
Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management [Paperback]

  • Format: Paperback / softback, 1088 pages, height x width x thickness: 100x100x100 mm, weight: 100 g
  • Publication date: 09-Jan-2013
  • Publisher: Prentice Hall
  • ISBN-10: 0133119769
  • ISBN-13: 9780133119763

Praise for Core Security Patterns

Java provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patterns addresses both aspects of security and will be a guide to developers everywhere in creating more secure applications.

--Whitfield Diffie, inventor of Public-Key Cryptography

A comprehensive book on Security Patterns, which are critical for secure programming.

--Li Gong, former Chief Java Security Architect, Sun Microsystems, and coauthor of Inside Java 2 Platform Security

As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts.

--Joe Uniejewski, Chief Technology Officer and Senior Vice President, RSA Security, Inc.

This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry.

--Judy Lin, Executive Vice President, VeriSign, Inc.

Core Security Patterns provides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indispensable security reference by their side.

--Bill Hamilton, author of ADO.NET Cookbook, ADO.NET in a Nutshell, and NUnit Pocket Reference

As a trusted advisor, this book will serve as a Java developer's security handbook, providing applied patterns and design strategies for securing Java applications.

--Shaheen Nasirudheen, CISSP, Senior Technology Officer, JPMorgan Chase

Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors' strong security experience, they created a must-have book for any designer/developer looking to create secure applications.

--John Crupi, Distinguished Engineer, Sun Microsystems, coauthor of Core J2EE Patterns

Core Security Patterns is the hands-on practitioner's guide to building robust end-to-end security into J2EE™ enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications.

The authors explain the fundamentals of Java application security from the ground up, then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and twenty-three proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code. They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME™ applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using Smart Cards and Biometrics.

Core Security Patterns covers all of the following, and more:

  • What works and what doesn't: J2EE application-security best practices, and common pitfalls to avoid
  • Implementing key Java platform security features in real-world applications
  • Establishing Web Services security using XML Signature, XML Encryption, WS-Security, XKMS, and WS-I Basic security profile
  • Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML
  • Designing secure personal identification solutions using Smart Cards and Biometrics
  • Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists
  • End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications


