9780133119763

Praise for Core Security Patterns "Java provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patternsaddresses both aspects of security and will be a guide to developers everywhere in creating more secure applications." --Whitfield Diffie, inventor of Public-Key Cryptography "A comprehensive book on Security Patterns, which are critical for secure programming." --Li Gong, former Chief Java Security Architect, Sun Microsystems, and coauthor of Inside Java 2 Platform Security "As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts." --Joe Uniejewski, Chief Technology Officer and Senior Vice President, RSA Security, Inc. "This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry." --Judy Lin, Executive Vice President, VeriSign, Inc. " Core Security Patternsprovides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indispensable security reference by their side." --Bill Hamilton, author of ADO.NET Cookbook, ADO.NET in a Nutshell, and NUnit Pocket Reference "As a trusted advisor, this book will serve as a Java developer"s security handbook, providing applied patterns and design strategies for securing Java applications." --Shaheen Nasirudheen, CISSP,Senior Technology Officer, JPMorgan Chase "Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors" strong security experience, they created a must-have book for any designer/developer looking to create secure applications." --John Crupi, Distinguished Engineer, Sun Microsystems, coauthor of Core J2EE Patterns Core Security Patternsis the hands-on practitioner"s guide to building robust end-to-end security into J2EE" enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today"s best practices for security in large-scale, industrial-strength applications. The authors explain the fundamentals of Java application security from the ground up, then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and twenty-three proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code. They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME" applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using Smart Cards and Biometrics. Core Security Patternscovers all of the following, and more: What works and what doesn"t: J2EE application-security best practices, and common pitfalls to avoid Implementing key Java platform security features in real-world applications Establishing Web Services security using XML Signature, XML Encryption, WS-Security, XKMS, and WS-I Basic security profile Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML Designing secure personal identification solutions using Smart Cards and Biometrics Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications

Christopher Steel, CISSP, ISSAP, is the President and CEO of FortMoon Consulting and was recently the Chief Architect on the U.S. Treasury's Pay.gov project. He has over fifteen years experience in distributed enterprise computing with a strong focus on application security, patterns, and methodologies. He presents regularly at local and industry conferences on security-related topics.

Ramesh Nagappan is a Java Technology Architect at Sun Microsystems. With extensive industry experience, he specializes in Java distributed computing and security architectures for mission-critical applications. Previously he coauthored three best-selling books on J2EE, EAI, and Web Services. He is an active contributor to open source applications and industry-standard initiatives, and frequently speaks at industry conferences related to Java, XML, and Security.

Ray Lai, Principal Engineer at Sun Microsystems, has developed and architected enterprise applications and Web services solutions for leading multinational companies ranging from HSBC and Visa to American Express and DHL. He is author of J2EE Platform Web Services (Prentice Hall, 2004).

Foreword by Judy Lin.

Foreword by Joe Uniejewski.

Preface.

Acknowledgments.

About the Authors.

I. INTRODUCTION.

1. Security by Default.

Business Challenges Around Security

What Are the Weakest Links?

The Impact of Application Security

The Four W's

Strategies for Building Robust Security

Proactive and Reactive Security

The Importance of Security Compliance

The Importance of Identity Management

The Importance of Java Technology

Making Security a "Business Enabler"

Summary

References

2. Basics of Security.

Security Requirements and Goals

The Role of Cryptography in Security

The Role of Secure Sockets Layer (SSL)

The Importance and Role of LDAP in Security

Common Challenges in Cryptography

Threat Modeling

Identity Management

Summary

References

II. JAVA SECURITY ARCHITECTURE AND TECHNOLOGIES.

3. The Java 2 Platform Security.

Java Security Architecture

Java Applet Security

Java Web Start Security

Java Security Management Tools

J2ME Security Architecture

Java Card Security Architecture

Securing the Java Code

Summary

References

4. Java Extensible Security Architecture and APIs.

Java Extensible Security Architecture

Java Cryptography Architecture (JCA)

Java Cryptographic Extensions (JCE)

Java Certification Path API (CertPath)

