For Servlets, EJBs, and Web Services,
by Pankaj Kumar, ISBN 0-13-140264-1
Hall PTR, go
to the web site
PC running Windows or Linux, J2SE 1.4.x, Apache Tomcat
4.x, Apache Axis 1.x, BEA Weblogic 7.x, Apache Ant, Verisign's
TSK 1.7, Infomosaic's SecureXML
System security is something that everyone hopes
will be perfect but usually has holes to be patched.
The security holes, usually not created by original
design intent, are more than likely the consequence
of design flaws or limitations. Transmission of data
in plain text format, for example, opens the possibility
of interception by anyone on the network. Some security
holes are the actual functionality of the system,
but are exploited by hackers to their advantage.
For example, the so-called Denial of Access exploit
is the bombardment of legitimate service with noise
that normal service cannot cope with. In the current
explosion of Internet usage, the number of security
attacks is increasing in various forms.
The majority of this book is devoted to the Java
security. It discusses the handling of data using
cryptography, digital certificates, XML signature
and encryption; access to data using login mechanisms
and policy files; transmission of data using SSL,
RMI transport SSL. EJB discussion is very brief and
mostly explains only the EJB concepts. Perhaps the
EJB design is secure enough, but further discussion
of security enhancement to the common EJB design
will be helpful. The discussion of Web Services,
however, is very good.
Unlike traditional programming books, there are very few
examples printed in the book. Instead, a rich collection
of test files are organized under the source directory
of the downloaded files. The sample codes are individual
Java programs with their own main() method for separate
compilation and execution. Coupled with the descriptions
in the book, the sample files serve as useful illustrations
of the main concepts in the book. This style works very
well for this book because this is a book on special topics
for Java developers.
The meat of this book is the toolkit, called JSTK, developed
by the author. It can be downloaded from the author's web
site and comes with an open source license. The source
codes for the examples in the book are part of the JSTK
zip file. Unfortunately, the most important examples in
chapter 6 are missing in the downloaded files. Based on
the codes printed in the book, the EchoServer will not
run. I think the problem lies in the code SSLServerSocketFactory.getDefault(),
which will return null on regular systems.
Although this book is titled J2EE, its discussion is broader
and merits a recommendation to anyone who wants more information
about system security and vulnerabilities with Java solutions.
Most of the discussions are very clear and easy to follow.
Although there are tensions where source codes and scripts
are not found in the downloaded files, plus the fact that
some examples don't run, this book is still a good source
for Java security. Based on the discussions in the author's
forums, maintenance release of the source codes may be
available soon. If that happens, this book will be the
perfect reference work for Java professionals.
Letters to the Editor are welcome and occasionally abused in public. Send e-mail to: email@example.com