Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management / Edition 1



Praise for Core Security Patterns

Java provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patterns addresses both aspects of security and will be a guide to developers everywhere in creating more secure applications.

--Whitfield Diffie, inventor of Public-Key Cryptography

A comprehensive book on Security Patterns, which are critical for secure programming.

--Li Gong, former Chief Java Security Architect, Sun Microsystems, and coauthor of Inside Java 2 Platform Security

As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts.

--Joe Uniejewski, Chief Technology Officer and Senior Vice President, RSA Security, Inc.

This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry.

--Judy Lin, Executive Vice President, VeriSign, Inc.

Core Security Patterns provides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indispensable security reference by their side.

--Bill Hamilton, author of ADO.NET Cookbook, ADO.NET in a Nutshell, and NUnit Pocket Reference

As a trusted advisor, this book will serve as a Java developer's security handbook, providing applied patterns and design strategies for securing Java applications.

--Shaheen Nasirudheen, CISSP, Senior Technology Officer, JPMorgan Chase

Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors' strong security experience, they created a must-have book for any designer/developer looking to create secure applications.

--John Crupi, Distinguished Engineer, Sun Microsystems, coauthor of Core J2EE Patterns

Core Security Patterns is the hands-on practitioner's guide to building robust end-to-end security into J2EE™ enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications.

The authors explain the fundamentals of Java application security from the ground up, then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and twenty-three proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code. They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME™ applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using Smart Cards and Biometrics.

Core Security Patterns covers all of the following, and more:

  • What works and what doesn't: J2EE application-security best practices, and common pitfalls to avoid
  • Implementing key Java platform security features in real-world applications
  • Establishing Web Services security using XML Signature, XML Encryption, WS-Security, XKMS, and WS-I Basic security profile
  • Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML
  • Designing secure personal identification solutions using Smart Cards and Biometrics
  • Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists
  • End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications

Product Details

  • ISBN-13: 9780133119763
  • Publisher: Prentice Hall
  • Publication date: 12/28/2012
  • Series: Sun Core Series
  • Edition number: 1
  • Pages: 1088
  • Product dimensions: 7.00 (w) x 9.10 (h) x 2.10 (d)

Meet the Author

Christopher Steel, CISSP, ISSAP, is the President and CEO of FortMoon Consulting and was recently the Chief Architect on the U.S. Treasury's project. He has over fifteen years' experience in distributed enterprise computing with a strong focus on application security, patterns, and methodologies. He presents regularly at local and industry conferences on security-related topics.

Ramesh Nagappan is a Java Technology Architect at Sun Microsystems. With extensive industry experience, he specializes in Java distributed computing and security architectures for mission-critical applications. Previously he coauthored three best-selling books on J2EE, EAI, and Web Services. He is an active contributor to open source applications and industry-standard initiatives, and frequently speaks at industry conferences related to Java, XML, and Security.

Ray Lai, Principal Engineer at Sun Microsystems, has developed and architected enterprise applications and Web services solutions for leading multinational companies ranging from HSBC and Visa to American Express and DHL. He is author of J2EE Platform Web Services (Prentice Hall, 2004).


Table of Contents

Foreword by Judy Lin.
Foreword by Joe Uniejewski.
About the Authors.

1. Security by Default.
Business Challenges Around Security
What Are the Weakest Links?
The Impact of Application Security
The Four W's
Strategies for Building Robust Security
Proactive and Reactive Security
The Importance of Security Compliance
The Importance of Identity Management
The Importance of Java Technology
Making Security a "Business Enabler"

2. Basics of Security.
Security Requirements and Goals
The Role of Cryptography in Security
The Role of Secure Sockets Layer (SSL)
The Importance and Role of LDAP in Security
Common Challenges in Cryptography
Threat Modeling
Identity Management

3. The Java 2 Platform Security.
Java Security Architecture
Java Applet Security
Java Web Start Security
Java Security Management Tools
J2ME Security Architecture
Java Card Security Architecture
Securing the Java Code

