ISBN-10:
0133119769
ISBN-13:
2900133119762
Pub. Date:
10/28/2005
Publisher:
Prentice Hall
Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management / Edition 1

Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management / Edition 1

by Christopher Steel
Current price is , Original price is $59.99. You
  • $32.60 $59.99 Save 46% Current price is $32.6, Original price is $59.99. You Save 46%.
    Note: Access code and/or supplemental material are not guaranteed to be included with textbook rental or used textbook.

    Temporarily Out of Stock Online

    Please check back later for updated availability.

  • This Item is Not Available

  • Product Details

    ISBN-13: 2900133119762
    Publisher: Prentice Hall
    Publication date: 10/28/2005
    Series: Sun Core Series
    Pages: 1088
    Product dimensions: 6.00(w) x 1.25(h) x 9.00(d)

    About the Author

    Christopher Steel, CISSP, ISSAP, is the President and CEO of FortMoon Consulting and was recently the Chief Architect on the U.S. Treasury's Pay.gov project. He has over fifteen years experience in distributed enterprise computing with a strong focus on application security, patterns, and methodologies. He presents regularly at local and industry conferences on security-related topics.

    Ramesh Nagappan is a Java Technology Architect at Sun Microsystems. With extensive industry experience, he specializes in Java distributed computing and security architectures for mission-critical applications. Previously he coauthored three best-selling books on J2EE, EAI, and Web Services. He is an active contributor to open source applications and industry-standard initiatives, and frequently speaks at industry conferences related to Java, XML, and Security.

    Ray Lai, Principal Engineer at Sun Microsystems, has developed and architected enterprise applications and Web services solutions for leading multinational companies ranging from HSBC and Visa to American Express and DHL. He is author of J2EE Platform Web Services (Prentice Hall, 2004).



    Table of Contents

    Foreword by Judy Lin.

    Foreword by Joe Uniejewski.

    Preface.

    Acknowledgments.

    About the Authors.

    I. INTRODUCTION.

    1. Security by Default.

    Business Challenges Around Security

    What Are the Weakest Links?

    The Impact of Application Security

    The Four W's

    Strategies for Building Robust Security

    Proactive and Reactive Security

    The Importance of Security Compliance

    The Importance of Identity Management

    The Importance of Java Technology

    Making Security a "Business Enabler"

    Summary

    References

    2. Basics of Security.

    Security Requirements and Goals

    The Role of Cryptography in Security

    The Role of Secure Sockets Layer (SSL)

    The Importance and Role of LDAP in Security

    Common Challenges in Cryptography

    Threat Modeling

    Identity Management

    Summary

    References

    II. JAVA SECURITY ARCHITECTURE AND TECHNOLOGIES.

    3. The Java 2 Platform Security.

    Java Security Architecture

    Java Applet Security

    Java Web Start Security

    Java Security Management Tools

    J2ME Security Architecture

    Java Card Security Architecture

    Securing the Java Code

    Summary

    References

    4. Java Extensible Security Architecture and APIs.

    Java Extensible Security Architecture

    Java Cryptography Architecture (JCA)

    Java Cryptographic Extensions (JCE)

    Java Certification Path API (CertPath)

    Java Secure Socket Extension (JSSE)

    Java Authentication and Authorization Service (JAAS)

    Java Generic Secure Services API (JGSS)

    Simple Authentication and Security Layer (SASL)

    Summary

    References

    5. J2EE Security Architecture.

    J2EE Architecture and Its Logical Tiers

    J2EE Security Definitions

    J2EE Security Infrastructure

    J2EE Container-Based Security

    J2EE Component/Tier-Level Security

    J2EE Client Security

    EJB Tier or Business Component Security

    EIS Integration Tier-Overview

    J2EE Architecture--Network Topology

    J2EE Web Services Security-Overview

    Summary

    References

    III. WEB SERVICES SECURITY AND IDENTITY MANAGEMENT.

    6. Web Services Security--Standards and Technologies.

    Web Services Architecture and Its Building Blocks

    Web Services Security--Core Issues

    Web Services Security Requirements

    Web Services Security Standards

    XML Signature

    XML Encryption

    XML Key Management System (XKMS)