Foreword xxv
Judy Lin
Foreword xxix
Joe Uniejewski
Preface xxxi
Acknowledgments xli
About the Authors xlv
PART I Introduction
1(92)
Chapter 1 Security by Default
2(46)
Business Challenges Around Security
5(2)
What Are the Weakest Links?
7(1)
The Network Services
7(1)
The Host Operating System (OS)
8(1)
The Application or Service
8(1)
The Impact of Application Security
8(9)
Critical Application Security Flaws and Exploits
10(7)
The Four W's
17(2)
Which Applications Are We Protecting?
17(1)
Who Are We Protecting the Applications From?
18(1)
Where Should We Protect Them?
18(1)
Why Are We Protecting Them?
18(1)
Strategies for Building Robust Security
19(2)
Unified Process for Security Design
19(1)
Design Patterns
19(1)
Best Practices
20(1)
Reality Checks
20(1)
Proactive Assessment
20(1)
Profiling
20(1)
Defensive Strategies
20(1)
Recovery and Continuity Strategies
21(1)
Proactive and Reactive Security
21(1)
The Importance of Security Compliance
21(6)
Sarbanes-Oxley Act
22(1)
Gramm-Leach-Bliley Act
23(1)
HIPAA
24(1)
The Children's Online Privacy Protection Act
25(1)
EU Directive on Data Protection
25(1)
California's Notice of Security Breach (1798.29)
26(1)
Security Compliance in Other Countries
26(1)
The Importance of Identity Management
27(2)
Identity Provisioning Services
27(1)
Identity Data Synchronization Services
27(1)
Access Management Services
28(1)
Federation Services
28(1)
Directory Services
28(1)
Auditing and Reporting Services
28(1)
Secure Personal Identification
29(7)
Personal Identification and Authentication
29(1)
Smart Card Identity
30(2)
Biometric Identity
32(3)
RFID-Based Identity
35(1)
The Importance of Java Technology
36(1)
Security in the Java Platform
37(1)
Making Security a "Business Enabler"
37(5)
Case 1 Justifying Identity and Access Management
38(1)
Case 2 Justifying Proactive Security Approaches
39(3)
Case 3 Justifying Security Compliance
42(1)
Summary
42(1)
References
43(5)
Chapter 2 Basics of Security
48(45)
Security Requirements and Goals
50(3)
Confidentiality
50(1)
Integrity
51(1)
Authentication
51(1)
Authorization
52(1)
Non-Repudiation
53(1)
The Role of Cryptography in Security
53(16)
Cryptographic Algorithms
54(15)
The Role of Secure Sockets Layer (SSL)
69(4)
The Importance and Role of LDAP in Security
73(4)
The Role of LDAP in J2EE
76(1)
Common Challenges in Cryptography
77(4)
Random Number Generation
77(1)
Key Management
77(1)
Certificate Revocation Issues
78(1)
Trust Models
79(2)
Threat Modeling
81(2)
Identity Management
83(6)
Single Sign-on (SSO)
84(2)
Federated SSO
86(3)
Summary
89(1)
References
89(4)
PART II Java Security Architecture and Technologies
93(188)
Chapter 3 The Java 2 Platform Security
94(54)
Java Security Architecture
96(13)
The Java Virtual Machine (JVM)
96(1)
The Java Language
97(2)
Java Built-in Security Model
99(10)
Java Applet Security
109(7)
Signed Applets
112(4)
Java Web Start Security
116(2)
Java Security Management Tools
118(8)
Java Keystore
118(1)
Keytool
118(7)
Policytool
125(1)
Jarsigner
125(1)
J2ME Security Architecture
126(10)
J2ME Configurations
127(3)
J2ME Profiles
130(2)
MIDlet Security
132(4)
Java Card Security Architecture
136(7)
Understanding Smart Cards
136(2)
Java Card Technology in Smart Cards
138(1)
Java Card Platform Security Model
139(1)
Java Card Applets
140(3)
Securing the Java Code
143(2)
Reverse Engineering: Disassembling and Decompiling
143(1)
Code Obfuscation
144(1)
Summary
145(1)
References
146(2)
Chapter 4 Java Extensible Security Architecture and APIs
148(76)
Java Extensible Security Architecture
150(1)
Java Cryptography Architecture (JCA)
151(8)
JCA Cryptographic Services
152(3)
Understanding JCA API Programming Model
155(4)
Java Cryptographic Extensions (JCE)
159(20)
JCE Cryptographic Service Provider
160(3)
Understanding the JCE API Programming Model
163(12)
JCE Hardware Acceleration and Smart Card Support
175(1)
Using Smart Cards as Java Key Stores
176(2)
Strong versus Unlimited Strength Cryptography
178(1)
Java Certification Path API (CertPath)
179(3)
Java CertPath-Classes and Interfaces
179(1)
Java CertPath API Programming Model
180(2)
Java Secure Socket Extension (JSSE)
182(15)
JSSE Provider (SunJSSE)
183(1)
JSSE Classes and Interfaces
184(2)
Understanding the JSSE API Programming Model
186(11)
Java Authentication and Authorization Service (JAAS)
197(18)
JAAS Classes and Interfaces
198(2)
Understanding the JAAS API Programming Model
200(15)