4. Java Extensible Security Architecture and APIs.
Java Extensible Security Architecture
Java Cryptography Architecture (JCA)
Java Cryptographic Extensions (JCE)
Java Certification Path API (CertPath)
Java Secure Socket Extension (JSSE)
Java Authentication and Authorization Service (JAAS)
Java Generic Secure Services API (JGSS)
Simple Authentication and Security Layer (SASL)

5. J2EE Security Architecture.
J2EE Architecture and Its Logical Tiers
J2EE Security Definitions
J2EE Security Infrastructure
J2EE Container-Based Security
J2EE Component/Tier-Level Security
J2EE Client Security
EJB Tier or Business Component Security
EIS Integration Tier--Overview
J2EE Architecture--Network Topology
J2EE Web Services Security--Overview

6. Web Services Security--Standards and Technologies.
Web Services Architecture and Its Building Blocks
Web Services Security--Core Issues
Web Services Security Requirements
Web Services Security Standards
XML Signature
XML Encryption
XML Key Management System (XKMS)
OASIS Web Services Security (WS-Security)
WS-I Basic Security Profile
Java-Based Web Services Security Providers
XML-Aware Security Appliances

7. Identity Management Standards and Technologies.
Identity Management--Core Issues
Understanding Network Identity and Federated Identity
Introduction to SAML
SAML Architecture
SAML Usage Scenarios
The Role of SAML in J2EE-Based Applications and Web Services
Introduction to Liberty Alliance and Their Objectives
Liberty Alliance Architecture
Liberty Usage Scenarios
The Nirvana of Access Control and Policy Management
Introduction to XACML
XACML Data Flow and Architecture
XACML Usage Scenarios

8. The Alchemy of Security Design--Methodology, Patterns, and Reality Checks.
The Rationale
Secure UP
Security Patterns
Security Patterns for J2EE, Web Services, Identity Management, and Service Provisioning
Reality Checks
Security Testing
Adopting a Security Framework
Refactoring Security Design
Service Continuity and Recovery

9. Securing the Web Tier--Design Strategies and Best Practices.
Web-Tier Security Patterns
Best Practices and Pitfalls

10. Securing the Business Tier--Design Strategies and Best Practices.
Security Considerations in the Business Tier
Business Tier Security Patterns
Best Practices and Pitfalls

11. Securing Web Services--Design Strategies and Best Practices.
Web Services Security Protocols Stack
Web Services Security Infrastructure
Web Services Security Patterns
Best Practices and Pitfalls
Best Practices

12. Securing the Identity--Design Strategies and Best Practices.
Identity Management Security Patterns
Best Practices and Pitfalls

13. Secure Service Provisioning--Design Strategies and Best Practices.
Business Challenges
User Account Provisioning Architecture
Introduction to SPML
Service Provisioning Security Pattern
Best Practices and Pitfalls

14. Building End-to-End Security Architecture--A Case Study.
Use Case Scenarios
Application Architecture
Security Architecture
Lessons Learned

15. Secure Personal Identification Strategies Using Smart Cards and Biometrics.
Physical and Logical Access Control
Enabling Technologies
Smart Card-Based Identification and Authentication
Biometric Identification and Authentication
Multi-factor Authentication Using Smart Cards and Biometrics
Best Practices and Pitfalls

"The problems that exist in the world today cannot be solved by the level of thinking that created them."--Albert Einstein

Security now has unprecedented importance in the information industry. It compels every business and organization to adopt proactive or reactive measures that protect data, processes, communication, and resources throughout the information lifecycle. In a continuous evolution, every day a new breed of business systems is finding its place and changes to existing systems are becoming common in the industry. These changes are designed to improve organizational efficiency and cost effectiveness and to increase consumer satisfaction. These improvements are often accompanied by newer security risks, to which businesses must respond with appropriate security strategies and processes. At the outset, securing an organization's information requires a thorough understanding of its security-related business challenges, potential threats, and best practices for mitigation of risks by means of appropriate safeguards and countermeasures. More importantly, it becomes essential that organizations adopt trusted proactive security approaches and enforce them at all levels--information processing, information transmittal, and information storage.

