Christopher Steel, CISSP, ISSAP, is the President and CEO of FortMoon Consulting and was recently the Chief Architect on the U.S. Treasury's Pay.gov project. He has over fifteen years experience in distributed enterprise computing with a strong focus on application security, patterns, and methodologies. He presents regularly at local and industry conferences on security-related topics.
Ramesh Nagappan is a Java Technology Architect at Sun Microsystems. With extensive industry experience, he specializes in Java distributed computing and security architectures for mission-critical applications. Previously he coauthored three best-selling books on J2EE, EAI, and Web Services. He is an active contributor to open source applications and industry-standard initiatives, and frequently speaks at industry conferences related to Java, XML, and Security.
Ray Lai, Principal Engineer at Sun Microsystems, has developed and architected enterprise applications and Web services solutions for leading multinational companies ranging from HSBC and Visa to American Express and DHL. He is author of J2EE Platform Web Services (Prentice Hall, 2004).
Foreword by Judy Lin.
Foreword by Joe Uniejewski.
Preface.
Acknowledgments.
About the Authors.
I. INTRODUCTION.
1. Security by Default.
Business Challenges Around Security
What Are the Weakest Links?
The Impact of Application Security
The Four W's
Strategies for Building Robust Security
Proactive and Reactive Security
The Importance of Security Compliance
The Importance of Identity Management
The Importance of Java Technology
Making Security a "Business Enabler"
Summary
References
2. Basics of Security.
Security Requirements and Goals
The Role of Cryptography in Security
The Role of Secure Sockets Layer (SSL)
The Importance and Role of LDAP in Security
Common Challenges in Cryptography
Threat Modeling
Identity Management
Summary
References
II. JAVA SECURITY ARCHITECTURE AND TECHNOLOGIES.
3. The Java 2 Platform Security.
Java Security Architecture
Java Applet Security
Java Web Start Security
Java Security Management Tools
J2ME Security Architecture
Java Card Security Architecture
Securing the Java Code
Summary
References
4. Java Extensible Security Architecture and APIs.
Java Extensible Security Architecture
Java Cryptography Architecture (JCA)
Java Cryptographic Extensions (JCE)
Java Certification Path API (CertPath)
Java Secure Socket Extension (JSSE)
Java Authentication and Authorization Service (JAAS)
Java Generic Secure Services API (JGSS)
Simple Authentication and Security Layer (SASL)
Summary
References
5. J2EE Security Architecture.
J2EE Architecture and Its Logical Tiers
J2EE Security Definitions
J2EE Security Infrastructure
J2EE Container-Based Security
J2EE Component/Tier-Level Security
J2EE Client Security
EJB Tier or Business Component Security
EIS Integration Tier-Overview
J2EE Architecture--Network Topology
J2EE Web Services Security-Overview
Summary
References
III. WEB SERVICES SECURITY AND IDENTITY MANAGEMENT.
6. Web Services Security--Standards and Technologies.
Web Services Architecture and Its Building Blocks
Web Services Security--Core Issues
Web Services Security Requirements
Web Services Security Standards
XML Signature
XML Encryption
XML Key Management System (XKMS)
OASIS Web Services Security (WS-Security)
WS-I Basic Security Profile
Java-Based Web Services Security Providers
XML-Aware Security Appliances
Summary
References
7. Identity Management Standards and Technologies.
Identity Management--Core Issues
Understanding Network Identity and Federated Identity
Introduction to SAML
SAML Architecture
SAML Usage Scenarios
The Role of SAML in J2EE-Based Applications and Web Services
Introduction to Liberty Alliance and Their Objectives
Liberty Alliance Architecture
Liberty Usage Scenarios
The Nirvana of Access Control and Policy Management
Introduction to XACML
XACML Data Flow and Architecture
XACML Usage Scenarios
Summary
References
IV. SECURITY DESIGN METHODOLOGY, PATTERNS, AND REALITY CHECKS.
8. The Alchemy of Security Design--Methodology, Patterns, and Reality Checks.
The Rationale
Secure UP
Security Patterns
Security Patterns for J2EE, Web Services, Identity Management, and Service Provisioning
Reality Checks
Security Testing
Adopting a Security Framework
Refactoring Security Design
Service Continuity and Recovery
Conclusion
References
V. DESIGN STRATEGIES AND BEST PRACTICES.
9. Securing the Web Tier--Design Strategies and Best Practices.
Web-Tier Security Patterns
Best Practices and Pitfalls
References
10. Securing the Business Tier--Design Strategies and Best Practices.
Security Considerations in the Business Tier
Business Tier Security Patterns
Best Practices and Pitfalls
References
11. Securing Web Services--Design Strategies and Best Practices.
Web Services Security Protocols Stack
Web Services Security Infrastructure
Web Services Security Patterns
Best Practices and Pitfalls
Best Practices
References
12. Securing the Identity--Design Strategies and Best Practices.
Identity Management Security Patterns
Best Practices and Pitfalls
References
13. Secure Service Provisioning--Design Strategies and Best Practices.
Business Challenges
User Account Provisioning Architecture
Introduction to SPML
Service Provisioning Security Pattern
Best Practices and Pitfalls
Summary
References
VI. PUTTING IT ALL TOGETHER.
14. Building End-to-End Security Architecture--A Case Study.
Overview
Use Case Scenarios
Application Architecture
Security Architecture
Design
Development
Testing
Deployment
Summary
Lessons Learned
Pitfalls
Conclusion
References
VII. PERSONAL IDENTIFICATION USING SMART CARDS AND BIOMETRICS.
15. Secure Personal Identification Strategies Using Smart Cards and Biometrics.
Physical and Logical Access Control
Enabling Technologies
Smart Card-Based Identification and Authentication
Biometric Identification and Authentication
Multi-factor Authentication Using Smart Cards and Biometrics
Best Practices and Pitfalls
References
Index.
The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.
The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.