Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management / Edition 1

Paperback (Print)
Used and New from Other Sellers
Used and New from Other Sellers
from $38.52
Usually ships in 1-2 business days
(Save 35%)
Other sellers (Paperback)
  • All (5) from $38.52   
  • New (3) from $38.52   
  • Used (2) from $100.98   

Overview

Core Security Patterns is the hands-on practitioner's guide to building robust end-to-end security into J2EE enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications.
Read More Show Less

Product Details

  • ISBN-13: 9780133119763
  • Publisher: Prentice Hall
  • Publication date: 12/28/2012
  • Series: Sun Core Series
  • Edition number: 1
  • Pages: 1088
  • Product dimensions: 7.00 (w) x 9.10 (h) x 2.10 (d)

Meet the Author

Christopher Steel, CISSP, ISSAP, is the President and CEO of FortMoon Consulting and was recently the Chief Architect on the U.S. Treasury's Pay.gov project. He has over fifteen years experience in distributed enterprise computing with a strong focus on application security, patterns, and methodologies. He presents regularly at local and industry conferences on security-related topics.

Ramesh Nagappan is a Java Technology Architect at Sun Microsystems. With extensive industry experience, he specializes in Java distributed computing and security architectures for mission-critical applications. Previously he coauthored three best-selling books on J2EE, EAI, and Web Services. He is an active contributor to open source applications and industry-standard initiatives, and frequently speaks at industry conferences related to Java, XML, and Security.

Ray Lai, Principal Engineer at Sun Microsystems, has developed and architected enterprise applications and Web services solutions for leading multinational companies ranging from HSBC and Visa to American Express and DHL. He is author of J2EE Platform Web Services (Prentice Hall, 2004).

Read More Show Less

Table of Contents

Foreword
Foreword
Ch. 1 Security by default 2
Ch. 2 Basics of security 48
Ch. 3 The Java 2 platform security 94
Ch. 4 Java extensible security architecture and APIs 148
Ch. 5 J2EE security architecture 224
Ch. 6 Web services security - standards and technologies 282
Ch. 7 Identity management standards and technologies 356
Ch. 8 The alchemy of security design - methodology, patterns, and reality checks 438
Ch. 9 Securing the Web tier - design strategies and best practices 534
Ch. 10 Securing the business tier - design strategies and best practices 622
Ch. 11 Securing Web services - design strategies and best practices 698
Ch. 12 Securing the identity - design strategies and best practices 754
Ch. 13 Secure service provisioning - design strategies and best practices 816
Ch. 14 Building end-to-end security architecture - a case study 900
Ch. 15 Secure personal identification strategies using smart cards and biometrics 960
Read More Show Less

Preface

"The problems that exist in the world todaycannot be solved by the level of thinking that created them."--Albert Einstein

Security now has unprecedented importance in the information industry. It compels every business and organization to adopt proactive or reactive measures that protect data, processes, communication, and resources throughout the information lifecycle. In a continuous evolution, every day a new breed of business systems is finding its place and changes to existing systems are becoming common in the industry. These changes are designed to improve organizational efficiency and cost effectiveness and to increase consumer satisfaction. These improvements are often accompanied by newer security risks, to which businesses must respond with appropriate security strategies and processes. At the outset, securing an organization's information requires a thorough understanding of its security-related business challenges, potential threats, and best practices for mitigation of risks by means of appropriate safeguards and countermeasures. More importantly, it becomes essential that organizations adopt trusted proactive security approaches and enforce them at all levels--information processing, information transmittal, and information storage.

What This Book Is About

This book is meant to be a hands-on practitioner's guide to security. It captures a wealth of experience about using patterns-driven and best practices-based approaches to building trustworthy IT applications and services. The primary focus of the book is on the introduction of a security design methodology using a proven set of reusable patterns, best practices, reality checks, defensive strategies, and assessment checklists that can be applied to securing J2EE applications, Web Services, Identity Management, Service Provisioning, and Personal Identification. The book presents a catalog of 23 new security patterns and 101 best practices, identifying use case scenarios, architectural models, design strategies, applied technologies, and validation processes. The best practices and reality checks provide hints on real-world deployment and end-user experience of what works and what does not. The book also describes the architecture, mechanisms, standards, technologies, and implementation principles of applying security in J2EE applications, Web Services, Identity Management, Service Provisioning, and Personal Identification and explains the required fundamentals from the ground up.