Java Generic Secure Services API (JGSS)
215(1)
Comparing JGSS with JSSE and JAAS
215(1)
Simple Authentication and Security Layer (SASL)
216(4)
Java SASL
216(4)
Summary
220(1)
References
221(3)
Chapter 5 J2EE Security Architecture
224(57)
J2EE Architecture and Its Logical Tiers
226(2)
J2EE Security Definitions
228(1)
J2EE Security Infrastructure
229(1)
J2EE Container-Based Security
230(8)
Declarative Security
231(1)
Programmatic Security
232(1)
J2EE Authentication
232(2)
Protection Domains
234(1)
J2EE Authorization
235(1)
Java Authorization Contract for Client Containers (JACC)
236(1)
Transport Layer Security
237(1)
J2EE Component/Tier-Level Security
238(17)
Users, Groups, Roles, and Realms
238(1)
Web- or Presentation-Tier Security
239(16)
J2EE Client Security
255(4)
HTTPS Connection
255(3)
Secure J2ME Clients
258(1)
EJB Tier or Business Component Security
259(7)
EJB Declarative Authorization
259(2)
EJB Programmatic Authorization
261(1)
Anonymous or Unprotected EJB Resources
262(1)
Principal Delegation in EJBs
263(3)
EIS Integration Tier-Overview
266(7)
Securing J2EE Connector and EIS
267(4)
Securing JMS
271(1)
Securing JDBC
272(1)
J2EE Architecture-Network Topology
273(4)
Designing for Security with Horizontal Scalability
274(2)
Designing for Security with Vertical Scalability
276(1)
J2EE Web Services Security-Overview
277(2)
Summary
279(1)
References
280(1)
PART III Web Services Security and Identity Management
281(156)
Chapter 6 Web Services Security-Standards and Technologies
282(74)
Web Services Architecture and Its Building Blocks
284(6)
Web Services Operational Model
285(1)
Core Web Services Standards
286(3)
Web Services Communication Styles
289(1)
Web Services Security-Core Issues
290(3)
Web Services-Threats, Vulnerabilities, and Risks
290(3)
Web Services Security Requirements
293(4)
Authentication
294(1)
Authorization and Entitlement
294(1)
Auditability and Traceability
294(1)
Data Integrity
295(1)
Data Confidentiality
295(1)
Non-repudiation
295(1)
Availability and Service Continuity
295(1)
Single Sign-on and Delegation
296(1)
Identity and Policy Management
296(1)
Security Interoperability
296(1)
Web Services Security Standards
297(1)
XML Signature
297(14)
Motivation of XML Signature
298(1)
The Anatomy of XML Signature
298(5)
Algorithms
303(2)
XML Signature Examples
305(5)
Creating an XML Signature
310(1)
Verifying and Validating an XML Signature
311(1)
XML Encryption
311(14)
Motivation of XML Encryption
312(1)
The Anatomy of XML Encryption
312(4)
XML Encryption Algorithms
316(4)
XML Encryption: Example Scenarios
320(5)
XML Key Management System (XKMS)
325(11)
Motivation of XKMS
325(1)
XKMS Specification Overview
326(1)
XML Key Information Services (X-KISS)
326(4)
XML Key Registration Service (X-KRSS)
330(4)
X-BULK
334(2)
OASIS Web Services Security (WS-Security)
336(12)
Motivation of WS-Security
337(1)
WS-Security Definitions
337(1)
Using Digital Signatures in WS-Security
338(1)
Using Encryption in WS-Security
338(1)
Using Security Tokens in WS-Security
339(1)
WS-Security: The Anatomy of SOAP Message Security
339(9)
WS-I Basic Security Profile
348(1)
Java-Based Web Services Security Providers
349(3)
Sun JWSDP
349(2)
Sun Java System Access Manager
351(1)
VeriSign TSIK and XKMS Services
351(1)
RSA BSAFE Secure-WS
351(1)
XML-Aware Security Appliances
352(1)
XML Firewall
352(1)
Summary
353(1)
References
354(2)
Chapter 7 Identity Management Standards and Technologies
356(81)
Identity Management-Core Issues
358(2)
Understanding Network Identity and Federated Identity
360(2)
The Importance of Identity Management
362(1)
Introduction to SAML
362(6)
The Motivation of SAML
362(1)
The Role of SAML in SSO
363(1)
SAML 1.0
364(1)
SAML 1.1
364(1)
SAML 2.0
364(3)
SAML Profiles
367(1)
SAML Architecture
368(15)
SAML Assertions
369(1)
SAML Domain Model
370(1)
SAML Architecture
371(2)
Policy Enforcement Point
373(1)
Policy Administration Point
373(1)
SAML Request-Reply Model
373(3)
SAML Authentication Assertion
376(2)
SAML Attribute Assertion
378(2)
SAML Authorization Decision Assertion
380(2)
XML Signatures in SAML
382(1)
SAML Usage Scenarios
383(3)
Security Threats and Countermeasures
384(2)
The Role of SAML in J2EE-Based Applications and Web Services
386(1)
Introduction to Liberty Alliance and Their Objectives
387(4)
Liberty Phase 1
389(1)
Liberty Phase 2
390(1)
Liberty Alliance Architecture
391(3)
Relationships
392(1)
Web Redirection
393(1)
Web Services
