Book123

    Free register and download UseNet downloader, then you can FREE Download from UseNet.

    Download without Limit " Web/HTML/CSS/Ajax J2EE Security for Servlets EJBs and Web Services Applying Theory and Standards to Practice " from UseNet for FREE!

Preface A few years ago, before J2EE (Java 2 Platform, Enterprise Edition) became such a dominant platform for building enterprise systems and long before Web services became central to the IT1 strategy of every small and big company, I was tasked with helping a small company use one of our products more effectively. This company, which must remain unnamed for reasons of privacy and professional conduct, was setting up an infrastructure for creation of a dynamic and collaborative community of businesses so that their people and systems could exchange digital content and information over the Internet in the most appropriate, secure and timely manner. Our sales and marketing department did a good job in convincing them that our soon to be released product, let us call it ProdX, was built to satisfy exactly the same requirements. After numerous technical meetings and the promise of premium customer status, free technical support, training and unrestricted access to the development team, they agreed to use ProdX. ProdX was built and promoted as a Java-based middleware product suite with a strong and unique security architecture for allowing companies to do business over the Internet. However, few people outside the security development team, a sub-team of the overall ProdX development group, understood this architecture well and even fewer knew how to use its APIs effectively or how to set it up for data left operations. Developers, managers and operations staff of the customer company had numerous meetings, conference calls and e-mail exchanges, either through me or directly with the security development team. And still, they did not feel comfortable. At that time, security wasn't the focus of my primary job and I must confess that I was also having difficulty in comprehending certain aspects of ProdX in the context of its use. Watching these interactions, it became obvious to me that the security team had a sound cryptographic background and were deeply involved in developing state of the art security theory and standards, but had little appreciation of the fact that our customers were more interested in having their developers know what APIs to use, how, when and where to use them and having their operations people know how to work out step-by-step processes and procedures for routine and emergency operations. Eventually, they did get what they wanted and were able to go live with ProdX. However, we all felt that the whole thing took a lot more time and attention than required. Since then I have spent a lot more time working with J2EE-based products and Web services infrastructure software. As an architect, I have also participated in the development of Java standards for Web services, reviewed many software products in these areas and interacted with many customer organizations and listened to their security, performance and other concerns. In the meantime, the Java platform, its security architecture and APIs have continuously evolved and matured. However, none of this has eliminated the gap between what is available and what is in use. I attribute this to many factors. The reality is that some of the technology is new and, at times, quite complex. At the same time, the changing ways of using the Internet for business-critical operations and the increased threat of a security breach have kept practitioners on their toes. This constant churn at both ends has kept the gap alive and kicking. It is the aim of this book to narrow this gap, at least in the area of J2EE-based Web applications. J2SE, J2EE and Application Security The life of a Java professional had never been more fun . Besides the traditional forms of enterprise application and Web application development, the emergence of XML and Web services technologies has resulted in a new Web-based distributed computing paradigm, with its own set of design, development, deployment and operations challenges. This is matched, in almost equal measures, by the growing richness of the Java platform, consisting of both the Standard Edition (J2SE) and the Enterprise Edition (J2EE), making it an apt toolchest for an increasingly complex world. This toolchest has drawers filled with APIs, patterns, tools and conventions for different environments and different needs, waiting to be used at the left place , at the left time , and in the left way . Multiple implementations of the same APIs, sometimes from different vendors but more often freely available from the Open Source Community, allows one to pick the best of breed for a particular purpose. It is this multitude of choice and freedom that makes the life of a Java professional fun. It is often claimed that Java is designed for secure programming from the ground up and security features are not added as an after thought. And indeed, it is quite unique in its ability to declaratively specify what a piece of code can and cannot do. Support for cryptographic operations and public key infrastructure through Java Cryptographic Architecture in J2SE is also quite remarkable. In addition, J2EE defines security characteristics for distributed processing, data access, transactions, management and other such aspects. All this makes Java an excellent platform for constructing secure enterprise applications. Scope of the Book This book is about applying security concepts, techniques, APIs, standards, and tools to identify and address enterprise application security problems within the Java environment. You will find the contents of the book useful for all stages of development lifecycle-;analysis, design, development, deployment, and operations. Personally, I have enjoyed reading books that provide insight into the subject matter with appropriate focus on whys and hows , turning to official standards or product manuals for detailed and highly specific information. I also like to see source code fragments, execution steps and screen shots wherever appropriate, for they tell me exactly what to do to accomplish a desired result. Needless to say, this book has been written with these principles in mind. The main focus of this book is the security of data and information maintained and served by enterprise applications running under J2EE. We accomplish this by identifying what needs to be secured, how and where. Further, we discuss the different mechanisms to accomplish this, covering: Cryptographic concepts and services that are at the heart of many security APIs and features. Public Key Infrastructure that makes cryptography as basis of trust for security applications. Access Control based on the origin of code, signer of the signed code, and/or the credentials of the user running the code. Secure communication of data using Secure Socket Layer, also known as Trasport Layer Security. Integrity, Authentication and Confidentiality of XML messages using XML Signature and Encryption. Security characteristics of RMI-based distributed applications. Securing Servlet and JSP-based Web Applications. Security of EJB-based Enterprise Applications. Security aspects of Web services development, deployment and operation. Enterprise application security in J2EE builds upon the foundation of security concepts and architectures such as Cryptography, Digital Certificates, Public Key Infrastructure, Java security model, Java Cryptographic Architecture and so on. One should be comfortable with these topics to follow the main text. Similarly, one should know about basic Web services interoperability standards such as SOAP and WSDL and the Java programming model for Web services. Not assuming that every reader is current with all these technologies, we cover them briefly, stressing those aspects that are more pertinent for the main subject area. This coverage is more appropriate as a quick refresher than a basic introduction and should be used accordingly. At the same time, we must acknowledge that computer and network security is a vast and expanding field incorporating such diverse topics as cryptography, operating system security, network security, firewalls, computer viruses and anti-virus software, intrusion detection, incident response, vulnerability analysis, biometrics, social engineering, privacy and legal aspects, trusted computing, and so on. Though we recognize the importance of these topics in comprehensive security planning, they are not the focus of this book and hence find only brief overview in the first chapter. We also refrain from getting into details of product specific non-standard security features. The only exceptions are product features that help illustrate a specific point not covered by the standards. Who Should Read this Book This book is primarily written for: Java programmers developing Java applications. System administrators managing J2EE-based applications. Architects evaluating security products from different vendors and architecting secure Java solutions. Project Managers planning, managing and overseeing Java and J2EE projects. Specifically, this book is not targeted at security experts designing security protocols, APIs and products. Intruders looking at devising ways to compromise security will also be disappointed. Organization of the Book This book is organized in three main parts. Part One is more like a refresher on basic security and the Java platform. If you are already familiar with these topics, feel free to move over to Part Two. You could also choose to read certain sections selectively and in any order. Part Two introduces the basic building blocks of the Java platform's security architecture-;APIs for cryptographic operations, Public Key Infrastructure, access control mechanisms, Java Secure Socket Extension for secure communication, and APIs for XML Signature and XML Encryption. A sound understanding of these topics is a must for developing secure enterprise applications. Part Three ties the concepts introduced in Part Two to specific J2EE APIs - RMI, Servlets, EJBs and Web services-;and their security architecture. The emphasis is on getting hands-on exposure to APIs and products, aided by lots of working code. Pa...

Buy It at Lowest Price on Amazon

Rating:
2.5 out of 5 by Book123