“So in the case of those who are skilled
in attack, their opponents do not know where to defend. In the
case of those skilled in defense, their opponents do not know
where to attack.”
Welcome to the Hacking Exposed: Java and J2EE Application Security
website. The website is designed to provide a brief introduction
to the book, track new information relevant to topics discussed
in the book, and, most important, offer the downloadable, fully
functional code examples from the text of the book.
You’ll also find several appendixes on Java technology posted
to this site.
We suggest that you visit this website frequently to view any updated
materials, gain easy access to the code mentioned in the book, and
stay informed about developments in Java and J2EE security.
In its short lifetime, Java has grown from an interesting side
project started at a hardware company to the predominant language
for server-side, middle-tier programming. This success has been
no accident. The Java language has many features that make it the
right choice for a variety of programming tasks, from the server
to the palmtop. It is a platform-independent, type-safe, and compact
language. It has a rich set of development libraries, provided in
the Java Development Kit (JDK) itself and courtesy of open-source
powerhouses like Apache’s Jakarta project. But most important,
the Java language has a level of strong, consistent, and extensible
security that is sorely lacking in other languages and operating
Java security was a key consideration in the development of the
language. The developers knew that Java programs would be exposed
to a broad set of unknown users, presenting distinct security risks.
A number of security features were built into the language from
the start, and these features have been augmented and extended with
each new release. Unfortunately, many application developers and
system architects seem to overlook Java and J2EE security, even
though it’s a technology built into the fabric of the platform.
In many instances, the authors have seen enterprises (and even vendors)
build custom security solutions that almost exactly mirror the capabilities
of the Java platform itself—simply because they didn’t
know that those particular security features already existed in
Understanding the security tools available for Java and using these
tools consistently are the foundation of a good Java security policy.
The goal of this book is to help you select the appropriate security
tools and use them correctly to protect your applications.
“A well-presented analysis of J2EE security concerns
and solutions with practical, real-world examples.”
—John Ranta, Customer Training Instructor, Sun Services,
“Using a nice, clear sample project and illustrating
issues using specific code really helps folks like me understand
what’s going on with the code [I have little Java development
experience, but lots of security and sys admin experience].
By focusing on actual code and discussing the strengths and
weaknesses of design and coding decisions, this book provides
a valuable reference for both the Java development community
and security professionals. What I really like about the book
is that I can point to it as a reference when asked how to
include security concerns in the design and coding of Java
applications. I have read too many publications that discuss
security features from a ‘what is possible’ perspective
rather than ‘how to do it’.”
—Dave Fautheree, CISSP, Systems Security Analyst, Southwest
guide for the practitioner, covering security across the spectrum
of Java, J2EE, and Web services technologies. Well-organized
presentation of common security attacks and how to stop them
cold, all demonstrated by working code in a realistic case
study. Useful for application developers at all levels.”
—Tim Seltzer, Enterprise Java Architect, Sun Microsystems,