Java Security Review
Review by Billy Barron, Tek-Tools
"Java Security, 2nd Edition" by Scott Oaks (O'Reilly & Associates; ISBN 0-596-00157-6) is the 2nd edition of the best how-to-do-Java-security book on the market. The book begins with basic Java application security. Then it talks about the sandbox, including policy files. I'm delighted to see this here, as this is the only detailed explanation of the policy file I've seen. The third chapter talks about the security built into the Java language. Chapters 4 through 6 cover the security manager, access controller and class loaders.

Chapter 7 is a turning point in the book for me. The first 6 chapters cover material that is not really new to most of us who have been doing Java for years. Chapter 7 is the start of cryptography, which dominates the rest of the book. This is good because for the past year every project I've been involved in has used cryptography. Also, very few people understand it well. The book covers a wide range of cryptography topics including keys, certificates, message digests, digital signatures, encryption, SSL, and HTTPS. Then the book closes with a chapter on authentication and authorization. The focus of the last chapter is on the JAAS API. I wish it had spent more time on the principles of authentication and authorization, because most of the programmers I've met do not understand the difference between authentication and authorization.

The typical chapter in this book is a mixture of explanation, examples, and the API. The explanations and examples are good. However, I wish the book had trimmed back the API material some, because at times it interrupts the flow of the book.

The book came at a very good time. Just days after receiving it I had to unexpectedly implement some digital signature code. With the examples in the book, I had my program up and going in no time flat. It saved me hours that I would have otherwise spent with the less informative Sun API documentation.
Though the book says that it is useful for end users and system administrators as well as developers, I think that this is a book just for developers. However, it happens to be an excellent book for Java developers. I strongly recommend it to anyone doing Java security programming.