What This Book Is About

This book is meant to be a hands-on practitioner's guide to security. It captures a wealth of experience about using patterns-driven and best practices-based approaches to building trustworthy IT applications and services. The primary focus of the book is on the introduction of a security design methodology using a proven set of reusable patterns, best practices, reality checks, defensive strategies, and assessment checklists that can be applied to securing J2EE applications, Web Services, Identity Management, Service Provisioning, and Personal Identification. The book presents a catalog of 23 new security patterns and 101 best practices, identifying use case scenarios, architectural models, design strategies, applied technologies, and validation processes. The best practices and reality checks provide hints on real-world deployment and end-user experience of what works and what does not. The book also describes the architecture, mechanisms, standards, technologies, and implementation principles of applying security in J2EE applications, Web Services, Identity Management, Service Provisioning, and Personal Identification and explains the required fundamentals from the ground up.

Starting with an overview of today's business challenges, including the identification of security threats and exploits and an analysis of the importance of information security, security compliance, basic security concepts, and technologies, the book focuses in depth on the following topics:

  • Security mechanisms in J2SE, J2EE, J2ME, and Java Card platforms
  • Web Services security standards and technologies
  • Identity Management standards and technologies
  • Security design methodology, patterns, best practices, and reality checks
  • Security patterns and design strategies for J2EE applications
  • Security patterns and design strategies for Web Services
  • Security patterns and design strategies for Identity Management
  • Security patterns and design strategies for Service Provisioning
  • Building an end-to-end security architecture--case study
  • Secure Personal Identification strategies using Smart Cards and Biometrics

The book emphasizes the use of the Java platform and stresses its importance in developing and deploying secure applications and services.

What This Book Is Not

While this book is heavily based on Java technologies, we do not describe the specific Java APIs intended for basic J2EE application development (e.g., JSPs, Servlets, and EJB). If you wish to learn the individual API technologies, we highly recommend the J2EE blueprints, tutorials, and recommended books on the official Java home page at

We use UML diagrams to document the patterns and implementation strategies. If you wish to learn the UML basics, please refer to The Unified Modeling Language User Guide by Grady Booch, James Rumbaugh, and Ivar Jacobson (Addison-Wesley, 1999).

Who Should Read This Book?

This book is meant for all security enthusiasts, architects, Java developers, and technical project managers who are involved with securing information systems and business applications. The book is also valuable for those who wish to learn basic security concepts and technologies related to Java applications, Web Services, Identity Management, Service Provisioning, and Personal Identification using Smart Cards and Biometrics.

The book presumes that the reader has a basic conceptual knowledge of development and deployment of business applications using Java. We have attempted to write this book as an introduction to all security mechanisms used in the design, architecture, and development of applications using the Java platform. We intended our use of the methodology, patterns, best practices, and pitfalls to be an invaluable resource for answering the real-world IT security problems that software architects and developers face every day.

Most of us no longer have time to read a software development book from cover to cover. Therefore, we have broken this book into different technology parts; the book may thus be read in almost any sequence according to the reader's specific interests.

How This Book Is Organized

The content of this book is organized into seven parts:

Part I: Introduction

Part I introduces the current state of the industry, business challenges, and various application security issues and strategies. It then presents the basics of security.

Chapter 1: Security by Default

This first chapter describes current business challenges, the weakest links of security, and critical application flaws and exploits. It introduces the security design strategies, concepts of patterns-driven security development, best practices, and reality checks. It also highlights the importance of security compliance, Identity Management, the Java platform, and Personal Identification technologies such as Smart Cards and Biometrics. In addition, this chapter presents security from a business perspective and offers recommendations for making a case for security as a business enabler that delivers specific benefits.

Chapter 2: Basics of Security

This chapter introduces the fundamentals of security, including the background and guiding principles of various security technologies. It also provides a high-level introduction to securing applications by using popular cryptographic techniques. In addition, it discusses basic concepts about the role of directory services and identity management in security.

Part II: Java Security Architecture and Technologies

Part II provides in-depth coverage and demonstration of security practices using J2SE, J2EE, J2ME, and Java Card technologies. It delves into the intricate details of Java platform security architecture and its contribution to the end-to-end security of Java-based application solutions.