393(1)
Meta-Data and Schemas
393(1)
Security Mechanisms
394(1)
Liberty Usage Scenarios
394(9)
Federation Management
396(2)
Liberty Single Sign-on
398(2)
Federated Single Sign-on
400(1)
Global Logout
400(1)
Example-SAML and Liberty Using Sun Java System Access Manager
401(2)
The Nirvana of Access Control and Policy Management
403(8)
IETF Policy Management Working Group
404(1)
Distributed Management Task Force (DMTF)
404(1)
Parlay Group
405(1)
Enterprise Privacy Authorization Language (EPAL)
405(3)
Web Services Policy-WS-Policy and WSPL
408(3)
Introduction to XACML
411(7)
XACML 2.0
416(2)
XACML Data Flow and Architecture
418(3)
XACML Architecture
420(1)
XACML Usage Scenarios
421(11)
Policy Store
421(1)
Centralizing Security Policy for Web Services Security
421(1)
Collaborating with SAML
422(1)
ebXML Registry
422(1)
Example-XACML Using Sun's XACML Kit
422(1)
Sample Scenario
423(1)
Sample Request
423(2)
Sample Policy
425(5)
Use of XACML 2.0 with SAML 2.0
430(2)
Summary
432(1)
References
433(4)
PART IV Security Design Methodology, Patterns, and Reality Checks
437(96)
Chapter 8 The Alchemy of Security Design-Methodology, Patterns, and Reality Checks
438(95)
The Rationale
440(4)
The Security Wheel
441(3)
Secure UP
444(12)
Secure UP-Artifacts
449(3)
Risk Analysis (RA)
452(3)
Trade-off Analysis (TOA)
455(1)
Security Patterns
456(10)
Understanding Existing Security Patterns
456(10)
Security Patterns for J2EE, Web Services, Identity Management, and Service Provisioning
466(1)
Security Pattern Template
466(35)
Security Patterns Catalog
467(11)
Security Patterns and their Relationships
478(10)
Patterns-Driven Security Design
488(2)
Security Design Processes
490(6)
Policy Design
496(1)
Classification
497(2)
Application Security Assessment Model
499(2)
Reality Checks
501(22)
Security Testing
523(2)
Black Box Testing
524(1)
White Box Testing
524(1)
Adopting a Security Framework
525(4)
Application Security Provider
527(2)
Refactoring Security Design
529(1)
Service Continuity and Recovery
530(1)
Conclusion
530(1)
References
531(2)
Unified Process
531(1)
Security Principles
531(1)
Security Patterns
531(1)
Others
532(1)
PART V Design Strategies and Best Practices
533(366)
Chapter 9 Securing the Web Tier-Design Strategies and Best Practices
534(88)
Web-Tier Security Patterns
535(80)
Authentication Enforcer
535(13)
Authorization Enforcer
548(12)
Intercepting Validator
560(9)
Secure Base Action
569(8)
Secure Logger
577(13)
Secure Pipe
590(8)
Secure Service Proxy
598(8)
Intercepting Web Agent
606(9)
Best Practices and Pitfalls
615(5)
Infrastructure
615(2)
Communication
617(1)
Application
618(2)
References
620(2)
Chapter 10 Securing the Business Tier-Design Strategies and Best Practices
622(76)
Security Considerations in the Business Tier
623(1)
Business Tier Security Patterns
624(69)
Audit Interceptor
624(11)
Container Managed Security
635(10)
Dynamic Service Management
645(14)
Obfuscated Transfer Object
659(9)
Policy Delegate
668(9)
Secure Service Façade
677(9)
Secure Session Object
686(7)
Best Practices and Pitfalls
693(4)
Infrastructure
693(1)
Architecture
694(1)
Policy
695(1)
Pitfalls
696(1)
References
697(1)
Chapter 11 Securing Web Services-Design Strategies and Best Practices
698(56)
Web Services Security Protocols Stack
700(2)
Network-Layer Security
701(1)
Transport-Layer Security
701(1)
Message-Layer Security
702(1)
Web Services Security Infrastructure
702(3)
Network Perimeter Security
702(2)
XML Firewall
704(1)
Web Services Infrastructure
704(1)
Identity Provider
704(1)
Directory Services
704(1)
Web Services Security Patterns
705(39)
Message Interceptor Gateway
705(10)
Message Inspector
715(17)
Secure Message Router
732(12)
Best Practices and Pitfalls
744(8)
Best Practices
745(6)
Pitfalls
751(1)
References
752(2)
Chapter 12 Securing the Identity-Design Strategies and Best Practices
754(62)
Identity Management Security Patterns
756(57)
Assertion Builder Pattern
756(20)
Single Sign-on (SSO) Delegator Pattern
776(26)
Credential Tokenizer Pattern
802(11)
Best Practices and Pitfalls
813(1)
Best Practices
813(1)
Pitfalls
814(1)
References
814(2)
Chapter 13 Secure Service Provisioning-Design Strategies and Best Practices
816(83)
Business Challenges
818(5)
Scope of Service Provisioning
818(1)
Relationship with Identity Management
819(1)
A Typical Scenario of User Account Provisioning
820(2)
Current Approaches to User Account Provisioning
822(1)