Starting with an overview of today's business challenges, including the identification of security threats and exploits and an analysis of the importance of information security, security compliance, basic security concepts, and technologies, the book focuses in depth on the following topics:

  • Security mechanisms in J2SE, J2EE, J2ME, and Java Card platforms
  • Web Services security standards and technologies
  • Identity Management standards and technologies
  • Security design methodology, patterns, best practices, and reality checks
  • Security patterns and design strategies for J2EE applications
  • Security patterns and design strategies for Web Services
  • Security patterns and design strategies for Identity Management
  • Security patterns and design strategies for Service Provisioning
  • Building an end-to-end security architecture--case study
  • Secure Personal Identification strategies for using Smart Cards and Biometrics

The book emphasizes the use of the Java platform and stresses its importance in developing and deploying secure applications and services.

What This Book Is Not

While this book is heavily based on Java technologies, we do not describe the specific Java APIs intended for basic J2EE application development (e.g., JSPs, Servlets, and EJB). If you wish to learn the individual API technologies, we highly recommend the J2EE blueprints, tutorials, and recommended books on the official Java home page at http://java.sun.com.

We use UML diagrams to document the patterns and implementation strategies. If you wish to learn the UML basics, please refer to The Unified Modeling Language User Guide by Grady Booch, James Rumbaugh, and Ivar Jacobson (Addison-Wesley, 1999).

Who Should Read This Book?

This book is meant for all security enthusiasts, architects, Java developers, and technical project managers who are involved with securing information systems and business applications. The book is also valuable for those who wish to learn basic security concepts and technologies related to Java applications, Web Services, Identity Management, Service Provisioning, and Personal Identification using Smart Cards and Biometrics.

The book presumes that the reader has a basic conceptual knowledge of development and deployment of business applications using Java. We have attempted to write this book as an introduction to all security mechanisms used in the design, architecture, and development of applications using the Java platform. We intended our use of the methodology, patterns, best practices, and pitfalls to be an invaluable resource for answering the real-world IT security problems that software architects and developers face every day.

Most of us no longer have time to read a software development book from cover to cover. Therefore, we have broken this book into different technology parts; the book may thus be read in almost in any sequence according to the reader's specific interests.

How This Book Is Organized

The content of this book is organized into seven parts:

Part I: Introduction

Part I introduces the current state of the industry, business challenges, and various application security issues and strategies. It then presents the basics of security.

Chapter 1: Security by Default

This first chapter describes current business challenges, the weakest links of security, and critical application flaws and exploits. It introduces the security design strategies, concepts of patterns-driven security development, best practices, and reality checks. It also highlights the importance of security compliance, Identity Management, the Java platform, and Personal Identification technologies such as Smart Cards and Biometrics. In addition, this chapter presents security from a business perspective and offers recommendations for making a case for security as a business enabler that delivers specific benefits.

Chapter 2: Basics of Security

This chapter introduces the fundamentals of security, including the background and guiding principles of various security technologies. It also provides a high-level introduction to securing applications by using popular cryptographic techniques. In addition, it discusses basic concepts about the role of directory services and identity management in security.

Part II: Java Security Architecture and Technologies

Part II provides in-depth coverage and demonstration of security practices using J2SE, J2EE, J2ME, and Java Card technologies. It delves into the intricate details of Java platform security architecture and its contribution to the end-to-end security of Java-based application solutions.

Chapter 3: The Java 2 Platform Security

This chapter explores the inherent security features of the various Java platforms and the enabling of Java security in stand-alone Java applications, applets, Java Web start (JNLP) applications, J2ME MIDlets, and Java Card applets. It also explores how to use Java security management tools to manage keys and certificates. This chapter also discusses the importance of applying Java code obfuscation techniques.