Chapter 3: The Java 2 Platform Security

This chapter explores the inherent security features of the various Java platforms and the enabling of Java security in stand-alone Java applications, applets, Java Web Start (JNLP) applications, J2ME MIDlets, and Java Card applets. It also explores how to use Java security management tools to manage keys and certificates. This chapter also discusses the importance of applying Java code obfuscation techniques.

Chapter 4: Java Extensible Security Architecture and APIs

This chapter provides an in-depth discussion of the Java extensible security architecture and its API framework as well as how to utilize those API implementations for building end-to-end security in Java-based application solutions. In particular, the chapter illustrates how to use Java security APIs for applying cryptographic mechanisms and public-key infrastructure, how to secure application communication, and how to plug in third-party security providers in Java-based applications.

Chapter 5: J2EE Security Architecture

This chapter explains the J2EE security architecture and mechanisms and then illustrates how to apply them in the different application tiers and components. It features in-depth coverage of the J2EE security mechanisms applied to Web components (JSPs, Servlets, and JSFs), business components (EJBs), and integration components (JMS, JDBC, and J2EE connectors). This chapter also highlights J2EE-based Web services security and relevant technologies. In addition, it illustrates the different architectural options for designing a DMZ network topology that delivers security to J2EE applications in production.

Part III: Web Services Security and Identity Management

Part III concentrates on the industry-standard initiatives and technologies used to enable Web services security and identity management.

Chapter 6: Web Services Security--Standards and Technologies

This chapter explains the Web services architecture, its core building blocks, common Web services security threats and vulnerabilities, Web services security requirements, and Web services security standards and technologies. It provides in-depth details about how to represent XML-based security using industry-standard initiatives such as XML Signature, XML Encryption, XKMS, WS-Security, SAML Profile, REL Profile, and WS-I Basic Security Profile. In addition, this chapter introduces the Java-based Web services infrastructure providers and XML-aware security appliances that facilitate support for enabling security in Web services.

Chapter 7: Identity Management--Standards and Technologies

This chapter provides an in-depth look at the standards and technologies essential for managing identity information. It highlights the identity management challenges and then introduces the architectural models for implementing standards-based identity management. It illustrates how to apply XML standards such as SAML, XACML, and the Liberty Alliance (ID-*) specifications for enabling federated identity management and identity-enabled services.

Part IV: Security Design Methodology, Patterns, and Reality Checks

Part IV describes a security design methodology and introduces a patterns-driven security design approach that can be adopted as part of a software design and development process.

Chapter 8: The Alchemy of Security Design--Security Methodology, Patterns, and Reality Checks

This chapter begins with a high-level discussion about the importance of using a security design methodology and then details a security design process for identifying and applying security practices throughout the software life cycle, including architecture, design, development, deployment, production, and retirement. The chapter describes various roles and responsibilities and explains the core security analysis processes required for the analysis of risks, trade-offs, effects, factors, tier options, threat profiling, and trust modeling. This chapter also introduces the security design patterns catalog and security assessment checklists that can be applied during application development to address security requirements or provide solutions.

Part V: Design Strategies and Best Practices

Part V presents the security patterns, strategies, and best practices categorized specific to J2EE application tiers, Web services, Identity Management, and Service Provisioning.

Chapter 9: Securing the Web Tier--Design Strategies and Best Practices

This chapter presents seven security patterns that pertain to designing and deploying J2EE Web-tier and presentation components such as JSPs, servlets, and other related components. Each pattern addresses a common problem associated with the Web-tier or presentation logic and describes a design solution illustrating numerous implementation strategies. It describes the results of using the pattern, highlights security factors and their associated risks when using the pattern, and demonstrates verification of pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices for securing J2EE Web components and Web-based applications.

Chapter 10: Securing the Business Tier--Design Strategies and Best Practices

This chapter presents seven security patterns that pertain to designing and deploying J2EE Business-tier components such as EJBs, JMS, and other related components. Each pattern addresses a set of security problems associated with the Business tier and describes a design solution illustrating numerous implementation strategies along with the results of using the pattern. It highlights security factors and associated risks of using the Business-tier security pattern and finally verifies pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices and pitfalls in securing J2EE business components.