    OASIS Web Services Security (WS-Security)

    WS-I Basic Security Profile

    Java-Based Web Services Security Providers

    XML-Aware Security Appliances

    Summary

    References

    7. Identity Management Standards and Technologies.

    Identity Management--Core Issues

    Understanding Network Identity and Federated Identity

    Introduction to SAML

    SAML Architecture

    SAML Usage Scenarios

    The Role of SAML in J2EE-Based Applications and Web Services

    Introduction to Liberty Alliance and Their Objectives

    Liberty Alliance Architecture

    Liberty Usage Scenarios

    The Nirvana of Access Control and Policy Management

    Introduction to XACML

    XACML Data Flow and Architecture

    XACML Usage Scenarios

    Summary

    References

    IV. SECURITY DESIGN METHODOLOGY, PATTERNS, AND REALITY CHECKS.

    8. The Alchemy of Security Design--Methodology, Patterns, and Reality Checks.

    The Rationale

    Secure UP

    Security Patterns

    Security Patterns for J2EE, Web Services, Identity Management, and Service Provisioning

    Reality Checks

    Security Testing

    Adopting a Security Framework

    Refactoring Security Design

    Service Continuity and Recovery

    Conclusion

    References

    V. DESIGN STRATEGIES AND BEST PRACTICES.

    9. Securing the Web Tier--Design Strategies and Best Practices.

    Web-Tier Security Patterns

    Best Practices and Pitfalls

    References

    10. Securing the Business Tier--Design Strategies and Best Practices.

    Security Considerations in the Business Tier

    Business Tier Security Patterns

    Best Practices and Pitfalls

    References

    11. Securing Web Services--Design Strategies and Best Practices.

    Web Services Security Protocols Stack

    Web Services Security Infrastructure

    Web Services Security Patterns

    Best Practices and Pitfalls

    Best Practices

    References

    12. Securing the Identity--Design Strategies and Best Practices.

    Identity Management Security Patterns

    Best Practices and Pitfalls

    References

    13. Secure Service Provisioning--Design Strategies and Best Practices.

    Business Challenges

    User Account Provisioning Architecture

    Introduction to SPML

    Service Provisioning Security Pattern

    Best Practices and Pitfalls

    Summary

    References

    VI. PUTTING IT ALL TOGETHER.

    14. Building End-to-End Security Architecture--A Case Study.

    Overview

    Use Case Scenarios

    Application Architecture

    Security Architecture

    Design

    Development

    Testing

    Deployment

    Summary

    Lessons Learned

    Pitfalls

    Conclusion

    References

    VII. PERSONAL IDENTIFICATION USING SMART CARDS AND BIOMETRICS.

    15. Secure Personal Identification Strategies Using Smart Cards and Biometrics.

    Physical and Logical Access Control

    Enabling Technologies

    Smart Card-Based Identification and Authentication

    Biometric Identification and Authentication

    Multi-factor Authentication Using Smart Cards and Biometrics

    Best Practices and Pitfalls

    References

    Index.

    Preface

    "The problems that exist in the world todaycannot be solved by the level of thinking that created them."--Albert Einstein

    Security now has unprecedented importance in the information industry. It compels every business and organization to adopt proactive or reactive measures that protect data, processes, communication, and resources throughout the information lifecycle. In a continuous evolution, every day a new breed of business systems is finding its place and changes to existing systems are becoming common in the industry. These changes are designed to improve organizational efficiency and cost effectiveness and to increase consumer satisfaction. These improvements are often accompanied by newer security risks, to which businesses must respond with appropriate security strategies and processes. At the outset, securing an organization's information requires a thorough understanding of its security-related business challenges, potential threats, and best practices for mitigation of risks by means of appropriate safeguards and countermeasures. More importantly, it becomes essential that organizations adopt trusted proactive security approaches and enforce them at all levels--information processing, information transmittal, and information storage.