Chapter 4: Java Extensible Security Architecture and APIs

This chapter provides an in-depth discussion of the Java extensible security architecture and its API framework as well as how to utilize those API implementations for building end-to-end security in Java-based application solutions. In particular, the chapter illustrates how to use Java security APIs for applying cryptographic mechanisms and public-key infrastructure, how to secure application communica*tion, and how to plug in third-party security providers in Java-based applications.

Chapter 5: J2EE Security Architecture

This chapter explains the J2EE security architecture and mechanisms and then illustrates how to apply them in the different application tiers and components. It features in-depth coverage of the J2EE security mechanisms applied to Web components (JSPs, Servlets, and JSFs), business components (EJBs), and integration components (JMS, JDBC, and J2EE connectors). This chapter also highlights J2EE-based Web services security and relevant technologies. In addition, it illustrates the different architectural options for designing a DMZ network topology that delivers security to J2EE applications in production.

Part III: Web Services Security and Identity Management

Part III concentrates on the industry-standard initiatives and technologies used to enable Web services security and identity management.

Chapter 6: Web Services Security--Standards and Technologies

This chapter explains the Web services architecture, its core building blocks, common Web services security threats and vulnerabilities, Web services security requirements and Web services security standards and technologies. It provides in-depth details about how to represent XML-based security using industry-standard initiatives such as XML Signature, XML Encryption, XKMS, WS-Security, SAML Profile, REL Profile and WS-I Basic Security Profile. In addition, this chapter also introduces the Java-based Web services infrastructure providers and XML-aware security appliances that facilitate support for enabling security in Web services.

Chapter 7: Identity Management--Standards and Technologies

This chapter provides an in-depth look at the standards and technologies essential for managing identity information. It highlights the identity management challenges and then introduces the architectural models for implementing standards-based identity management. It illustrates how to represent XML standards such as SAML, XACML and Liberty Alliance (ID-*) specifications for enabling federated identity management and identity-enabled services.

Part IV: Security Design Methodology, Patterns, and Reality Checks

Part IV describes a security design methodology and introduces a patterns-driven security design approach that can be adopted as part of a software design and development process.

Chapter 8: The Alchemy of Security Design-Security Methodology, Patterns, and Reality Checks

This chapter begins with a high-level discussion about the importance of using a security design methodology and then details a security design process for identifying and applying security practices throughout the software life cycle including architecture, design, development, deployment, production, and retirement. The chapter describes various roles and responsibilities and explains core security analysis processes required for the analysis of risks, trade-offs, effects, factors, tier options, threat profiling, and trust modeling. This chapter also introduces the security design patterns catalog and security assessment checklists that can be applied during application development to address security requirements or provide solutions.

Part V: Design Strategies and Best Practices

Part V presents the security patterns, strategies, and best practices categorized specific to J2EE application tiers, Web services, Identity Management, and Service Provisioning.

Chapter 9: Securing the Web Tier--Design Strategies and Best Practices

This chapter presents seven security patterns that pertain to designing and deploying J2EE Web-tier and presentation components such as JSPs, servlets, and other related components. Each pattern addresses a common problem associated with the Web-tier or presentation logic and describes a design solution illustrating numerous implementation strategies. It describes the results of using the pattern, highlights security factors and their associated risks when using the pattern, and demonstrates verification of pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices for securing J2EE Web components and Web-based applications.

Chapter 10: Securing the Business Tier--Design Strategies and Best Practices

This chapter presents seven security patterns that pertain to designing and deploying J2EE Business-tier components such as EJBs, JMS, and other related components. Each pattern addresses a set of security problems associated with the Business tier and describes a design solution illustrating numerous implementation strategies along with the results of using the pattern. It highlights security factors and associated risks of using the Business-tier security pattern and finally verifies pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices and pitfalls in securing J2EE business components.