Chapter 11: Securing Web Services--Design Strategies and Best Practices

This chapter presents three security patterns that pertain to designing and deploying Web services. The chapter begins with a discussion of the Web services security infrastructure and key components that contribute to security. Then it describes each pattern, addresses the security problems associated with Web services, and describes a design solution illustrating numerous implementation strategies and consequences of using the Web services pattern. It also highlights security factors and associated risks using the pattern and verifies pattern applicability using reality checks. Finally, the chapter provides a comprehensive list of best practices and pitfalls in securing Web services.

Chapter 12: Securing the Identity--Design Strategies and Best Practices

This chapter presents three security patterns that pertain to Identity Management. Each pattern addresses an Identity Management-specific issue, describes a design solution illustrating implementation strategies, presents the results of using the pattern, and then highlights security factors and associated risks using the pattern. Finally, the chapter verifies pattern applicability using reality checks. It also provides a comprehensive list of best practices in Identity Management.

Chapter 13: Secure Service Provisioning--Design Strategies and Best Practices

This chapter begins with a high-level discussion of business challenges, the scope of Service Provisioning, and the relationship of Service Provisioning to Identity Management. Then it details the process for user account provisioning and discusses various architecture and application scenarios. It presents a security pattern that applies to user account provisioning and illustrates implementation strategies and the results of using the pattern. Then it highlights security factors and associated risks involved with using the pattern and verifies pattern applicability using reality checks. This chapter also introduces SPML and its relevance in Service Provisioning. Finally, the chapter provides a comprehensive list of best practices for Service Provisioning.

Part VI: Putting It All Together

Part VI presents a case study that illustrates a real-world security implementation scenario and describes how to put the security design process to work using the patterns and best practices.

Chapter 14: Building an End-to-End Security Architecture--Case Study

This chapter uses a real-world example of a Web portal that shows how to define and implement an end-to-end security solution using the security design methodology, design patterns, and best practices introduced in this book. The chapter walks through the security design process, illustrating how to analyze and identify risks, how to balance trade-offs, how to identify and apply security patterns, and how to perform factor analysis, tier analysis, threat profiling, and reality checks.

The chapter also provides details about how to adopt a patterns-driven security design process, the pertinent do's and don'ts, and describes how to align security in different logical tiers together to deliver end-to-end security.

Part VII: Personal Identification Using Smart Cards and Biometrics

Part VII provides in-depth coverage of Personal Identification using Smart Cards and Biometrics. It delves into the enabling technologies, architecture, and implementation strategies for using Smart Cards, Biometrics, and a combination of both.

Chapter 15: Secure Personal Identification Using Smart Cards and Biometrics

This chapter explores the concepts, technologies, architectural strategies, and best practices for implementing secure Personal Identification and authentication using Smart Cards and Biometrics. The chapter begins with a discussion of the importance of converging physical and logical access control and the role of Smart Cards and Biometrics in Personal Identification. This chapter illustrates the architecture and implementation strategies for enabling Smart Card- and Biometrics-based authentication in J2EE-based enterprise applications, UNIX, and Windows environments, as well as how to combine these in multifactor authentication. Finally, the chapter provides a comprehensive list of best practices for using Smart Cards and Biometrics in secure Personal Identification.

Companion Web Site

The official companion Web site for this book is All example illustrations found within this book can be downloaded from that site. The site will also include errata, changes, updates, and additional reading recommendations and references.

The Prentice Hall Web site for this book is 0131463071.

The authors would like to receive reader feedback, so we encourage you to post questions using the discussion forum linked to the Web site. You can also contact the authors at their respective email addresses. Contact information can be found at The Web site also includes a reader's forum for public subscription and participation. Readers may also post their questions, share their views, and discuss related topics.

Welcome to Core Security Patterns. We hope you enjoy reading this book as much as we enjoyed writing it. We trust that you will be able to adopt the theory, concepts, techniques, and approaches that we have discussed as you design, deploy, and upgrade the security of your IT systems--and keep those systems immune from all security risks and vulnerabilities in the future.

--Chris, Ramesh, and Ray
