views: 56
answers: 2

Hi,

I have been using and learning Servlets and JSP without giving enough thought to J2EE/JEE security.

Now, I wanted to upgrade my knowledge and add security into the web apps that I am building.

I have searched over SO posts but can't find enough resources to read about security. Can you share some links or tutorials where I could learn about web security, focusing on Java in general?

I am quite a beginner so I prefer books. Thanks

+1  A: 

Achieving good security eventually depends on the nature of data that you are handling in your application, and the kind of protection you wish to afford it. It might also depend on the architecture that you've chosen to build your application - in your case, if you choose to use EJBs to contain the business logic, then you have a few more things to do.

As far as books are concerned, you'll find that the older books on J2EE security continue to hold good on Java EE as well. Not a lot has changed when it comes to designing Java web applications, save for a few new APIs, and in-built protection against certain attacks in frameworks like JSF. You can start with the ones listed below:

On an additional note, it is also recommended that you understand the common types of attacks possible against web applications, like XSS, CSRF, SQL injection etc., and how APIs and frameworks ought to be used for preventing those attacks.

Vineet Reynolds
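As an added illustration of the last point in the answer above (this is example code written for this page, not something the answerer posted), here are the two habits that stop SQL injection and reflected XSS in a plain Servlet/JSP application, each shown next to its vulnerable form. The `users` table, its `name` column, the method names and the attacker strings are all assumptions made for the example; the JDBC and JSTL calls it mentions are the real APIs.

```java
// Added example, not from the original question or answers.
// Assumptions: a table "users" with a "name" column, and the helper names below.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class WebSecurityBasics {

    // VULNERABLE: the request parameter is pasted into the SQL text, so a
    // username such as  ' OR '1'='1  rewrites the WHERE clause.
    static String vulnerableQuery(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery(vulnerableQuery(username));
    }

    // SAFE: the SQL text is fixed; the value is sent as a bound parameter and
    // can never change the structure of the statement.
    static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Output encoding for HTML body and attribute context. Anything reflected
    // into a JSP (request parameters, database values, headers) goes through
    // this, or through JSTL's <c:out value="..."/> / ${fn:escapeXml(...)},
    // which do the same job, before it reaches the page.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker inputs for the demonstration.
        String sqlPayload = "' OR '1'='1";
        String xssPayload = "<script>alert(document.cookie)</script>";

        System.out.println("Concatenated SQL : " + vulnerableQuery(sqlPayload));
        System.out.println("Parameterised SQL: SELECT id FROM users WHERE name = ?  (value bound separately)");
        System.out.println("Raw reflection   : " + xssPayload);
        System.out.println("Escaped          : " + escapeHtml(xssPayload));
    }
}
```

Running `main` needs no database: it only prints what the concatenated query looks like once the payload is inside it, and what the script tag becomes after escaping. `findUserUnsafe` and `findUserSafe` take a live `Connection` so the two query styles can be compared against a real driver. CSRF, the third attack named in the answer, is not a matter of encoding and is usually handled by a per-session token checked on every state-changing request, which frameworks such as Spring Security provide out of the box.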
A: 

Java EE security is actually more about access control than it is about security. So you might be getting more from these non-Java popular titles:

You also might want to consider Spring Security, as it does not need a full blown J2EE server and offers an application server independent security solution:

Kdeveloper