J2EE Security for Servlets, EJBs, and Web Services


List Price: $49.99
Your Price: $34.99

Rating: 5 stars
Summary: A must for a security novice wanting to use J2EE securely
Review: A book on J2EE security and cryptography, so easy to read it is almost unbelievable. And yet, it does full justice to the subject and provides both a broad overview as well as details good for any security novice to get going with J2EE security in a short time. If you wanted to learn or use J2EE security without going to a formal training class, this is the right book for you.

Rating: 1 stars
Summary: Waste of money
Review: Be careful when you buy this book. The book has no concrete focus on J2EE or J2SE of any sort and it is pretty much INCOMPLETE. Unless you already have pretty good knowledge about Security concepts, you won't be able to understand them. The content is messy and it confuses the reader. The worst part is 75% of the book is not specific to J2EE or J2EE components. The author tries out HELLO WORLD kind of examples using a Microsoft environment. That shows the author's track record of security.

Rating: 4 stars
Summary: Good Concepts and Broad Coverage of Security Concepts
Review: First, the things that I really liked about the book:
- Provides a very good overview along with some fabulous code samples. I am not a beginner with Java, but having code samples often makes the task of putting theory into practice a lot easier.
- Really liked the way the author tackles different aspects of Security technology like basic cryptography, PKI with Java, SSL.

Some wishlist items:
- Issues surrounding Single Sign On would have been very useful.
- Some design related aspects on how to build in security at the application design stage, apart from focussing on the APIs only, which is also helpful.

Overall, I would recommend this book for developers looking to get a good understanding of security concepts. This book is more suited for beginner to intermediate Java developers. This is really a good book if you are looking to learn about security and then hit the ground running.

Rating: 1 stars
Summary: Disappointing !
Review: I am not new to J2EE, but I purchased this book for understanding J2EE security based on the good reviews it has received. I was quite disappointed in this book, which is both repetitive, drawn-out and shallow in its coverage of J2EE as a whole. Although the book covers the basics, it is missing the real-world complexities such as Single sign-on, JAAS Authentication and Authorisation in J2EE, Integration tier security etc. The book is completely lost in Web services security as it considers only SOAP-RPC security, repeating the similar examples from Axis and Verisign. BTW, this book only covers obsolete versions of Axis, Weblogic and Verisign. As a result almost nothing is covered in great detail, and the pages ultimately provide a dreary drawn-out overview of J2EE security which I find better elsewhere. Now the book stays on the shelf collecting dust, while I google around the Internet for answers.

Rating: 4 stars
Summary: A good read
Review: I had the opportunity to read this book in manuscript form and it is a good read. The examples are great. Many authors (publishers?) go for weight and size rather than content. While this book probably won't fit in your pocket, it manages to avoid that size/weight trap by providing just good content and examples.

If I didn't already have this book, I'd buy it. There are good overviews of available standards, and enough information on each part of the security puzzle to educate the reader enough to implement solutions. If you're in the security area and program in Java there is no reason not to own this book.



Rating: 4 stars
Summary: A must have reference for J2EE programmers...
Review: I liked many things about this book:

The emphasis on bigger picture and still going deep into topics that Java developers care about; discussion around performance implications, utility programs, great examples, availability of complete source code etc.

I also liked the discussion around some of the security topics that are usually glossed over. One example that really stands out in this regard is the security aspects of RMI based enterprise applications. Did you know how to use JAAS based login for authentication by an RMI server or how to set up policy file based access control of RMI operations? Or what to do for RMI invocations over SSL? Or why you are better off using EJBs than plain RMI to build a secure application? You will find the answers in the RMI Security chapter. And also answers to many more questions around applications that use Web Applications, EJBs and Web Services.

The other thing I really liked was the source code and the tools covered in the book and available from the book's website. You can actually set up a poor man's Certificate Authority using these tools and issue signed certificates. In one of the chapters, there are steps explaining how to convert the signed certificate and the private key stored in a Java keystore into a PKCS12 file and import that in Internet Explorer for certificate based client authentication. This is something I always wanted to do!

