GlassFish Security by Masoud Kalali provides an in-depth look at Java EE security issues.  The book is broken down into 3 parts:
1. The Java EE security model
2. Securing GlassFish and its environment
3. Securing Java EE applications using OpenDS and Single-Sign-On (SSO)
The first section of the book describes the Java EE security model.  It starts by assuming the reader has little or no knowledge of Java EE security, and describes the structure of a Java EE application and how security relates to it.  Basic terms such as User, Role, Realm, Principal and Credential are defined, each with an example.  Authentication and authorization are then described, and the book shows how these concepts are applied to Java EE applications through both XML configuration and annotations.
When securing an application for use on GlassFish, several different security realms are available for use.  The book covers the GlassFish File, JDBC, LDAP and Certificate realms showing how each of these can be configured (using OpenDS in the case of the LDAP realm).
The first section of the book ends with a sample application that brings together everything described so far.  The author shows how to develop and secure a sample Java EE application, securing both the presentation and business tiers.  The complete code for this application is available online.  This is a good chapter that consolidates what the reader has learned so far into a simple yet complete secure application.
Typically, developers learn to secure their applications but can forget to secure the application server and its environment.  The next section of the book shows how to secure the GlassFish environment and the application server itself.  Here, the author shows how to install and secure GlassFish on the OpenSolaris operating system.  Although most of the details here are specific to OpenSolaris, the book also covers securing the Java Runtime with different security policies, which applies to all operating systems.  Even if you’re not deploying to OpenSolaris, this section gives a good overview of the problems faced when securing the environment.
After securing the GlassFish environment, the author goes on to describe how to secure the application server itself.  As in the rest of this section, each security topic is discussed and its implementation shown.  No source code is provided here; instead, the author details how to use JMX and the client tools to secure the server.
The final section of the book introduces OpenDS, the open source Directory Server and OpenSSO, the open source Single-Sign-On solution.  To me, this is the most interesting section of the book and covers almost half of the book’s content.  If you’re not familiar with OpenDS or OpenSSO, or even directory services or single-sign-on, then this section probably warrants the price of the book by itself.  As with the rest of the book, the author provides a description of the security features being discussed (e.g. implementing SSO on web apps or web services) and provides illustrations and source code explaining the subject in detail.
If you are developing secure Java EE applications then this book is highly recommended.  The book is written for “application designers, developers, and administrators who work with GlassFish and are keen to understand Java EE and GlassFish security.”
GlassFish Security by Masoud Kalali. ISBN: 978-1-847199-38-6
Thanks to Sean at Packt for providing me with a copy of this book for review.