Book Review: Core Security Patterns: Best Practices and Strategies for J2EE(TM), Web Services, and Identity Management

Authors: Christopher Steel, Ramesh Nagappan, Ray Lai

Publisher: Prentice Hall / Sun Microsystems Press

ISBN: 0131463071 (Click to buy from Amazon)

When the Gang of Four wrote Design Patterns, they could be reasonably assured that most readers would know the basics of object oriented programming, and so they could spend their time on best practices when using objects. Similarly, when the authors of Core J2EE patterns wrote their book, they were able to assume that readers knew the basics of server side java, such as Requests, Sessions, and EJBs. However, the authors of Core Security Patterns made a different choice. They chose, correctly in my view, to assume no prior security knowledge. Consequently, the authors start with an introduction to basic security principals, including such details as the various types of encryption algorithms (symmetric and asymmetric, and for symmetric, block and stream), giving examples of each. They then give examples of how the various types of encryption algorithms are used, and detail how common protocols such as SSL make use of the algorithms. They show common means of attack, and how various security principles can prevent such attacks.

Once these basics of security are laid out, the authors spend several chapters describe how the various java security packages come together to implement the security described in chapter 2. A quick perusal of the topics of these chapters explains why several chapters are necessary–as it turns out, there is quite a bit of security functionality already built into standard J2Se and J2EE. For example, in J2SE 5, there are tools for key generation and management, for looking up revoked certificates, and of course for encryption and decryption, among other things. JAAS is covered here as well. The authors then cover web services and identity management, and how various XML security standards, such as XML Signature, can be used in both cases, and describe the java tools to work with such standards.

Finally, the authors move to the patterns themselves, and here the book finally becomes more like the standard patterns book, giving examples of the different scenarious under which you would use patterns, and providing the pros and cons of each. Since many readers will have taken advantage of the previous sections to learn about all the security technologies in depth for the first time, the patterns then provide a welcome companion, describing the proper use of the various technologies. There is nothing unique about the pattern presentation here, as compared to the other more well know pattern books–patterns are described and the pros and cons of each are given in depth, and so this part of the book may not get as much use. Still, just for the first part of the book alone, this book is worth reading.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s