Too bad that I cannot produce the URL of the book's website (Amazon.com rules do not permit URLs in reviews). It is worth a visit even if you don't buy the book. Hopefully, you can find it with a little help from Google.

Rating: 2 stars
Summary: Shallow on J2EE security !
Review: I was quite disappointed in this book, which is both drawn-out and shallow in its coverage of J2EE and web services. With 425 pages (11 chapters), the book only talks about J2EE component security in 2 chapters (Chapter 9 and 10) and stops at a high level, spending pages on configuring Tomcat and WebLogic 7. The author comfortably skipped discussing content over complex issues and finally completely forgot about illustrating real-world security issues and measures.
Although the book covers some very basic aspects of Java security, ultimately it provides a dreary drawn-out overview of J2EE security which is better found in Google and elsewhere.

Rating: 4 stars
Summary: Nicely Up To Date on a Vital Issue
Review: If J2EE containers are to be used for commercial web applications, then a built-in means of securely encrypting and decrypting traffic is essential. Such a thing should be independent of any specific crypto algorithm, since new ones come into being, and sometimes existing ones are found to be inadequate. We should also be able to handle symmetric and public/private key systems.

Ideally, such capabilities would be as intrinsic to J2EE as, say, Exception handling is to standard Java.

Well, is this so? Kumar shows in this book that for the most part, this is indeed so. Numerous code examples covering many aspects like https, Enterprise Java Beans and certificates. He points out one shortcoming; namely that RMI usage is not inherently secure. This was a legacy of when Java got started and before it moved into enterprise applications. Still, he does show examples of how to add in security to RMI, though it may not be totally foolproof. In any event, today's J2EE applications have RMI relatively superseded, and the book's attention reflects this.

As a quick note, Kumar describes a 'person-in-the-middle' attack. There is an important, insidious mutation of this, popularly known as 'Phishing'. He never uses this term or explains this variant. Pity, given its multiple recent incarnations (the emails purporting to be from Paypal, eBay, BestBuy...) in mass mailings to millions, and the subsequent broad publicity in the mainstream media.

Rating: 5 stars
Summary: The Best Java Security Book on the market!
Review: In my opinion, this book is the best Java Security book that is available today. I personally own Java Cryptography (O'Reilly), Professional Java Security (Wrox), and Java Security (O'Reilly) - and this book blows them all away. The author has created a free security toolkit that is very handy for real world applications. If you need to add any type of security feature to a J2EE application, then this is the book to buy.

Rating: 4 stars
Summary: Solved my problems
Review: It was my struggle with keystore formats, certificates, cert-chains, private keys, CSRs, CRLs, Java system properties and other such stuff that prompted me to buy this book and I must say that I got more than what I paid for. The JSTK (JSTK stands for Java Security ToolKit, the software downloadable from the book's website -- you will have to get the book to get the URL, though) alone is worth the price of the book. With this, I could list all the CSPs installed and configured within my JRE, algorithms supported by them and can even issue signed certificates -- not to mention all the other cool things, such as signing and encrypting files, sending data over SSL and making performance observations etc., that I can experiment with without writing a single line of code.

The first few chapters appear to be introductory and could be a turn-off if your interest is only in pure J2EE stuff such as RMI, web apps, EJBs, Web services and EISs. However, as I went through the later chapters, it dawned upon me that I would never have followed these concepts and examples without the background stuff in the earlier chapters that talked about cryptographic APIs, SSL, policy based access control, XML-Encryption and XML-Signature. Perhaps this is the reason the author chose to leave out certain other security topics related but non-critical to J2EE: applets, byte code, Java web start, guarded objects and so on.

The emphasis on performance measurement is again something that appealed to me. A lot of times we decide not to incorporate security stuff because we are afraid of the runtime performance overhead. It certainly helps to know the amount of overhead and how to measure this within a given environment.

At the end, I am glad that I bought this book. It may not have everything I may need to know but it does have a lot of good stuff.



© 2004, ReviewFocus or its affiliates