    What This Book Is About

    This book is meant to be a hands-on practitioner's guide to security. It captures a wealth of experience about using patterns-driven and best practices-based approaches to building trustworthy IT applications and services. The primary focus of the book is on the introduction of a security design methodology using a proven set of reusable patterns, best practices, reality checks, defensive strategies, and assessment checklists that can be applied to securing J2EE applications, Web Services, Identity Management, Service Provisioning, and Personal Identification. The book presents a catalog of 23 new security patterns and 101 best practices, identifying use case scenarios, architectural models, design strategies, applied technologies, and validation processes. The best practices and reality checks provide hints on real-world deployment and end-user experience of what works and what does not. The book also describes the architecture, mechanisms, standards, technologies, and implementation principles of applying security in J2EE applications, Web Services, Identity Management, Service Provisioning, and Personal Identification and explains the required fundamentals from the ground up.

    Starting with an overview of today's business challenges, including the identification of security threats and exploits and an analysis of the importance of information security, security compliance, basic security concepts, and technologies, the book focuses in depth on the following topics:

    • Security mechanisms in J2SE, J2EE, J2ME, and Java Card platforms
    • Web Services security standards and technologies
    • Identity Management standards and technologies
    • Security design methodology, patterns, best practices, and reality checks
    • Security patterns and design strategies for J2EE applications
    • Security patterns and design strategies for Web Services
    • Security patterns and design strategies for Identity Management
    • Security patterns and design strategies for Service Provisioning
    • Building an end-to-end security architecture--case study
    • Secure Personal Identification strategies for using Smart Cards and Biometrics

    The book emphasizes the use of the Java platform and stresses its importance in developing and deploying secure applications and services.

    What This Book Is Not

    While this book is heavily based on Java technologies, we do not describe the specific Java APIs intended for basic J2EE application development (e.g., JSPs, Servlets, and EJB). If you wish to learn the individual API technologies, we highly recommend the J2EE blueprints, tutorials, and recommended books on the official Java home page at http://java.sun.com.

    We use UML diagrams to document the patterns and implementation strategies. If you wish to learn the UML basics, please refer to The Unified Modeling Language User Guide by Grady Booch, James Rumbaugh, and Ivar Jacobson (Addison-Wesley, 1999).

    Who Should Read This Book?

    This book is meant for all security enthusiasts, architects, Java developers, and technical project managers who are involved with securing information systems and business applications. The book is also valuable for those who wish to learn basic security concepts and technologies related to Java applications, Web Services, Identity Management, Service Provisioning, and Personal Identification using Smart Cards and Biometrics.

    The book presumes that the reader has a basic conceptual knowledge of development and deployment of business applications using Java. We have attempted to write this book as an introduction to all security mechanisms used in the design, architecture, and development of applications using the Java platform. We intended our use of the methodology, patterns, best practices, and pitfalls to be an invaluable resource for answering the real-world IT security problems that software architects and developers face every day.

    Most of us no longer have time to read a software development book from cover to cover. Therefore, we have broken this book into different technology parts; the book may thus be read in almost in any sequence according to the reader's specific interests.

    How This Book Is Organized

    The content of this book is organized into seven parts:

    Part I: Introduction

    Part I introduces the current state of the industry, business challenges, and various application security issues and strategies. It then presents the basics of security.

    Chapter 1: Security by Default

    This first chapter describes current business challenges, the weakest links of security, and critical application flaws and exploits. It introduces the security design strategies, concepts of patterns-driven security development, best practices, and reality checks. It also highlights the importance of security compliance, Identity Management, the Java platform, and Personal Identification technologies such as Smart Cards and Biometrics. In addition, this chapter presents security from a business perspective and offers recommendations for making a case for security as a business enabler that delivers specific benefits.

    Chapter 2: Basics of Security

    This chapter introduces the fundamentals of security, including the background and guiding principles of various security technologies. It also provides a high-level introduction to securing applications by using popular cryptographic techniques. In addition, it discusses basic concepts about the role of directory services and identity management in security.

    Part II: Java Security Architecture and Technologies

    Part II provides in-depth coverage and demonstration of security practices using J2SE, J2EE, J2ME, and Java Card technologies. It delves into the intricate details of Java platform security architecture and its contribution to the end-to-end security of Java-based application solutions.

    Chapter 3: The Java 2 Platform Security

    This chapter explores the inherent security features of the various Java platforms and the enabling of Java security in stand-alone Java applications, applets, Java Web start (JNLP) applications, J2ME MIDlets, and Java Card applets. It also explores how to use Java security management tools to manage keys and certificates. This chapter also discusses the importance of applying Java code obfuscation techniques.

