Organization of the Book
This book is organized in three main parts. Part One is essentially a refresher on basic security and the Java platform. If you are already familiar with these topics, feel free to skip ahead to Part Two. You could also choose to read certain sections selectively and in any order.
Part Two introduces the basic building blocks of the Java platform's security architecture—APIs for cryptographic operations, Public Key Infrastructure, access control mechanisms, Java Secure Socket Extension for secure communication, and APIs for XML Signature and XML Encryption. A sound understanding of these topics is a must for developing secure enterprise applications.
Part Three ties the concepts introduced in Part Two to specific J2EE APIs (RMI, Servlets, EJBs and Web services) and their security architecture. The emphasis is on getting hands-on exposure to APIs and products, aided by lots of working code.
Parts Two and Three are the main reason this book exists. Here we cover the underlying technology, identify the security issues in typical J2EE applications and go on to address them, explaining the abstractions, standards, protocols and APIs. An important aspect of these parts is that real, best-of-breed products are used to illustrate the concepts.
Below is an outline of the book's parts and chapters.
Part One: The Background
Part One builds the necessary background on computer security and the Java platform, preparing the reader for the more specific discussion in the later chapters.
Chapter 1. A Security Primer:
This chapter looks at news reports, survey findings and case studies to get a feel for computer and network security problems. This is followed by a review of the technologies behind the Internet and the corporate IT infrastructure and a discussion of how attackers exploit vulnerabilities to mount attacks. The chapter concludes with brief descriptions of enabling technologies in the fight against computer crime and of how application security, the main topic of the book, fits into the overall scheme of things.
Chapter 2. A Quick Tour of the Java Platform:
This chapter is a backgrounder on the Java platform, consisting of J2SE and J2EE, with a focus on security aspects. As with the previous chapter, the emphasis is on understanding the broader context of various Java technologies and their relationship to security-specific portions.
Part Two: The Technology
Part Two of the book focuses on the basic security technology available within the Java platform. Most of these technologies and APIs are packaged with J2SE and form the basis for the security capabilities of various enterprise application development APIs such as RMI, Servlets, EJBs and Web services.
Chapter 3. Cryptography with Java:
This chapter explains cryptographic services and the Java APIs supporting these services. The basic cryptographic APIs, JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension), are covered. In this chapter, you learn about secret key and public key cryptography, message digests, Message Authentication Codes, and digital signatures. The performance of certain cryptographic operations is also analyzed.
Chapter 4. PKI with Java:
This chapter discusses Java support for PKI (Public Key Infrastructure) components such as X.509 certificates, CAs (Certification Authorities), CRLs (Certificate Revocation Lists), and repositories in the Java platform. Steps in obtaining CA-signed certificates and managing certificates in a keystore are explained. It also covers the keytool utility for managing private keys and certificates. Java APIs to handle digital certificates and certification paths are also covered.
Chapter 5. Access Control:
This chapter explains the security model for protecting resources within a JVM with a Security Manager. Code-centric and user-centric access control through policy files and JAAS (Java Authentication and Authorization Service) are covered. A sample application of moderate complexity is introduced and JAAS is used to secure this application.
Chapter 6. Securing the Wire:
This chapter explains the SSL (Secure Socket Layer) protocol, also known as TLS (Transport Layer Security), for securing the exchange of information over unprotected networks at the transport level. The Java API JSSE (Java Secure Socket Extension) for developing SSL-enabled client and server programs is explained and illustrated through example programs.
Chapter 7. Securing the Message:
This chapter talks about message security as a means to secure messages independent of transport. XML security standards XML Signature and XML Encryption are explained. Two libraries with programmatic support for these standards are covered: Verisign's TSIK (Trust Services Integration Kit) and Infomosaic's SecureXML.
Part Three: The Application
Part Three is about applying security APIs, concepts and tools to enterprise applications.
Chapter 8. RMI Security:
This chapter discusses the security issues in developing RMI-based distributed applications. It covers the use of a security manager to limit the privileges of downloaded code, SSL for transport-level security and JAAS for user authentication and access control. These techniques are further illustrated with the help of examples.
Chapter 9. Web Application Security:
This chapter talks about the different forms of declarative and programmatic security for Servlets and JSPs. Apache Tomcat is used to illustrate the example programs. Detailed steps to set up Tomcat for accepting HTTPS connections, with or without client authentication, are presented. Common Web application vulnerabilities, such as cross-site scripting, command injection and failure to validate input, and mechanisms to safeguard against them are also covered.
Chapter 10. EJB Security:
This chapter discusses how the EJB architecture facilitates the development of software components for assembling secure enterprise applications. BEA's WebLogic Server is used to explore security concepts such as JNDI-based client authentication, SSL for transport-based security, a security protection domain spanning multiple J2EE servers, declarative access control through deployment descriptors, programmatic access control APIs, identity propagation, identity delegation and other related concepts.
Chapter 11. Web Services Security:
This chapter talks about security issues in developing, deploying and invoking Web services with JAX-RPC APIs. The open source SOAP (Simple Object Access Protocol) engine Apache Axis is used to illustrate the APIs and the examples. It explains the use of a number of technologies for Web services security: the Servlet deployment descriptor and API for authentication and access control, SSL for transport-based security and WS-Security for message-based security. JAX-RPC-compliant SOAP handlers are developed using VeriSign's TSIK and WSSecurity class library to illustrate secure Web service examples.
Chapter 12. Conclusions:
This final chapter takes a step back and reviews the subject matter of the book from a distance, identifying patterns, general principles and the interconnectedness of the topics. Security issues in the various Java-based enterprise application development infrastructures, such as sockets, RMI, Servlets, EJBs and Web services, are summarized and their dependence on lower-level cryptographic services, PKI entities, security protocols, authentication services and so on is analyzed.
Appendices
A number of appendices supplement the subject matter of the book.
Appendix A. Public Key Cryptography Standards:
A brief overview of relevant PKCS standards.
Appendix B. Standard Names: Java Cryptography Services:
Standard names used for cryptographic service algorithms and types in the Java Security APIs.
Appendix C. JSTK Tools:
A brief user guide to the JSTK (Java Security Tool Kit) tools, the software bundled with the book.
Appendix D. Example Programs:
A list of all the examples presented in the book with brief descriptions.
Appendix E. Products Used:
A list of all the software products used for developing the example programs.
Appendix F. Standards Bodies:
A brief description of standardization bodies related to security, Java and XML technologies.