Scope of the Book
This book is about applying security concepts, techniques, APIs, standards, and tools to identify and address enterprise application security problems within the Java environment. You will find the contents of the book useful for all stages of the development lifecycle: analysis, design, development, deployment, and operations.
Personally, I have enjoyed reading books that provide insight into the subject matter with appropriate focus on whys and hows, turning to official standards or product manuals for detailed and highly specific information. I also like to see source code fragments, execution steps and screen shots wherever appropriate, for they tell me exactly what to do to accomplish a desired result. Needless to say, this book has been written with these principles in mind.
The main focus of this book is the security of data and information maintained and served by enterprise applications running under J2EE. We accomplish this by identifying what needs to be secured, how and where. Further, we discuss the different mechanisms to accomplish this, covering:
- Cryptographic concepts and services that are at the heart of many security APIs and features.
- Public Key Infrastructure, which makes cryptography the basis of trust for security applications.
- Access Control based on the origin of code, the signer of signed code, and/or the credentials of the user running the code.
- Secure communication of data using Secure Socket Layer, also known as Transport Layer Security.
- Integrity, Authentication and Confidentiality of XML messages using XML Signature and Encryption.
- Security characteristics of RMI-based distributed applications.
- Securing Servlet and JSP-based Web Applications.
- Security of EJB-based Enterprise Applications.
- Security aspects of Web services development, deployment and operation.
Enterprise application security in J2EE builds upon the foundation of security concepts and architectures such as Cryptography, Digital Certificates, Public Key Infrastructure, Java security model, Java Cryptographic Architecture and so on. One should be comfortable with these topics to follow the main text. Similarly, one should know about basic Web services interoperability standards such as SOAP and WSDL and the Java programming model for Web services.
Not assuming that every reader is current with all these technologies, we cover them briefly, stressing those aspects that are more pertinent for the main subject area. This coverage is more appropriate as a quick refresher than a basic introduction and should be used accordingly.
At the same time, we must acknowledge that computer and network security is a vast and expanding field incorporating such diverse topics as cryptography, operating system security, network security, firewalls, computer viruses and anti-virus software, intrusion detection, incident response, vulnerability analysis, biometrics, social engineering, privacy and legal aspects, trusted computing, and so on. Though we recognize the importance of these topics in comprehensive security planning, they are not the focus of this book and hence receive only a brief overview in the first chapter.
We also refrain from getting into details of product specific non-standard security features. The only exceptions are product features that help illustrate a specific point not covered by the standards.