One Minute Bottom Line
If you're in any doubt about the importance and scope of software security in a web application, then just leafing through the 10-page table of contents of this book will give you the necessary willies. On the other hand, if you're an expert on building secure web applications in Java using Spring, then this book is so densely packed with useful, relevant, correct examples you'll find it an excellent source of reference for the things you already know you need to take care of.
This is an excellent book, well written, up-to-date, complete, with relevant examples and code. The subject is web application security and the implementation method is Spring Security 3. If you're not using a security platform in your web application you might be wondering whether this book is still for you. It is, for two reasons: first, it takes you through all the important aspects of web application security, including some you won't have thought of. Second, you're quite likely to be convinced quickly that Spring Security 3 is the right platform to do it right.
So experts are covered, but for the rest of us, the big fat middle of us, we're a bit caught between this book's all-too-short and deceptively gentle introduction of the subject matter and the sheer scope and detail of what's described as required for even some of the simplest-sounding aspects of security. So just commit to taking a pass or two on whole chapters before you start editing Spring beans.
But as noted above, both the subject area and the book itself are really dense. I think this could be a problem if a reader thought they could just grab a couple of code snippets and call their software secure. That's a recipe for disaster, which is possibly why you're reading this and looking into this book in the first place.
Chapter 4 illustrates a good example of where things get harder than you thought. You not only have to store user names and passwords to secure your application, but then you have to squirrel away these credentials somewhere or somehow securely. And this includes making sure at least the passwords are never sent or stored in clear text. And what about bootstrapping the system for your "admin" user? In any case, you're now turning on SSL selectively across your site, adding a key store for the SSL certificate, mapping secure ports, "salting" passwords. That's 36 pages of diagrams, code snippets, HTML, configuration, command-line tools and arguments. By now I hope you're well past thinking this is going to be a simple cut-and-paste exercise. However, if you stuck with it, this book just showed you the way through all of this.
It's not always easy to see the wood for the trees in this book. That is partly, once again, a product of going into so much detail, but it is also due in part to the way the material is presented. Large sections of the book seem at times to drift rather aimlessly through this broad and deep subject. I would have preferred to see better structure in the book. It's hard to write something that works for both breadth-first and depth-first readers, or a tutorial that also works as reference material. Hard, but not impossible. This book could take lessons from some who have succeeded better at that. Another slight criticism is the inconsistent formatting of code and diagrams. Many different tools were used to create the illustrations, and this reviewer found it quite distracting. It's no big deal to format code--and to format it consistently. So why not do it?
Spring Security 3's attention to real-world integration with existing security infrastructure is outstanding. LDAP, OpenID, SSO with CAS, Kerberos are all covered at the level of detail you will have come to expect from this book. With that emphasis on integration, this already excellent book really shines.
In summary, Spring Security 3 deserves a place in your library regardless of your level of involvement in developing web applications.