Java Secure Socket Extension (JSSE)

Java Authentication and Authorization Service (JAAS)

Java Generic Secure Services API (JGSS)

Simple Authentication and Security Layer (SASL)

Summary

References

5. J2EE Security Architecture.

J2EE Architecture and Its Logical Tiers

J2EE Security Definitions

J2EE Security Infrastructure

J2EE Container-Based Security

J2EE Component/Tier-Level Security

J2EE Client Security

EJB Tier or Business Component Security

EIS Integration Tier-Overview

J2EE Architecture--Network Topology

J2EE Web Services Security-Overview

Summary

References

III. WEB SERVICES SECURITY AND IDENTITY MANAGEMENT.

6. Web Services Security--Standards and Technologies.

Web Services Architecture and Its Building Blocks

Web Services Security--Core Issues

Web Services Security Requirements

Web Services Security Standards

XML Signature

XML Encryption

XML Key Management System (XKMS)

OASIS Web Services Security (WS-Security)

WS-I Basic Security Profile

Java-Based Web Services Security Providers

XML-Aware Security Appliances

Summary

References

7. Identity Management Standards and Technologies.

Identity Management--Core Issues

Understanding Network Identity and Federated Identity

Introduction to SAML

SAML Architecture

SAML Usage Scenarios

The Role of SAML in J2EE-Based Applications and Web Services

Introduction to Liberty Alliance and Their Objectives

Liberty Alliance Architecture

Liberty Usage Scenarios

The Nirvana of Access Control and Policy Management

Introduction to XACML

XACML Data Flow and Architecture

XACML Usage Scenarios

Summary

References

IV. SECURITY DESIGN METHODOLOGY, PATTERNS, AND REALITY CHECKS.

8. The Alchemy of Security Design--Methodology, Patterns, and Reality Checks.

The Rationale

Secure UP

Security Patterns

Security Patterns for J2EE, Web Services, Identity Management, and Service Provisioning

Reality Checks

Security Testing

Adopting a Security Framework

Refactoring Security Design

Service Continuity and Recovery

Conclusion

References

V. DESIGN STRATEGIES AND BEST PRACTICES.

9. Securing the Web Tier--Design Strategies and Best Practices.

Web-Tier Security Patterns

Best Practices and Pitfalls

References

10. Securing the Business Tier--Design Strategies and Best Practices.

Security Considerations in the Business Tier

Business Tier Security Patterns

Best Practices and Pitfalls

References

11. Securing Web Services--Design Strategies and Best Practices.

Web Services Security Protocols Stack

Web Services Security Infrastructure

Web Services Security Patterns

Best Practices and Pitfalls

Best Practices

References

12. Securing the Identity--Design Strategies and Best Practices.

Identity Management Security Patterns

Best Practices and Pitfalls

References

13. Secure Service Provisioning--Design Strategies and Best Practices.

Business Challenges

User Account Provisioning Architecture

Introduction to SPML

Service Provisioning Security Pattern

Best Practices and Pitfalls

Summary

References

VI. PUTTING IT ALL TOGETHER.

14. Building End-to-End Security Architecture--A Case Study.

Overview

Use Case Scenarios

Application Architecture

Security Architecture

Design

Development

Testing

Deployment

Summary

Lessons Learned

Pitfalls

Conclusion

References

VII. PERSONAL IDENTIFICATION USING SMART CARDS AND BIOMETRICS.

15. Secure Personal Identification Strategies Using Smart Cards and Biometrics.

Physical and Logical Access Control

Enabling Technologies

Smart Card-Based Identification and Authentication

Biometric Identification and Authentication

Multi-factor Authentication Using Smart Cards and Biometrics

Best Practices and Pitfalls

References

Index.

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Amazon no longer offers textbook rentals. We do!

Core Security Patterns Best Practices and Strategies for J2EE, Web Services, and Identity Management

Core Security Patterns Best Practices and Strategies for J2EE, Web Services, and Identity Management

0133119769

Summary

Author Biography

Table of Contents

Supplemental Materials

Write a Review