Slashdot Mirror

← Back to Stories (view on slashdot.org)

J2EE Security

Posted by timothy on from the locking-things-down dept.

Simon P. Chappell writes "Security is not just for the paranoid anymore. There is plenty of documented evidence to show that there are people that are out to get you (and your information). Sun's J2EE framework brings a work-chest with many powerful tools in it, but with power there is always complexity, and many of these tools, especially the security-oriented tools, are under-used because of this. Pankaj Kumar's book J2EE Security is a guide to using these tools when building security into your Servlets, EJBs, web services and web applications." Read on for the rest of Chappell's review. J2EE Security for Servlets, EJBs, and Web Services author Pankaj Kumar pages 426 (12 page index) publisher Prentice Hall rating 9 reviewer Simon P. Chappell ISBN 0131402641 summary A great combination of security primer and cookbook. What is J2EE Security? J2EE Security covers a very wide range of techniques and mechanisms: Access control based on permissions and authentication of identity; encryption of data passing in or out of an application; and validation of presented credentials. These are the big things: needless to say, there are levels of detail below each of these three. What do I know about J2EE Security? More than I did when I started reading this book! In my experience, security is either bolted on at the last minute or badly implemented using home-grown techniques. As one who has seen or tried both of these approaches, I was determined to seek out the better way, so when the chance to review this book came along I jumped at it. Overview The first section, with chapter one and two, is "The Background." Chapter one is a security primer and should be old hat to most of the readership of Slashdot. Chapter two is a tour of the Java language strictly from a security perspective. This is interesting and very informative, even for a long-time Java programmer like me.

The second section is "The Technology," and includes chapters three through seven. Chapter three is a discussion of cryptography with Java and would have been worth the price of the whole book for me if (I hadn't have gotten it for free as a review copy)! :-) Chapter four covers PKI (Public Key Infrastructure) with Java. Managing certificates is explained as well as the steps necessary to issue and revoke your own. Chapter five is a discussion of access control. Access control in Java is available based on the origin of the code (the applet effect), the signer of the code or the logged-in user. Chapter six concerns securing the wire. This is the use of encryption for the transmission channel, SSL in a web browser being the most obvious example, where everything served over HTTPS is encrypted. Chapter seven secures the message. This covers message encryption for those times in life where you have to use a non-encrypted transfer medium as well as techniques for authentication, so that the message you do send can be guaranteed to be authentic and provably from you.

The third section is "The Application." Chapter eight discusses the security aspects of RMI based applications, especially using the Java security managers. Chapter nine reviews web application security using both declarative and programmatic security, giving examples using Apache Tomcat.Chapter ten discusses EJB security, including JNDI-based client authentication, SSL and declarative access control. Chapter eleven talks about the security issues associated with web services using the Apache Axis tool to illustrate the points. Chapter twelve is a wrap up of the whole book.

What's To Like The book is logically divided into chapters on each of the main aspects of security that apply to J2EE. These chapters are then located within three sections: background, technology and application. This sequence worked nicely for me, each chapter getting more detailed. This way I knew how deep I was by how far into the book I'd gotten.

The main thing that struck me about this book was that it was designed to be practical. Mr. Kumar not only explains his point and gives you example source code, but he has written a freely available security toolkit, to demonstrate each of the points he makes. The Java Security Tool Kit (JSTK) is a very nice addition to the book's text. Being able to try out the concept being explained really helps. This approach takes example code to another level and I hope other authors will take note.