Chapter 11: Securing Web Services--Design Strategies and Best Practices

This chapter presents three security patterns that pertain to designing and deploying Web services. The chapter begins with a discussion of the Web services security infrastructure and key components that contribute to security. Then it describes each pattern, addresses the security problems associated with Web services, and describes a design solution illustrating numerous implementation strategies and consequences of using the Web services pattern. It also highlights security factors and associated risks using the pattern and verifies pattern applicability using reality checks. Finally, the chapter provides a comprehensive list of best practices and pitfalls in securing Web services.

Chapter 12: Securing the Identity-Design Strategies and Best Practices

This chapter presents three security patterns that pertain to Identity Management. Each pattern addresses an Identity Management-specific issue, describes a design solution illustrating implementation strategies, presents the results of using the pattern, and then highlights security factors and associated risks using the pattern. Finally, the chapter verifies pattern applicability using reality checks. It also provides a comprehensive list of best practices in Identity Management.

Chapter 13: Secure Service Provisioning--Design Strategies and Best Practices

This chapter begins with a high-level discussion of business challenges, the scope of Service Provisioning, and the relationship of Service Provisioning to Identity Management. Then it details the process for user account provisioning and discusses various architecture and application scenarios. It presents a security pattern that applies to user account provisioning and illustrates implementation strategies and the results of using the pattern. Then it highlights security factors and associated risks involved with using the pattern and verify pattern applicability using reality checks. This chapter also introduces SPML and its relevance in Service Provisioning. Finally, the chapter provides a comprehensive list of best practices for Service Provisioning.

Part VI: Putting It All Together

Part VI presents a case study that illustrates a real-world security implementation scenario and describes how to put the security design process to work using the patterns and best practices.

Chapter 14: Building an End-to-End Security Architecture--Case Study

This chapter uses a real-world example of a Web portal that shows how to define and implement an end-to-end security solution using the security design methodology, design patterns, and best practices introduced in this book. The chapter walks through the security design process, illustrating how to analyze and identify risks, how to balance trade-offs, how to identify and apply security patterns, and how to perform factor analysis, tier analysis, threat profiling, and reality checks.

The chapter also provides details about how to adopt a patterns-driven security design process, the pertinent do's and don'ts, and describes how to align security in different logical tiers together to deliver end-to-end security.

Part VII: Personal Identification Using Smart Cards and Biometrics

Part VII provides in-depth coverage on Personal Identification using Smart Cards and Biometrics. It delves into the enabling technologies, architecture, implementation strategies of using Smart Cards, Biometrics and combination of both.

Chapter 15: Secure Personal Identification Using Smart Cards and Biometrics

This chapter explores the concepts, technologies, architectural strategies, and best practices for implementing secure Personal Identification and authentication using Smart Cards and Biometrics. The chapter begins with a discussion of the importance of converging physical and logical access control and the role of using Smart Cards and Biometrics in Personal Identification. This chapter illustrates the architecture and implementation strategies for enabling Smart Cards and Biometrics-based authentication in J2EE-based enterprise applications, UNIX, and Windows environments as well as how to combine these in multifactor authentication. Finally, the chapter provides a comprehensive list of best practices for using Smart Cards and Biometrics in secure Personal Identification.

Companion Web Site

The official companion Web site for this book is www.coresecuritypatterns.com. All example illustrations found within this book can be downloaded from that site. The site will also include errata, changes, updates, and additional reading recommendations and references.

The Prentice Hall Web site for this book is http://www.phptr.com/title/ 0131463071.

Feedback

The authors would like to receive reader feedback, so we encourage you to post questions using the discussion forum linked to the Web site. You can also contact the authors at their prospective email addresses. Contact information can be found at www.coresecuritypatterns.com. The Web site also includes a reader's forum for public subscription and participation. Readers may also post their questions, share their views, and discuss related topics.

Welcome to Core Security Patterns. We hope you enjoy reading this book as much as we enjoyed writing it. We trust that you will be able to adopt the theory, concepts, techniques, and approaches that we have discussed as you design, deploy, and upgrade the security of your IT systems--and keep those systems immune from all security risks and vulnerabilities in the future.

--Chris, Ramesh, and Ray

www.coresecuritypatterns.com

0131463071P09272005

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)