once you get past the Hello World applets and JSP pages, you will start developing applications that interact with the user and display dynamic content. And once that happens, you need to know who is asking for the data and whether they should be allowed to see it. You need to start understanding how security works in the Java world. And Enterprise Java Security is a good place to start gaining that knowledge.

The authors cover a lot of different concepts and technologies in this book. While nearly any of the subjects (like cryptography or web services security) could be expanded into a book in its own right, enough information is provided to give you the concepts necessary to grasp the essentials. From there, you can continue in your learning for the areas that apply to your situation. As I continue on in my Java education, I'll be able to use this book to come up to speed more quickly than I would be able to if I had to find the resources in multiple other places.

Code junkies may be a little frustrated with the book, in that there's more concept than code. While there are coding examples, you'll see less than you may be used to (or may want). I view it this way... I'd use this book to get an overview of Java cryptography. Once I understood the fundamentals, I'd seek out a book that dealt specifically with that subject to take me beyond the basics. But by understanding "what I don't know" first, I'll be better prepared to get the most out of more advanced texts with plenty of code included.

Conclusion
A good selection for Java developers and architects who need a comprehensive overview and understanding of security for Java-based systems and environments. From here, you can delve more deeply into the specific areas that apply to your project or environment.

Rating: 5 stars
Summary: The BEST book on Java/J2EE security
Review: The book starts off with an overview of the Java and security landscape with quick introductions to things like the Java Cryptography Architecture (JCA), Java Cryptography Extension (JCE), Java Authentication and Authorization Service (JAAS), Java Secure Socket Extension (JSSE) and PKI. This chapter does a great job of introducing all of the security features in the Java platform and how they fit in the standard application development framework. There is a really nice picture on page 9 that sums up all of the security providers, services and components and how they fit together in J2SE and J2EE. After the introduction, the book moves into a discussion about firewalls and some network architecture discussion.

The second section (Chapter 3) of the book deals with the J2EE security model. This section starts with a quick intro to the J2EE components before moving into a discussion of the J2EE security roles and authorization model. After a quick example of using declarative security with EJBs, the authors then discuss authentication in the realm of HTTP and web applications with a quick intro to basic, form and certificate based authentication. The authors recommend the use of declarative security over programmatic security as a best practice. I have to agree with that assessment and recommendation completely. But there are instances where declarative security is not possible and you have to resort to programmatic security. The chapter shows some simple code examples to validate the security role of a user in an EJB, and fetching user information in a web application.

The next section of the book deals with JavaServer Pages (JSP) and Servlet security. The section starts with a quick intro to Servlets and the Servlet life cycle, before moving into the authentication section. At first, the simple HTTP authentication mechanism is explained with a nice breakdown of the HTTP status code sent from the server to the browser along with a description of how the username and password are encoded on the client side. I really like the way this section was written as it didn't leave any ambiguity in how the process works. After basic authentication, we move on to Form-based authentication which is explained very simply along with the appropriate snippet that belongs in your web.xml file. Once again, the explanation and graphic do a great job of breaking the authentication process down to the HTTP communication between the browser and server. This section also briefly describes certificate-based authentication and single sign-on.

After authentication, the section moves on to authorization, or the roles part of the puzzle. In reading this section, I learned something new and really interesting. There is discussion of the RequestDispatcher object that allows you to use the forward() or include() method to create an invocation chain. In that scenario, the web container only authorizes the first invocation and not every forward or include that is part of the process. There is also discussion about how to use security-constraints to protect a single page, URL, or URL pattern. After declarative security, the chapter moves to programmatic security with discussion of the javax.security.Principal object, role references and mapping in web.xml. The chapter then moves on to discuss some usage patterns and best practices on how to use cookies, SSL and HttpSession. I was pleasantly surprised to see a simple Servlet Filter example to restrict a set of users from any application. The next section of the book covers EJB security, starting with a quick intro to EJBs and then moving into EJB security and method authorization.

The next section of the book deals with J2SE security. This section starts with the class loader and how the default class loader and the whole delegation process works. I really liked the section on the class loading process, the delegation hierarchy, bytecode verifier, security manager and privileged code. In fact, I really liked this chapter and re-read it several times. The section on the SecurityManager is very comprehensive and probably the best explanation I've read about the topic. The next chapter breaks down the Java permission model in great detail, including the Java security policy. Most people who use the -D parameter to specify java.security.manager and java.security.policy and don't really understand the details behind those command line parameters really need to read this chapter.

The next chapter describes the Java Authentication and Authorization Service (JAAS) in great detail. This chapter is full of example code that walks you through the JAAS framework. I really like the treatment given to JAAS as it is very comprehensive and very well written. This is also one of those chapters I re-read several times. I've been using JAAS for almost 2 years now and I still found this to be very educational, and the included Java code made the concepts very easy to understand and follow.

After JAAS, the book moves on to cryptography and its role in terms of enterprise security. This three-chapter section starts off with the theory of cryptography and then describes the JCA and JCE frameworks in great detail. This was not of great interest to me personally and so I skimmed most of this section. After JCA/JCE, the book moves on to public-key cryptography and S/MIME.

The next chapter focuses on Secure Socket Layer (SSL) or Transport Layer Security (TLS). I love the section on the SSL handshake as it simplifies and explains this very complex interaction. This section also has a lot of Java code that helps illustrate some of the complex concepts, including using and creating the keystore and using client authentication with certificates.

The next chapter discusses security for Web Services and discusses topics such as XML Signature, Security Services Markup Language (SAML) and WS-Security. After Web Services, the book discusses security considerations that must be taken into account by container providers.

In conclusion, this is the best book I have ever read dealing with the topic of security. This is also the best Java security book and is a very comprehensive guide for anyone working with Java. This book belongs in every developer's bookcase and he/she really needs to understand these concepts. If you are looking for a book that overwhelms you with code, this is not it. Instead this is a great tutorial book that uses Java code where appropriate but relies on great writing and explanation of the security framework and components. I highly recommend this book and I know this is going to be a handy reference for me.
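The HTTP Basic authentication exchange that the review above praises the book for breaking down (the server's 401 challenge, the browser's base64-encoded username:password, and the server's check) is shown below as an added example. It is not code from the book, the reviewers, or any J2EE container; the realm name, user name, password and credential table are constructed for illustration, and the server side is written as plain functions over header values rather than as a Servlet.

```python
import base64
import binascii
import hmac

# Constructed credential store for illustration only; a real deployment
# keeps salted password hashes, never plaintext.
USERS = {"alice": "s3cret"}
REALM = "example"  # constructed realm name


def challenge_response():
    """Server side, step 1: no usable credentials, so answer 401 with a
    WWW-Authenticate header naming the realm the browser should prompt for."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def client_authorization_header(username, password):
    """Client side, step 2: the browser joins user and password with ':' and
    base64-encodes the result. Base64 is reversible encoding, not encryption,
    which is why Basic auth is only acceptable inside SSL/TLS."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header):
    """Server side, step 3: recover (user, password) from the Authorization
    header, or None for a missing, non-Basic or malformed value."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Split on the first ':' only; the password itself may contain colons.
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(header):
    """Server side, step 4: verify the credentials. Returns
    (status, response_headers, principal). Any failure re-issues the same
    challenge, so the response does not reveal whether the user name exists."""
    creds = parse_authorization(header)
    if creds is None:
        status, headers = challenge_response()
        return status, headers, None
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time comparison so response timing does not leak how many
    # leading characters of the password matched.
    if user in USERS and hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return 200, {}, user
    status, headers = challenge_response()
    return status, headers, None


if __name__ == "__main__":
    # Walk the exchange: anonymous request -> challenge -> authenticated retry.
    print(authenticate(None))
    hdr = client_authorization_header("alice", "s3cret")
    print(hdr)
    print(authenticate(hdr))
```

Running the module prints the 401 challenge, the `Authorization: Basic ...` value a browser would send back for the constructed user, and the 200 result carrying the authenticated principal; a wrong password or a garbled header falls back to the identical challenge.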



© 2004, ReviewFocus or its affiliates