User Account Provisioning Architecture
823(10)
Centralized Model versus Decentralized Model
823(3)
Logical Architecture
826(3)
Portal Integration
829(1)
Integrating with an Identity Provider Infrastructure
830(2)
Other Integration Capability
832(1)
Differentiators for Service Provisioning Products
832(1)
Introduction to SPML
833(7)
Service Provisioning Operations
834(1)
Features in SPML
835(2)
Adopting a SPML Implementation
837(3)
Service Provisioning Security Pattern
840(51)
Password Synchronizer Pattern
840(50)
Related Patterns
890(1)
Best Practices and Pitfalls
891(3)
Application Design
891(1)
Quality of Service
891(2)
Server Sizing Consideration
893(1)
Security Risk Mitigation
894(1)
Summary
894(1)
References
895(4)
General
895(1)
Some Security Service Provisioning Vendors
896(1)
Some Password Management or Password Synchronization Vendor Products
897(2)
PART VI Putting It All Together
899(60)
Chapter 14 Building End-to-End Security Architecture-A Case Study
900(59)
Overview
902(3)
Understanding the Security Challenges
902(2)
Assumptions
904(1)
Use Case Scenarios
905(8)
Choosing the Right Methodology
905(1)
Identifying the Requirements
906(1)
Identifying the Security Requirements
907(2)
System Constraints
909(1)
Security Use Cases
909(4)
System Environment
913(1)
Application Architecture
913(4)
Conceptual Security Model
915(2)
Security Architecture
917(13)
Risk Analysis and Mitigation
920(3)
Trade-Off Analysis (TOA)
923(1)
Applying Security Patterns
924(3)
Security Architecture-Detailed Components
927(3)
Design
930(21)
Policy Design
930(1)
Factor Analysis
931(3)
Security Infrastructure
934(1)
Tier Analysis
935(2)
Trust Model
937(1)
Threat Profiling
938(1)
Security Design
939(12)
Development
951(1)
Unit and Integration Testing
951(1)
Testing
952(1)
White Box Testing
952(1)
Black Box Testing
952(1)
Deployment
953(2)
Configuration
954(1)
Monitoring
954(1)
Auditing
955(1)
Summary
955(1)
Lessons Learned
955(1)
Pitfalls
956(1)
Conclusion
956(1)
References
957(2)
PART VII Personal Identification Using Smart Cards and Biometrics
959(40)
Chapter 15 Secure Personal Identification Strategies Using Smart Cards and Biometrics
960(39)
Physical and Logical Access Control
962(2)
The Role of Smart Cards in Access Control
963(1)
The Role of Biometrics in Access Control
964(1)
Enabling Technologies
964(6)
Java Card API
964(1)
Global Platform
965(1)
PC/SC Framework
966(1)
OpenCard Framework (OCF)
966(1)
OpenSC
967(1)
BioAPI
967(1)
Pluggable Authentication Module (PAM)
968(1)
Graphical Identification and Authentication (GINA)
969(1)
Java Authentication and Authorization Service (JAAS)
970(1)
Smart Card-Based Identification and Authentication
970(9)
Architecture and Implementation Model
971(4)
Operational Model
975(4)
Using Smart Cards for Physical Access Control
979(1)
Biometric Identification and Authentication
979(14)
Understanding the Biometric Verification Process
980(1)
Accuracy of a Biometric Verification Process
981(2)
Architecture and Implementation
983(4)
Operational Model
987(4)
Biometric SSO Strategy
991(2)
Multi-factor Authentication Using Smart Cards and Biometrics
993(2)
Match-on-the-Card Biometrics Strategy
994(1)
Match-off-the-Card Biometrics Strategy
994(1)
Best Practices and Pitfalls
995(3)
Using Smart Cards
995(1)
Using Biometrics
996(1)
Pitfalls
997(1)
References
998(1)
Index 999
Christopher Steele, CISSP, ISSAP, is the President and CEO of FortMoon Consulting and was recently the Chief Architect on the US Treasury's Pay.gov project. He has over fifteen years' experience in distributed enterprise computing with a strong focus on application security, patterns and methodologies. He presents regularly at local and industry conferences on security-related topics. With extensive industry experience, he specializes in Java distributed computing and security architecture for mission-critical applications. Previously he coauthored three best-selling books for J2EE, EAI and Web Services. He is an active contributor to open source applications and industry-standard initiatives, and frequently speaks at industry conferences related to Java, XML, and Security.

Ray Lai, Principal Engineer at Sun Microsystems, has developed and architected enterprise applications and Web services solutions for leading multinational companies ranging from HSBC and Visa to American Express and DHL. He is the author of J2EE Platform Web Services (Prentice Hall, 2004).