J2EE Security for Servlets, EJBs, and Web Services
Author: Pankaj Kumar
Publisher: Prentice Hall PTR
In recent years, with the explosion of web-based applications and the ever-growing popularity of the Java programming language and related Java based technologies, there has been an increasing number of vendors offering middle-tier products on which developers could build and deploy applications. This major shift from two-tier client-server paradigm to n-Tier architecture brings many challenges, especially in the area of system security. To learn about how to secure your J2EE applications, read on.
About the author
Pankaj Kumar is a Software Architect at HP’s Web Services management Organization and has worked extensively in the area of middleware and security. He has presented on Java and Web services technologist events ranging from SD West and SD Forum to HP World.
Inside the book
This book is organized into three main parts. Part one is all about basic security and the Java platform. Part two introduces the readers to the basic building blocks of the Java platform’s security architecture – APIs for cryptographic operations, PKI infrastructure, access control mechanisms, Java Secure Socket Extensions, and APIs for XML. And finally, the third and final part links together the concepts introduced in part two.
The first part of the book kicks off with a look at news reports and case studies to get a feel for computer and network security problems. The first chapter ends with brief description of how to enable technologies in the fight against computer crime and how application security fits into the overall scheme of things.
What follows is an overview on the Java platform, consisting of J2SE and J2EE, with focus on security aspects.
The second part of the book starts with an explanation of cryptographic services and the Java API supporting these services. Basic cryptographic APIs (JCA and JCE) are covered. Here you learn about the secret key and PK cryptography, message digests, Message Authentication Code, and digital signature.
The following chapter discusses Java support for PKI components such as X.509 certificates, certification authorities, and certificate revocation lists.
Next, you encounter an explanation of the security model used to protect resources within JVM with a Security Manager.
We continue by going deeper into security with chapter six that explains SSL also known as transport layer security, protocol for securing exchange of information over unprotected networks at the transport level.
In last chapter in the second part of the book the author writes about message security as a means to secure messages independent of transport. XML security standards XML Signature and XML Encryption are explained.
This third part of the book starts with a discussion of the security issues in developing RMI based distributed applications. It covers the use of the security manager to limit privileges of downloaded code, SSL for transport level security and JAAS for user authentication.
If you’re interested in web application security you’ll be glad to know that chapter nine contains information about different forms of declarative and programmatic security for Servlets and JSPs. Apache Tomcat is used to illustrate example programs.
The author continues by illustrating how the EJB architecture facilitates the development of software components for assembling secure enterprise applications. BEA’s WebLogic Server is used to explore security concepts.
Chapter eleven talks about security issues surrounding the developing, deploying and invoking of Web services. Open source SOAP engine Apache is used to illustrate the APIs and the examples.
The book closes with on overall review of the subject of the book which is analyzed from a distance, identifying patterns, general principles and relations between topics.
J2EE Security is a well written book; it makes a rather difficult topic easy to understand.
If you are a java programmer, a system administrator who is in charge of managing J2EE applications, a system architect, or a project manager you will definitely enjoy reading this book. It’s worth every penny.