As a registered member of SearchSoftwareQuality.com, you're entitled to a complimentary copy of Chapter 8 of Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management written by Christopher Steel, Ramesh Nagappan, and Ray Lai and published by Prentice Hall.
Core Security Patterns is the hands-on practitioners guide to building robust end-to-end security into J2EE enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications. The authors explain the fundamentals of Java application security from the ground up. They then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and 23 proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code. They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using smart cards and biometrics. Core Security Patterns covers all of the following and more:
- What works and what doesn't: J2EE application-security best practices, and common pitfalls to avoid.
- Implementing key Java platform security features in real-world applications.
- Establishing Web Services security using XML Signature, XML Encryption, WS-Security, XKMS, and WS-I Basic security profile.
- Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML.
- Designing secure personal identification solutions using smart cards and biometrics.
- Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists.
- End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications.
>> Buy the book
This was first published in January 2006