Full Description
Praise for Core Security Patterns

"Java provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patterns addresses both aspects of security and will be a guide to developers everywhere in creating more secure applications."
--Whitfield Diffie, inventor of Public-Key Cryptography

"A comprehensive book on Security Patterns, which are critical for secure programming."
--Li Gong, former Chief Java Security Architect, Sun Microsystems, and coauthor of Inside Java 2 Platform Security

"As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts."
--Joe Uniejewski, Chief Technology Officer and Senior Vice President, RSA Security, Inc.

"This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry."
--Judy Lin, Executive Vice President, VeriSign, Inc.

"Core Security Patterns provides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indispensable security reference by their side."
--Bill Hamilton, author of ADO.NET Cookbook, ADO.NET in a Nutshell, and NUnit Pocket Reference

"As a trusted advisor, this book will serve as a Java developer's security handbook, providing applied patterns and design strategies for securing Java applications."
--Shaheen Nasirudheen, CISSP, Senior Technology Officer, JPMorgan Chase

"Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors' strong security experience, they created a must-have book for any designer/developer looking to create secure applications."
--John Crupi, Distinguished Engineer, Sun Microsystems, coauthor of Core J2EE Patterns

Core Security Patterns is the hands-on practitioner's guide to building robust end-to-end security into J2EE (TM) enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications. The authors explain the fundamentals of Java application security from the ground up, then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and twenty-three proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code.

They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME (TM) applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using Smart Cards and Biometrics.

Core Security Patterns covers all of the following, and more:

- What works and what doesn't: J2EE application-security best practices, and common pitfalls to avoid
- Implementing key Java platform security features in real-world applications
- Establishing Web Services security using XML Signature, XML Encryption, WS-Security, XKMS, and WS-I Basic Security Profile
- Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML
- Designing secure personal identification solutions using Smart Cards and Biometrics
- Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists
- End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications
Contents
- Foreword by Judy Lin
- Foreword by Joe Uniejewski
- Preface
- Acknowledgments
- About the Authors

I. INTRODUCTION

1. Security by Default
- Business Challenges Around Security
- What Are the Weakest Links?
- The Impact of Application Security
- The Four W's
- Strategies for Building Robust Security
- Proactive and Reactive Security
- The Importance of Security Compliance
- The Importance of Identity Management
- The Importance of Java Technology
- Making Security a "Business Enabler"
- Summary
- References

2. Basics of Security
- Security Requirements and Goals
- The Role of Cryptography in Security
- The Role of Secure Sockets Layer (SSL)
- The Importance and Role of LDAP in Security
- Common Challenges in Cryptography
- Threat Modeling
- Identity Management
- Summary
- References

II. JAVA SECURITY ARCHITECTURE AND TECHNOLOGIES

3. The Java 2 Platform Security
- Java Security Architecture
- Java Applet Security
- Java Web Start Security
- Java Security Management Tools
- J2ME Security Architecture
- Java Card Security Architecture
- Securing the Java Code
- Summary
- References

4. Java Extensible Security Architecture and APIs
- Java Extensible Security Architecture
- Java Cryptography Architecture (JCA)
- Java Cryptographic Extensions (JCE)
- Java Certification Path API (CertPath)
- Java Secure Socket Extension (JSSE)
- Java Authentication and Authorization Service (JAAS)
- Java Generic Secure Services API (JGSS)
- Simple Authentication and Security Layer (SASL)
- Summary
- References

5. J2EE Security Architecture
- J2EE Architecture and Its Logical Tiers
- J2EE Security Definitions
- J2EE Security Infrastructure
- J2EE Container-Based Security
- J2EE Component/Tier-Level Security
- J2EE Client Security
- EJB Tier or Business Component Security
- EIS Integration Tier--Overview
- J2EE Architecture--Network Topology
- J2EE Web Services Security--Overview
- Summary
- References

III. WEB SERVICES SECURITY AND IDENTITY MANAGEMENT

6. Web Services Security--Standards and Technologies
- Web Services Architecture and Its Building Blocks
- Web Services Security--Core Issues
- Web Services Security Requirements
- Web Services Security Standards
- XML Signature
- XML Encryption
- XML Key Management System (XKMS)
- OASIS Web Services Security (WS-Security)
- WS-I Basic Security Profile
- Java-Based Web Services Security Providers
- XML-Aware Security Appliances
- Summary
- References

7. Identity Management Standards and Technologies
- Identity Management--Core Issues
- Understanding Network Identity and Federated Identity
- Introduction to SAML
- SAML Architecture
- SAML Usage Scenarios
- The Role of SAML in J2EE-Based Applications and Web Services
- Introduction to Liberty Alliance and Their Objectives
- Liberty Alliance Architecture
- Liberty Usage Scenarios
- The Nirvana of Access Control and Policy Management
- Introduction to XACML
- XACML Data Flow and Architecture
- XACML Usage Scenarios
- Summary
- References

IV. SECURITY DESIGN METHODOLOGY, PATTERNS, AND REALITY CHECKS

8. The Alchemy of Security Design--Methodology, Patterns, and Reality Checks
- The Rationale
- Secure UP
- Security Patterns
- Security Patterns for J2EE, Web Services, Identity Management, and Service Provisioning
- Reality Checks
- Security Testing
- Adopting a Security Framework
- Refactoring Security Design
- Service Continuity and Recovery
- Conclusion
- References

V. DESIGN STRATEGIES AND BEST PRACTICES

9. Securing the Web Tier--Design Strategies and Best Practices
- Web-Tier Security Patterns
- Best Practices and Pitfalls
- References

10. Securing the Business Tier--Design Strategies and Best Practices
- Security Considerations in the Business Tier
- Business Tier Security Patterns
- Best Practices and Pitfalls
- References

11. Securing Web Services--Design Strategies and Best Practices
- Web Services Security Protocols Stack
- Web Services Security Infrastructure
- Web Services Security Patterns
- Best Practices and Pitfalls
- Best Practices
- References

12. Securing the Identity--Design Strategies and Best Practices
- Identity Management Security Patterns
- Best Practices and Pitfalls
- References

13. Secure Service Provisioning--Design Strategies and Best Practices
- Business Challenges
- User Account Provisioning Architecture
- Introduction to SPML
- Service Provisioning Security Pattern
- Best Practices and Pitfalls
- Summary
- References

14. Building End-to-End Security Architecture--A Case Study
- Overview
- Use Case Scenarios
- Application Architecture
- Security Architecture
- Design
- Development
- Testing
- Deployment
- Summary
- Lessons Learned
- Pitfalls
- Conclusion
- References

VII. PERSONAL IDENTIFICATION USING SMART CARDS AND BIOMETRICS

15. Secure Personal Identification Strategies Using Smart Cards and Biometrics
- Physical and Logical Access Control
- Enabling Technologies
- Smart Card-Based Identification and Authentication
- Biometric Identification and Authentication
- Multi-factor Authentication Using Smart Cards and Biometrics
- Best Practices and Pitfalls
- References

Index