    Chapter 4: Java Extensible Security Architecture and APIs

    This chapter provides an in-depth discussion of the Java extensible security architecture and its API framework as well as how to utilize those API implementations for building end-to-end security in Java-based application solutions. In particular, the chapter illustrates how to use Java security APIs for applying cryptographic mechanisms and public-key infrastructure, how to secure application communica*tion, and how to plug in third-party security providers in Java-based applications.

    Chapter 5: J2EE Security Architecture

    This chapter explains the J2EE security architecture and mechanisms and then illustrates how to apply them in the different application tiers and components. It features in-depth coverage of the J2EE security mechanisms applied to Web components (JSPs, Servlets, and JSFs), business components (EJBs), and integration components (JMS, JDBC, and J2EE connectors). This chapter also highlights J2EE-based Web services security and relevant technologies. In addition, it illustrates the different architectural options for designing a DMZ network topology that delivers security to J2EE applications in production.

    Part III: Web Services Security and Identity Management

    Part III concentrates on the industry-standard initiatives and technologies used to enable Web services security and identity management.

    Chapter 6: Web Services Security--Standards and Technologies

    This chapter explains the Web services architecture, its core building blocks, common Web services security threats and vulnerabilities, Web services security requirements and Web services security standards and technologies. It provides in-depth details about how to represent XML-based security using industry-standard initiatives such as XML Signature, XML Encryption, XKMS, WS-Security, SAML Profile, REL Profile and WS-I Basic Security Profile. In addition, this chapter also introduces the Java-based Web services infrastructure providers and XML-aware security appliances that facilitate support for enabling security in Web services.

    Chapter 7: Identity Management--Standards and Technologies

    This chapter provides an in-depth look at the standards and technologies essential for managing identity information. It highlights the identity management challenges and then introduces the architectural models for implementing standards-based identity management. It illustrates how to represent XML standards such as SAML, XACML and Liberty Alliance (ID-*) specifications for enabling federated identity management and identity-enabled services.

    Part IV: Security Design Methodology, Patterns, and Reality Checks

    Part IV describes a security design methodology and introduces a patterns-driven security design approach that can be adopted as part of a software design and development process.

    Chapter 8: The Alchemy of Security Design-Security Methodology, Patterns, and Reality Checks

    This chapter begins with a high-level discussion about the importance of using a security design methodology and then details a security design process for identifying and applying security practices throughout the software life cycle including architecture, design, development, deployment, production, and retirement. The chapter describes various roles and responsibilities and explains core security analysis processes required for the analysis of risks, trade-offs, effects, factors, tier options, threat profiling, and trust modeling. This chapter also introduces the security design patterns catalog and security assessment checklists that can be applied during application development to address security requirements or provide solutions.

    Part V: Design Strategies and Best Practices

    Part V presents the security patterns, strategies, and best practices categorized specific to J2EE application tiers, Web services, Identity Management, and Service Provisioning.

    Chapter 9: Securing the Web Tier--Design Strategies and Best Practices

    This chapter presents seven security patterns that pertain to designing and deploying J2EE Web-tier and presentation components such as JSPs, servlets, and other related components. Each pattern addresses a common problem associated with the Web-tier or presentation logic and describes a design solution illustrating numerous implementation strategies. It describes the results of using the pattern, highlights security factors and their associated risks when using the pattern, and demonstrates verification of pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices for securing J2EE Web components and Web-based applications.

    Chapter 10: Securing the Business Tier--Design Strategies and Best Practices

    This chapter presents seven security patterns that pertain to designing and deploying J2EE Business-tier components such as EJBs, JMS, and other related components. Each pattern addresses a set of security problems associated with the Business tier and describes a design solution illustrating numerous implementation strategies along with the results of using the pattern. It highlights security factors and associated risks of using the Business-tier security pattern and finally verifies pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices and pitfalls in securing J2EE business components.

