Domain: landsend.com
Stories and comments across the archive that link to landsend.com.
Stories · 4
-
J2EE Security
Simon P. Chappell writes "Security is not just for the paranoid anymore. There is plenty of documented evidence to show that there are people that are out to get you (and your information). Sun's J2EE framework brings a work-chest with many powerful tools in it, but with power there is always complexity, and many of these tools, especially the security-oriented tools, are under-used because of this. Pankaj Kumar's book J2EE Security is a guide to using these tools when building security into your Servlets, EJBs, web services and web applications." Read on for the rest of Chappell's review.

J2EE Security for Servlets, EJBs, and Web Services
author: Pankaj Kumar
pages: 426 (12 page index)
publisher: Prentice Hall
rating: 9
reviewer: Simon P. Chappell
ISBN: 0131402641
summary: A great combination of security primer and cookbook.

What is J2EE Security?
J2EE Security covers a very wide range of techniques and mechanisms: access control based on permissions and authentication of identity; encryption of data passing in or out of an application; and validation of presented credentials. These are the big things: needless to say, there are levels of detail below each of these three.

What do I know about J2EE Security?
More than I did when I started reading this book! In my experience, security is either bolted on at the last minute or badly implemented using home-grown techniques. As one who has seen or tried both of these approaches, I was determined to seek out the better way, so when the chance to review this book came along I jumped at it.

Overview
The first section, with chapters one and two, is "The Background." Chapter one is a security primer and should be old hat to most of the readership of Slashdot. Chapter two is a tour of the Java language strictly from a security perspective. This is interesting and very informative, even for a long-time Java programmer like me.

The second section is "The Technology," and includes chapters three through seven.
Chapter three is a discussion of cryptography with Java and would have been worth the price of the whole book for me (if I hadn't gotten it for free as a review copy)! :-) Chapter four covers PKI (Public Key Infrastructure) with Java. Managing certificates is explained, as well as the steps necessary to issue and revoke your own. Chapter five is a discussion of access control. Access control in Java is available based on the origin of the code (the applet effect), the signer of the code or the logged-in user. Chapter six concerns securing the wire. This is the use of encryption for the transmission channel, SSL in a web browser being the most obvious example, where everything served over HTTPS is encrypted. Chapter seven secures the message. This covers message encryption for those times in life when you have to use a non-encrypted transfer medium, as well as techniques for authentication, so that the message you do send can be guaranteed to be authentic and provably from you.
The third section is "The Application." Chapter eight discusses the security aspects of RMI-based applications, especially using the Java security managers. Chapter nine reviews web application security using both declarative and programmatic security, giving examples using Apache Tomcat. Chapter ten discusses EJB security, including JNDI-based client authentication, SSL and declarative access control. Chapter eleven talks about the security issues associated with web services, using the Apache Axis tool to illustrate the points. Chapter twelve is a wrap-up of the whole book.
What's To Like
The book is logically divided into chapters on each of the main aspects of security that apply to J2EE. These chapters are then located within three sections: background, technology and application. This sequence worked nicely for me, each chapter getting more detailed. This way I knew how deep I was by how far into the book I'd gotten.

The main thing that struck me about this book was that it was designed to be practical. Mr. Kumar not only explains his point and gives you example source code, but he has written a freely available security toolkit to demonstrate each of the points he makes. The Java Security Tool Kit (JSTK) is a very nice addition to the book's text. Being able to try out the concept being explained really helps. This approach takes example code to another level and I hope other authors will take note.
What's To Consider
There is almost nothing to nit-pick concerning the book, but I do have one complaint about the JSTK software. The supplied shell scripts in the bin directory all had MS-DOS end-of-lines. This prevented them running unmodified on my OS X iBook. I had to remove all of the ^M's. This may also be a problem under Linux, but I have not had an opportunity to test there yet. Once the end-of-line problem was fixed, the software worked like a charm.

Summary
A great combination of security primer and cookbook. If you're a serious crypto-freak then you probably don't need this book. If you're a regular Java programmer looking to move to the next level in your understanding and practice of security in your J2EE applications, then this is an excellent book to purchase and learn from.

Table Of Contents
1. A Security Primer
2. A Quick Tour of the Java Platform
3. Cryptography with Java
4. PKI with Java
5. Access Control
6. Securing the Wire
7. Securing the Message
8. RMI Security
9. Web Application Security
10. EJB Security
11. Web Service Security
12. Conclusions
Appendix A: Public Key Cryptography Standards
Appendix B: Standard Names - Java Cryptographic Services
Appendix C: JSTK Tools
Appendix D: Example Programs
Appendix E: Products Used For Examples
Appendix F: Standardization Bodies
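Chapter seven's point, that a message sent over an untrusted medium can be made authentic and provably from its sender, is the kind of thing the review praises the JSTK for letting you try out. The following is an added example in current Java written for this page; it is not code from the book or from Kumar's toolkit, and it uses only the JDK's java.security API. The RSA key pairs are generated in the program and the "order" text is a constructed sample message.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

/**
 * Message-level authentication with a detached digital signature.
 * The sender signs the exact bytes it transmits; the receiver verifies
 * them against the public key it already trusts for that sender.
 */
public class SignedMessageDemo {

    // Sign the message bytes with the sender's private key (RSA over a SHA-256 digest).
    public static byte[] sign(PrivateKey senderKey, byte[] message) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(senderKey);
        sig.update(message);
        return sig.sign();
    }

    // Verify that 'signature' was produced over exactly 'message' by the holder of the
    // private key matching 'senderPublicKey'. Malformed signature bytes are reported as
    // a failed verification rather than as an exception, so callers cannot mistake an
    // error path for success.
    public static boolean verify(PublicKey senderPublicKey, byte[] message, byte[] signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(senderPublicKey);
        sig.update(message);
        try {
            return sig.verify(signature);
        } catch (SignatureException malformed) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();    // the legitimate sender
        KeyPair impostor = kpg.generateKeyPair();  // someone else's key pair

        // Constructed sample message; in practice this would be the serialized request body.
        byte[] order = "transfer 100.00 to account 4711".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(sender.getPrivate(), order);
        System.out.println("signature (base64): " + Base64.getEncoder().encodeToString(signature));

        // 1. Unmodified message, verified with the sender's public key.
        System.out.println("genuine:  " + verify(sender.getPublic(), order, signature));

        // 2. Same signature, but the amount was altered in transit.
        byte[] tampered = "transfer 900.00 to account 4711".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered: " + verify(sender.getPublic(), tampered, signature));

        // 3. Unmodified message, but checked against a key that did not sign it.
        System.out.println("impostor: " + verify(impostor.getPublic(), order, signature));
    }
}
```

Compile and run with `javac SignedMessageDemo.java && java SignedMessageDemo`. Only the first check succeeds: changing a single byte of the message, or checking against a public key other than the signer's, makes verification fail. Two caveats a practitioner should keep in mind: the signature proves only that whoever holds the private key matching the public key you chose to trust signed these bytes, so the binding of that public key to a real sender has to come from somewhere else (a certificate chain, which is chapter four's PKI material); and a valid signature says nothing about freshness, so a captured signed message can be replayed unless the signed content carries a nonce or timestamp that the receiver checks.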
Simon P. Chappell would like Tim O'Reilly to call him to discuss the great Java book he's itching to write. You can purchase J2EE Security from bn.com. Slashdot welcomes readers' book reviews -- to submit a review for consideration, read the book review guidelines, then visit the submission page.
-
Java Frameworks and Components
Simon P. Chappell writes "Life is busy enough without writing your own infrastructure code. With all of the high-quality frameworks available today, it's no longer necessary to even think about writing low-level code (except as a technical exercise, or to express your inner geek :-) Our problem today is to review and select the best available framework for our needs. This is a non-trivial task, but help is at hand with Java Frameworks and Components by Michael Nash." Read on for the rest of Chappell's review.

Java Frameworks and Components: Accelerate Your Web Application Development
author: Michael Nash
pages: 477 (14 page index)
publisher: Cambridge University Press
rating: 9
reviewer: Simon P. Chappell
ISBN: 0521520592
summary: A tour de force! With only one quibble, this is the definitive work on Web Application Frameworks.

Overview
This book is a superb exploration of the current state of the web application development framework market. Both commercial and open-source/free frameworks are examined in detail.

The book works through a logical progression, starting with a discussion of what a framework is (and, of course, what it isn't) before moving on to an examination of the benefits that they bring to development efforts. The meat of the book is in the next couple of chapters, where a framework (no pun intended) is explored to select and compare frameworks. A list of current frameworks is given, each being described, with strengths and weaknesses highlighted.
The trailing chapters cover aspects of development that are affected by the use of frameworks, including the obvious ones like IDE support and methodologies.
What's To Like
The aspect that most impressed me was the depth of research that has obviously gone into this book. I think most of us know that frameworks are good, and a reasonable number of us could list several reasons why they are good, but I suspect that very few of us could generate such a comprehensive and cogent rationale for using a framework.

The information density in this book is quite high. Normally, I read technical books quite quickly, but this one took a while, because every good point prompted much thought and consideration. This was impressive to me after seeing so many books coming to the market that have simplification as their rationale for existence. The selection of an appropriate framework for web application development is not a simple task and this book takes it very seriously.
While non-free frameworks might be a non-issue for some of the Slashdot crowd, those of us working in corporate I.S. have to be very aware of the differences and our local management's attitudes concerning it. The book does come out strongly in favour of open-source and free software, but does not let this bind the discussion in any way. Commercial and free software are judged equally and fairly throughout.
Pragmatic is a much over-used word these days, but I would describe this book as pragmatic. The advice given concerning framework selection urged people to consider many factors, including existing frameworks used in-house, the type of project, and the degree of accordance between the services provided by the framework and the requirements for the system being written. I have seen many a framework selected because it was buzzword compliant, so this advice was a refreshing change.
What's To Consider
After enjoying the book, to reach the case studies and be disappointed was, well, disappointing. The case studies seemed rushed and lacking in substance. The idea of comparing and contrasting the four leading frameworks to solve the same problem was a good one, but somehow it didn't quite come off. The Struts case study got to me the most: I have conniptions every time I see business logic in actions! Perhaps the case studies could be dropped in a future edition?
Summary
A tour de force! With only one quibble, this is the definitive work on Web application frameworks.
Table Of Contents
1. Components and Application Frameworks
2. Components: The Future of Web-Application Development
3. Application Frameworks: What Do They Provide and What Are the Benefits?
4. Choosing an Application Framework
5. A Catalog of Application Frameworks
6. Comparing Frameworks
7. Open Source and Components/Frameworks
8. Development Methodologies and Design Patterns
9. Integrated Development Environments
10. Strategies for Using Frameworks: Best Practices
11. Conclusions: The Future of Frameworks and Components
Appendix. Case Studies
You can purchase Java Frameworks and Components: Accelerate Your Web Application Development from bn.com.
-
Code Generation in Action
Simon P. Chappell writes "Now, I enjoy a good technical book more than the next geek, but it's been quite a while since one left me quite so excited with the possibilities that it presented. Code Generation in Action is beyond interesting, it is a masterful tome on its subject matter, written by one who is obviously an experienced practitioner in his craft." If "code generation" isn't a familiar term to you, this enthusiastic overview on devx.com is a concise introduction to what code generation is about, though it makes no pretense of ambivalence about its importance as a programming tool. Read on for the rest of Chappell's review.

Code Generation in Action
author: Jack Herrington
pages: 342 (10 page index)
publisher: Manning
rating: 9
reviewer: Simon P. Chappell
ISBN: 1930110979
summary: A masterful tome.
Overview
Code Generation in Action, CGiA to its friends, is presented in two parts. The first part is four chapters, and covers a code generation case study and the basic principles of code generation, including the different types of code generation strategies together with reasons why you would or would not use each strategy. The book's chosen toolset for building generators is presented next, and then some walk-through examples of building simple generators wrap up the first part.

The second part is a kind of a cross between a cookbook and a list of engineering solutions. There are nine chapters, with the breadth of solutions covered being quite impressive, covering the gamut of generation of user interfaces, documentation, unit tests and data access code. Each chapter presents a couple of solutions within its topic area, often for different technologies within that topic. For example, the user interface chapter covers the generation of JavaServer Pages, Swing dialog boxes and then Microsoft MFC dialog boxes. No favouritism here!
What's To Like
There's a lot to like with this book. The writing is very clear and the prose is good. I found the introduction to be very compelling, and I felt completely drawn in by the opening case study. The four chapters of part one are a concise case for code generation, and would be very useful information to help persuade co-workers and management of the positive risk/benefit ratio of trying code generation on a live project.

It would be impossible to try enough of any solution from part two in a time-frame short enough to make this review useful, but in the solutions that match my areas of knowledge, I found myself admiring Herrington's straightforward and pragmatic approach.
What's To Consider
There are two aspects of this book that I want to flag. One of these aspects some will love and others will hate: the choice of generator language for CGiA. The author has chosen to use Ruby as his working language. This is an interesting choice. Ruby is certainly a language that is inspiring a lot of admiration these days (in fact, it's hard to get Dave Thomas to stop talking about it :-), but with the majority of the code-generation examples being for Java-related technologies, I wonder why Java was not selected instead.

I also found myself wondering about the lack of discussion of how to integrate these Ruby tools into a typical Java build process. Many developers I know use ant to bring automation and consistency to their builds, yet the book doesn't mention this. (JRuby anyone?) Certainly something to consider for the second edition or future code-generation authors.
Summary
This is a masterful tome that inspires and delights, although the two issues raised above did cost it a perfect score of ten.
Table Of Contents
- Code generation fundamentals
  - Overview
  - Code generation basics
  - Code generation tools
  - Building simple generators
- Code generation solutions
  - Generating user interfaces
  - Generating documentation
  - Generating unit tests
  - Embedding SQL with generators
  - Handling data
  - Creating database access generators
  - Generating web services layers
  - Generating business logic
  - More generator ideas
You can purchase Code Generation in Action from bn.com.
-
Struts Kick Start
Simon P. Chappell writes "I started learning how to use the Struts framework late in 2001, after I became fed up with hacking web applications together with the digital equivalent of "Duct-tape Engineering". At that time there were no books available for the budding Struts developer; "Read The Fine Manual" was not an option ... you read the website, you read the code or you asked questions on the mailing list. This situation finally changed this fall with the release of a flurry of titles dedicated to Struts. I present here my thoughts on one of the latest: "Struts Kick Start"." The rest of Simon's review follows.

Struts Kick Start
author: James Turner and Kevin Bedell
pages: 481 (29 page index)
publisher: Sams
rating: 9
reviewer: Simon P. Chappell
ISBN: 0672324725
summary: You need this book
What is Struts?
Struts is a framework for developing web applications. It is a distillation of the current set of known best practices into a working code set that can be extended to meet almost any web application requirements. It is part of the Jakarta Project at the Apache Software Foundation.
What do I know about Struts?
I have been developing web applications, using Java, for four years and using Struts for over a year, and am a regular participant on the Struts mailing list. I was also a technical reviewer for one of the other Struts books released this fall and was recently invited to speak at the University of Wisconsin, Eau Claire on the use of Struts.
What's good about this book?
There are many excellent things that I could point to. I particularly like the obvious depth of research that accompanies this book. There is a very interesting history of the development of the MVC design pattern and they even name the inventor. Do you know who invented MVC? If you want to know, buy the book! The chapters cover everything that you will need to know, in the order you are most likely to need to know it. There's even a chapter explaining the "struts-config.xml" file's DTD! (You may want to skip that on the first few readings :-)

There is good coverage of the Struts taglibs. I see a lot of questions about these on the mailing lists, so this information is very timely and it looks very well explained.
I like the coverage of other open source tools that work well with Struts. This is an important point because Struts does not do everything for you (by design), so there will be areas that will benefit from other tools. I'm looking forward to trying out some of their recommendations and easing my own Struts development lifecycles.
What's not so good?
Just one niggle, and it's more of a programming style issue, but in their example code they have references to their business objects. They explain that it is important to separate out business logic from action logic, which it is, but then proceed to use their business object within the action.

Now, I realise that example code is not the same thing as robust, production-ready code, but when people are first learning a language or framework, they tend to copy exactly what they see in the book they are learning from. Even though example code should be light on error checking, it should be heavy on correctness and good style.
Should you rush out and buy it?
If you are about to use Struts on a project, are new to Struts and need dead-tree documentation for those RTFM moments, or are evaluating Struts for future projects, then you absolutely need this book.

If you are an intermediate Struts user, then this book would still be very useful to you and I can certainly recommend it.
If you are an experienced Struts user, then you've almost certainly exchanged emails with James or Kevin, on the Struts mailing list, so you can make your own mind up!
Table of Contents
- Struts in Context
- The Model-View-Controller Design Pattern
- Hello World!
- HTTP Protocol
- JSP, Taglibs and JSTL
- The Sample Application
- View Components
- The Controller
- Model Components
- The struts-config.xml File
- How the Struts Tag Libraries Work
- Struts HTML Tags
- Struts Bean Tags
- Struts Logic Tags
- The Nested and Template Struts Tag Libraries
- The Struts Tiles Tag Library
- DynaForms and the Validator
- Using Struts with Enterprise Java Beans
- Using Struts with Web Services
- Building, Deploying and Testing Struts Applications
You can purchase Struts Kick Start from bn.com.