What's To Consider There is almost nothing to nit-pick concerning the book, but I do have one complaint about the JSTK software. The supplied shell scripts in the bin directory all had MS-DOS end-of-lines. This prevented them running unmodified on my OS X iBook. I had to remove all of the ^M's. This may also be a problem under Linux, but I have not had an opportunity to test there yet. Once the end-of-line problem was fixed, the software worked like a charm. Summary A great combination of security primer and cookbook. If you're a serious crypto-freak then you probably don't need this book. If you're a regular Java programmer looking to move to the next level in your understanding and practice of security in your J2EE applications, then this is an excellent book to purchase and learn from. Table Of Contents

1. A Security Primer
2. A Quick Tour of the Java Platform
3. Cryptography with Java
4. PKI with Java
5. Access Control
6. Securing the Wire
7. Securing the Message
8. RMI Security
9. Web Application Security
10. EJB Security
11. Web Service Security
12. Conclusions
Appendix A: Public Key Cryptography Standards
Appendix B: Standard Names - Java Cryptographic Services
Appendix C: JSTK Tools
Appendix D: Example Programs
Appendix E: Products Used For Examples Appendix F: Standardization Bodies

Simon P. Chappel would like Tim O'Reilly to call him to discuss the great Java book he's itching to write. You can purchase J2EE Security from bn.com. Slashdot welcomes readers' book reviews -- to submit a review for consideration, read the book review guidelines, then visit the submission page.

8 of 66 comments (clear)

  1. Someone's going to say it, dos2unix by ebuck · · Score: 5, Informative

    Although the author did a great review, it's a shame he added in a CR/LF gripe.

    For those who may be unfamiliar with file conversion issues, here's (only a few) ways to convert DOS text files.

    For Linux, there's dos2unix.
    For MacOSX, there's native2ascii (Haven't used it personally, but is reported to work)
    Also dos2unix has been ported to MacOSX, see http://www.osxgnu.org/software/Fileutils/Unix2Dos/

    And I'm not including several dozen awk scripts, perl commands, shell scripts, etc. to do the same thing.

  2. How about by Anonymous Coward · · Score: 0, Informative

    sed `s/^M$//`

  3. Sample chapter download by iksrazal_br · · Score: 5, Informative
    http://www.j2ee-security.net/book/sample-chap/

    This chapter is for Web Services Security using XML Encryption and XML digital signatures.

    iksrazal

  4. Another good book on the subject... by JohnnyCannuk · · Score: 4, Informative

    ...is "Hacking Exposed - J2EE and Java" from Osborne by Art Taylor, Brian Buege and Randy Layman. It's a really good overview of security in Java, from cryptography, code-signing, sealing jar files, byte code obfuscation etc. It runs the gambit from standalone code hacking, through the client-server tier and on to the J2EE and Web tiers. It has lots of good, reusable code samples too.

    I highly reccomend it and it's a great "how to" companion to O'Reilly's Java Security by Scott Oaks.

    --
    Never by hatred has hatred been appeased, only by kindness - the Buddha
  5. Plain text passwords in web.xml by GreggBert · · Score: 4, Informative
    The number of J2EE applications that are out there with plain text passwords (database, application and otherwise) in their web.xml is just staggering. I think that's the first place many J2EE developers need to start looking when thinking about shoring up their security holes.

    If I see one more book on server side Java that has example web.xml web app configuration files with plain text passwords, I'm going to go postal.

    --


    If you don't understand anything I post, please accept that I ate paste as a small boy...
    1. Re:Plain text passwords in web.xml by evac · · Score: 2, Informative

      It can be done. The decryption of the password should take place outside the server itself, using a physically secure encryption device such as an Atalla or Futurex box. An organization should also have solid key management policies and procedures in place (dual-control/split-knowledge/etc) to keep your master key safe - otherwise the PSD don't really add any value.

    2. Re:Plain text passwords in web.xml by ebuck · · Score: 3, Informative

      You use JAAS, and back the passwords to an authenticating service.

      Depending on your choice, the authenticating service can be: /etc/passwd
      a different passwd file not in /etc
      a shadow password file
      a NIS setup
      a Windows Domain controller
      a kerberos setup
      and many many more...

      JAAS is not simple to setup and it's documentation isn't written for the people who need it the most. Homebrew encryption is easy to break, so people don't bother encrypting. These factors play a big role in the number of plain text password files.

  6. Java security documentation by Anonymous Coward · · Score: 1, Informative


    http://www.cgisecurity.com/development/java.shtml