    Chapter 11: Securing Web Services--Design Strategies and Best Practices

    This chapter presents three security patterns that pertain to designing and deploying Web services. The chapter begins with a discussion of the Web services security infrastructure and key components that contribute to security. Then it describes each pattern, addresses the security problems associated with Web services, and describes a design solution illustrating numerous implementation strategies and consequences of using the Web services pattern. It also highlights security factors and associated risks using the pattern and verifies pattern applicability using reality checks. Finally, the chapter provides a comprehensive list of best practices and pitfalls in securing Web services.

    Chapter 12: Securing the Identity-Design Strategies and Best Practices

    This chapter presents three security patterns that pertain to Identity Management. Each pattern addresses an Identity Management-specific issue, describes a design solution illustrating implementation strategies, presents the results of using the pattern, and then highlights security factors and associated risks using the pattern. Finally, the chapter verifies pattern applicability using reality checks. It also provides a comprehensive list of best practices in Identity Management.

    Chapter 13: Secure Service Provisioning--Design Strategies and Best Practices

    This chapter begins with a high-level discussion of business challenges, the scope of Service Provisioning, and the relationship of Service Provisioning to Identity Management. Then it details the process for user account provisioning and discusses various architecture and application scenarios. It presents a security pattern that applies to user account provisioning and illustrates implementation strategies and the results of using the pattern. Then it highlights security factors and associated risks involved with using the pattern and verify pattern applicability using reality checks. This chapter also introduces SPML and its relevance in Service Provisioning. Finally, the chapter provides a comprehensive list of best practices for Service Provisioning.

    Part VI: Putting It All Together

    Part VI presents a case study that illustrates a real-world security implementation scenario and describes how to put the security design process to work using the patterns and best practices.

    Chapter 14: Building an End-to-End Security Architecture--Case Study

    This chapter uses a real-world example of a Web portal that shows how to define and implement an end-to-end security solution using the security design methodology, design patterns, and best practices introduced in this book. The chapter walks through the security design process, illustrating how to analyze and identify risks, how to balance trade-offs, how to identify and apply security patterns, and how to perform factor analysis, tier analysis, threat profiling, and reality checks.

    The chapter also provides details about how to adopt a patterns-driven security design process, the pertinent do's and don'ts, and describes how to align security in different logical tiers together to deliver end-to-end security.

    Part VII: Personal Identification Using Smart Cards and Biometrics

    Part VII provides in-depth coverage on Personal Identification using Smart Cards and Biometrics. It delves into the enabling technologies, architecture, implementation strategies of using Smart Cards, Biometrics and combination of both.

    Chapter 15: Secure Personal Identification Using Smart Cards and Biometrics

    This chapter explores the concepts, technologies, architectural strategies, and best practices for implementing secure Personal Identification and authentication using Smart Cards and Biometrics. The chapter begins with a discussion of the importance of converging physical and logical access control and the role of using Smart Cards and Biometrics in Personal Identification. This chapter illustrates the architecture and implementation strategies for enabling Smart Cards and Biometrics-based authentication in J2EE-based enterprise applications, UNIX, and Windows environments as well as how to combine these in multifactor authentication. Finally, the chapter provides a comprehensive list of best practices for using Smart Cards and Biometrics in secure Personal Identification.

    Companion Web Site

    The official companion Web site for this book is www.coresecuritypatterns.com. All example illustrations found within this book can be downloaded from that site. The site will also include errata, changes, updates, and additional reading recommendations and references.

    The Prentice Hall Web site for this book is http://www.phptr.com/title/ 0131463071.

    Feedback

    The authors would like to receive reader feedback, so we encourage you to post questions using the discussion forum linked to the Web site. You can also contact the authors at their prospective email addresses. Contact information can be found at www.coresecuritypatterns.com. The Web site also includes a reader's forum for public subscription and participation. Readers may also post their questions, share their views, and discuss related topics.

    Welcome to Core Security Patterns. We hope you enjoy reading this book as much as we enjoyed writing it. We trust that you will be able to adopt the theory, concepts, techniques, and approaches that we have discussed as you design, deploy, and upgrade the security of your IT systems--and keep those systems immune from all security risks and vulnerabilities in the future.

    --Chris, Ramesh, and Ray

    www.coresecuritypatterns.com

    0131463071P09272005

    Customer Reviews

    Most Helpful Customer Reviews

    See All Customer Reviews