Jaworski, a professional Java developer, gives readers a practical, hands-on book that contains concise descriptions of security theory, complete secure applications, and thousands of lines of proven, real-world, commercial-quality code. Web site features security documentation and sample security policies, as well as code from the book.
One of Java's most striking claims is that it provides a secure programming environment. Yet despite endless discussion, few people understand precisely what Java's claims mean and how it backs up those claims. If you're a developer, network administrator or anyone else who must understand or work with Java's security mechanisms, Java Security is the in-depth exploration you need.Java Security, 2nd Edition, focuses on the basic platform features of Java that provide security--the class loader, the bytecode verifier, and the security manager--and recent additions to Java that enhance this security model: digital signatures, security providers, and the access controller. The book covers the security model of Java 2, Version 1.3, which is significantly different from that of Java 1.1. It has extensive coverage of the two new important security APIs: JAAS (Java Authentication and Authorization Service) and JSSE (Java Secure Sockets Extension). Java Security, 2nd Edition, will give you a clear understanding of the architecture of Java's security model and how to use that model in both programming and administration.The book is intended primarily for programmers who want to write secure Java applications. However, it is also an excellent resource for system and network administrators who are interested in Java security, particularly those who are interested in assessing the risk of using Java and need to understand how the security model works in order to assess whether or not Java meets their security needs.
* Provides practical solutions, not just principles of security. * Offers an in depth toolkit to the reader and explains how to use the tools to build a secure system. * Introduces concepts of security patterns for designing systems, as well as security building blocks for systems. * Discusses algorithms, cryptography and architecture. * Addresse security for different application servers.
This is a practical guide to building a secure enterprise infrastructure with J2SE and J2EE technologies. This text explains how J2SE and J2EE security architectures relate to each other, and also covers the security aspects of servlets, JSP and EJB.
Do you know where browser is pointing?. The Java security model. Serious holes in the security model. Malicious applets. Antidotes and guidelines for Java users. Tomorrow's Java security. Java security. Cert alerts. References. Index.
This book is a comprehensive presentation of embedded Java security. It is compared with the security model of the Java 2 Standard Edition in order to view the impact of limited resources on security. No other book specifically addresses the topic of embedded Java security. Furthermore, the book provides hints and suggestions as ways for hardening security, and offers researchers and practitioners alike a broader and deeper understanding of the issues involved in embedded Java security, and – as a larger view - mobile devices security. The author is a well-known authority and expert in mobile computing and embedded devices.
For a long time, there has been a need for a practical, down-to-earth developers book for the Java Cryptography Extension. I am very happy to see there is now a book that can answer many of the technical questions that developers, managers, and researchers have about such a critical topic. I am sure that this book will contribute greatly to the success of securing Java applications and deployments for e-business. --Anthony Nadalin, Java Security Lead Architect, IBMFor many Java developers and software engineers, cryptography is an "on-demand" programming exercise, where cryptographic concepts are shelved until the next project requires renewed focus. But considerations for cryptography must be made early on in the design process and it's imperative that developers know what kinds of solutions exist. One of Java's solutions to help bridge the gap between academic research and real-world problem solving comes in the form of a well-defined architecture for implementing cryptographic solutions. However, to use the architecture and its extensions, it is important to recognize the pros and cons of different cryptographic algorithms and to know how to implement various devices like key agreements, digital signatures, and message digests, to name a few.In Java Cryptography Extensions (JCE), cryptography is discussed at the level that developers need to know to work with the JCE and with their own applications but that doesn't overwhelm by packing in details unimportant to the busy professional. The JCE is explored using numerous code examples and instructional detail, with clearly presented sections on each aspect of the Java library. An online open-source cryptography toolkit and the code for all of the examples further reinforces the concepts covered within the book. No other resource presents so concisely or effectively the exact material needed to begin utilizing the JCE. - Written by a seasoned veteran of both cryptography and server-side programming - Covers the architecture of the JCE, symmetric ciphers, asymmetric ciphers, message digests, message authentication codes, digital signatures, and managing keys and certificates
As Java emerges as the standard platform for Internet programming, the ability to securely move its code around is imperative for application security in large-scale e-commerce and e-business sites - many of which have suffered a recent spate of hacker attacks. Security is one of the key features of the Java language architecture, giving its users confidence in downloading code across networks.
