“So in the case of those who are skilled in attack, their opponents do not know where to defend. In the case of those skilled in defense, their opponents do not know where to attack.”
—Sun Tzu

Welcome to the Hacking Exposed: Java and J2EE Application Security website. The website is designed to provide a brief introduction to the book, track new information relevant to topics discussed in the book, and, most important, offer the downloadable, fully functional code examples from the text of the book. You’ll also find several appendixes on Java technology posted to this site.

We suggest that you visit this website frequently to view any updated materials, gain easy access to the code mentioned in the book, and stay informed about developments in Java and J2EE security.


In its short lifetime, Java has grown from an interesting side project started at a hardware company to the predominant language for server-side, middle-tier programming. This success has been no accident. The Java language has many features that make it the right choice for a variety of programming tasks, from the server to the palmtop. It is a platform-independent, type-safe, and compact language. It has a rich set of development libraries, provided in the Java Development Kit (JDK) itself and courtesy of open-source powerhouses like Apache’s Jakarta project. But most important, the Java language has a level of strong, consistent, and extensible security that is sorely lacking in other languages and operating environments.

Java security was a key consideration in the development of the language. The developers knew that Java programs would be exposed to a broad set of unknown users, presenting distinct security risks. A number of security features were built into the language from the start, and these features have been augmented and extended with each new release. Unfortunately, many application developers and system architects seem to overlook Java and J2EE security, even though it’s a technology built into the fabric of the platform. In many instances, the authors have seen enterprises (and even vendors) build custom security solutions that almost exactly mirror the capabilities of the Java platform itself—simply because they didn’t know that those particular security features already existed in Java.

Understanding the security tools available for Java and using these tools consistently are the foundation of a good Java security policy. The goal of this book is to help you select the appropriate security tools and use them correctly to protect your applications.



“A well-presented analysis of J2EE security concerns and solutions with practical, real-world examples.”
—John Ranta, Customer Training Instructor, Sun Services, Sun Microsystems

“Using a nice, clear sample project and illustrating issues using specific code really helps folks like me understand what’s going on with the code [I have little Java development experience, but lots of security and sys admin experience]. By focusing on actual code and discussing the strengths and weaknesses of design and coding decisions, this book provides a valuable reference for both the Java development community and security professionals. What I really like about the book is that I can point to it as a reference when asked how to include security concerns in the design and coding of Java applications. I have read too many publications that discuss security features from a ‘what is possible’ perspective rather than ‘how to do it’.”
—Dave Fautheree, CISSP, Systems Security Analyst, Southwest Airlines

“An essential guide for the practitioner, covering security across the spectrum of Java, J2EE, and Web services technologies. Well-organized presentation of common security attacks and how to stop them cold, all demonstrated by working code in a realistic case study. Useful for application developers at all levels.”
—Tim Seltzer, Enterprise Java Architect, Sun Microsystems, Java Center