Enterprise Security with EJB and CORBA
Review by Billy Barron, Delphi Consultants
"Enterprise Security with EJB and CORBA" (Wiley Computer Publishing; ISBN 0-471-40131-5) by Hartman, Flinn, and Beznosov is a book about distributed object security. I have been disappointed that most of the EJB books I've looked at completely avoided the issue of security, apart from some vague statement that EJBs help security. Now there is a whole book on this topic. The foreword of this book might explain why. It talks about how common it is for applications to be developed without security because the time is not available.

The first chapter gives an overview of enterprise security. It does a good job of this and makes a lot of good points, but then the end of the chapter is strange. Out of the blue, a UML diagram appears, followed by an all too brief description. They call this a "Secure Component Architecture". From the description given, I, who have developed many enterprise security systems, did not feel it was secure on its own. The authors said they will use this architecture throughout the book. Though I haven't gone through the whole book with a fine-tooth comb, I will assume that they will add the necessary components to make this architecture secure later in the book.

The book then talks about securing EJB components. This is followed by a chapter on CORBA. These are followed by a chapter which covers just about every security technology out there, from firewalls to cryptography. After this, the book talks about interoperability between EJB and CORBA from a security perspective. The couple of chapters after that cover how to protect resources and make security scalable using some CORBA extensions. This was a little disappointing to me. One thing that struck me when I saw the title of the book was that they left out RMI. To date, even during my period as a consultant, I never worked anywhere that used CORBA. I've done a ton of RMI, on the other hand. I'd really like to hear ideas of protection and scalability that didn't depend upon CORBA. At least I have my own. :-)

The book then moves into security system planning. This is an important step that I often see skipped on real projects. The final chapter ties everything together and has good discussions on many topics, including how to store security data.

The overall impression of this book is that it doesn't make me jump up and down in joy, but on the other hand, there is nothing wrong with it if you are using CORBA. Personally, I felt the inclusion of CORBA made it less useful to me. If it had been a pure EJB security book, I would have been more interested.