Spring Security in Action shows you how to prevent cross-site scripting and request forgery attacks before they do damage. You’ll start with the basics, simulating password upgrades and adding multiple types of authorization. As your skills grow, you'll adapt Spring Security to new architectures and create advanced OAuth2 configurations. By the time you're done, you'll have a customized Spring Security configuration that protects against threats both common and extraordinary. Summary While creating secure applications is critically important, it can also be tedious and time-consuming to stitch together the required collection of tools. For Java developers, the powerful Spring Security framework makes it easy for you to bake security into your software from the very beginning. Filled with code samples and practical examples, Spring Security in Action teaches you how to secure your apps from the most common threats, ranging from injection attacks to lackluster monitoring. In it, you'll learn how to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications. About the technology Security is non-negotiable. You rely on Spring applications to transmit data, verify credentials, and prevent attacks. Adopting "secure by design" principles will protect your network from data theft and unauthorized intrusions. About the book Spring Security in Action shows you how to prevent cross-site scripting and request forgery attacks before they do damage. You’ll start with the basics, simulating password upgrades and adding multiple types of authorization. As your skills grow, you'll adapt Spring Security to new architectures and create advanced OAuth2 configurations. By the time you're done, you'll have a customized Spring Security configuration that protects against threats both common and extraordinary. What's inside Encoding passwords and authenticating users Securing endpoints Automating security testing Setting up a standalone authorization server About the reader For experienced Java and Spring developers. About the author Laurentiu Spilca is a dedicated development lead and trainer at Endava, with over ten years of Java experience. Table of Contents PART 1 - FIRST STEPS 1 Security Today 2 Hello Spring Security PART 2 - IMPLEMENTATION 3 Managing users 4 Dealing with passwords 5 Implementing authentication 6 Hands-on: A small secured web application 7 Configuring authorization: Restricting access 8 Configuring authorization: Applying restrictions 9 Implementing filters 10 Applying CSRF protection and CORS 11 Hands-on: A separation of responsibilities 12 How does OAuth 2 work? 13 OAuth 2: Implementing the authorization server 14 OAuth 2: Implementing the resource server 15 OAuth 2: Using JWT and cryptographic signatures 16 Global method security: Pre- and postauthorizations 17 Global method security: Pre- and postfiltering 18 Hands-on: An OAuth 2 application 19 Spring Security for reactive apps 20 Spring Security testing
"In the Java world, security is not viewed as an add-on a feature. It is a pervasive way of thinking. Those who forget to think in a secure mindset end up in trouble. But just because the facilities are there doesn't mean that security is assured automatically. A set of standard practices has evolved over the years. The Secure(R) Coding(R) Standard for Java(TM) is a compendium of these practices. These are not theoretical research papers or product marketing blurbs. This is all serious, mission-critical, battle-tested, enterprise-scale stuff." --James A. Gosling, Father of the Java Programming Language An essential element of secure coding in the Java programming language is a well-documented and enforceable coding standard. Coding standards encourage programmers to follow a uniform set of rules determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes). The CERT(R) Oracle(R) Secure Coding Standard for Java(TM) provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standard's guidelines will lead to higher-quality systems-robust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Java-for devices such as PCs, game players, mobile phones, home appliances, and automotive electronics. After a high-level introduction to Java application security, seventeen consistently organized chapters detail specific rules for key areas of Java development. For each area, the authors present noncompliant examples and corresponding compliant solutions, show how to assess risk, and offer references for further information. Each rule is prioritized based on the severity of consequences, likelihood of introducing exploitable vulnerabilities, and cost of remediation. The standard provides secure coding rules for the Java SE 6 Platform including the Java programming language and libraries, and also addresses new features of the Java SE 7 Platform. It describes language behaviors left to the discretion of JVM and compiler implementers, guides developers in the proper use of Java's APIs and security architecture, and considers security concerns pertaining to standard extension APIs (from the javax package hierarchy).The standard covers security issues applicable to these libraries: lang, util, Collections, Concurrency Utilities, Logging, Management, Reflection, Regular Expressions, Zip, I/O, JMX, JNI, Math, Serialization, and JAXP.