J2EE Security for Servlets, EJBs, and Web Services
by Pankaj Kumar, ISBN 0-13-140264-1
Reviewed by: Songmuh Jong
Published by: Prentice Hall PTR
Requires: Any PC running Windows or Linux, J2SE 1.4.x, Apache Tomcat 4.x, Apache Axis 1.x, BEA Weblogic 7.x, Apache Ant, Verisign's TSK 1.7, Infomosaic's SecureXML
MSRP: $44.95
System security is something everyone hopes will be perfect, but it usually has holes that need to be patched. These holes are rarely part of the original design intent; more often they are the consequence of design flaws or limitations. Transmitting data in plain text, for example, opens the possibility of interception by anyone on the network. Other security holes are actual functionality of the system that attackers turn to their advantage. For example, the so-called Denial of Access exploit bombards a legitimate service with more noise than normal service can cope with. With the current explosion of Internet usage, security attacks are increasing both in number and in variety.
The majority of this book is devoted to Java security. It discusses handling data with cryptography, digital certificates, and XML signature and encryption; controlling access to data with login mechanisms and policy files; and transmitting data with SSL, including SSL for RMI transport. The EJB discussion is very brief and mostly explains only the EJB concepts. Perhaps the EJB design is secure enough, but further discussion of security enhancements to common EJB designs would be helpful. The discussion of Web Services, however, is very good.
Unlike traditional programming books, this one prints very few examples. Instead, a rich collection of test files is organized under the source directory of the downloaded files. The samples are individual Java programs, each with its own main() method, so they can be compiled and run separately. Coupled with the descriptions in the book, the sample files serve as useful illustrations of the book's main concepts. This style works very well here because this is a book on specialized topics for Java developers.
The meat of this book is the toolkit, called JSTK, developed by the author. It can be downloaded from the author's web site and comes with an open source license. The source code for the examples in the book is part of the JSTK zip file. Unfortunately, the most important examples in chapter 6 are missing from the downloaded files. Based on the code printed in the book, the EchoServer will not run. I think the problem lies in the call SSLServerSocketFactory.getDefault(), which will return null on regular systems.
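As an added illustration of the kind of EchoServer the chapter describes (this is example code written for this review page, not code from the book or from the JSTK distribution): the server checks up front whether the JVM has been given a keystore through the standard JSSE system properties, because the default SSLServerSocketFactory has no server key to present unless those properties are set. It assumes a modern JDK (try-with-resources); the port number 8443 is a constructed value.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.Socket;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Minimal TLS echo server with a pre-flight check of the default factory's key material. */
public class CheckedEchoServer {
    static final int PORT = 8443; // constructed value for this example

    /** Returns null when a readable keystore is configured via the standard JSSE
     *  properties, otherwise a message saying what is missing. Without a key the
     *  default factory still builds sockets, but no client handshake can succeed. */
    static String preflight() {
        String ks = System.getProperty("javax.net.ssl.keyStore");
        if (ks == null || ks.isEmpty()) {
            return "javax.net.ssl.keyStore is not set; start the JVM with "
                 + "-Djavax.net.ssl.keyStore=<path> -Djavax.net.ssl.keyStorePassword=<pw>";
        }
        if (!new File(ks).canRead()) {
            return "keystore " + ks + " is not readable";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String problem = preflight();
        if (problem != null) {
            System.err.println("Refusing to start: " + problem);
            System.exit(1);
        }
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(PORT)) {
            System.out.println("Echoing on port " + PORT);
            while (true) {
                try (Socket s = server.accept();
                     BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
                     PrintWriter out = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), "UTF-8"), true)) {
                    String line;
                    while ((line = in.readLine()) != null) {
                        out.println(line); // echo back; the TLS handshake runs on the first read
                    }
                } catch (SSLException e) {
                    System.err.println("TLS error on connection: " + e.getMessage());
                }
            }
        }
    }
}
```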
Although this book is titled J2EE, its discussion is broader and merits a recommendation to anyone who wants more information about system security and vulnerabilities with Java solutions. Most of the discussions are very clear and easy to follow. Although there are frustrations where source code and scripts are not found in the downloaded files, and some examples do not run, this book is still a good source on Java security. Based on the discussions in the author's forums, a maintenance release of the source code may be available soon. If that happens, this book will be the perfect reference work for Java professionals.