The Definitive Guide to Security in Jakarta EE: Securing Java-based Enterprise Applications with Jakarta Security, Authorization, Authentication and More (Paperback)

Refer to this definitive and authoritative book to understand the Jakarta EE Security Spec, with Jakarta Authentication & Authorization as its underlying official foundation. Jakarta EE Security implementations are discussed, such as Soteria and Open Liberty, along with the build-in modules and Jakarta EE Security third-party modules, such as Payara Yubikey & OIDC, and OmniFaces JWT-Auth.
The book discusses Jakarta EE Security in relation to SE underpinnings and provides a detailed explanation of how client-cert authentication over HTTPS takes place, how certifications work,  and how LDAP-like names are mapped to caller/user names. General (web) security best practices are presented, such as not storing passwords in plaintext, using HTTPS, sanitizing inputs to DB queries, encoding output, and explanations of various (web) attacks and common vulnerabilities are included.
Practical examples of securing applications discuss common needs such as letting users explicitly log in, sign up, verify email safely, explicitly log in to access protected pages, and go direct to the log in page. Common issues are covered such as abandoning an authentication dialog halfway and later accessing protected pages again.


What You Will Learn

- Know what Jakarta/Java EE security includes and how to get started learning and using this technology for today's and tomorrow's enterprise Java applications
- Secure applications: traditional server-side web apps built with JSF (Faces) as well as applications based on client-side frameworks (such as Angular) and JAX-RS
- Work with the daunting number of security APIs in Jakarta EE
- Understand how EE security evolved

Who This Book Is For
Java developers using Jakarta EE and writing applications that need to be secured (every application). Basic knowledge of Servlets and CDI is assumed. Library writers and component providers who wish to provide additional authentication mechanisms for Jakarta EE also will find the book useful.

請參考這本權威性的書籍，了解關於 Jakarta EE Security Spec 的相關知識，其底層官方基礎是 Jakarta Authentication & Authorization。書中討論了 Jakarta EE Security 的實現，例如 Soteria 和 Open Liberty，以及內建模組和 Jakarta EE Security 的第三方模組，例如 Payara Yubikey & OIDC 和 OmniFaces JWT-Auth。

本書討論了 Jakarta EE Security 與 SE 基礎的關聯，並詳細解釋了如何透過 HTTPS 進行客戶端證書驗證、證書的運作方式，以及如何將類似 LDAP 的名稱映射到呼叫者/使用者名稱。書中介紹了一般（網路）安全的最佳實踐，例如不以明文儲存密碼、使用 HTTPS、對資料庫查詢進行輸入清理、編碼輸出，並解釋了各種（網路）攻擊和常見弱點。

書中提供了保護應用程式的實際範例，討論了常見需求，例如讓使用者明確登入、安全地註冊和驗證電子郵件、明確登入以存取受保護的頁面，以及直接前往登入頁面。書中還涵蓋了常見問題，例如在驗證對話框進行一半後放棄，然後再次存取受保護的頁面。





你將學到什麼：

- 了解 Jakarta/Java EE Security 的內容，以及如何開始學習和使用這項技術，應用於當今和未來的企業 Java 應用程式

- 保護應用程式：傳統的伺服器端網頁應用程式（使用 JSF (Faces)）以及基於客戶端框架（例如 Angular）和 JAX-RS 的應用程式

- 使用 Jakarta EE 中眾多的安全 API

- 了解 EE 安全的演進



這本書適合的讀者：

使用 Jakarta EE 並撰寫需要進行安全保護的 Java 開發人員（每個應用程式）。預設假設讀者具備 Servlets 和 CDI 的基本知識。同時，希望為 Jakarta EE 提供額外身份驗證機制的函式庫撰寫者和元件提供者也會發現這本書很有用。

Arjan Tijms was a JSF (JSR 372) and Security API (JSR 375) EG member, and is currently project lead for a number of Jakarta projects, including Jakarta- Security, Authentication, Authorization, and Faces and Expression Language. He is the co-creator of the popular OmniFaces library for JSF that was a 2015 Duke’s Choice Award winner, and is the author of two books: The Definitive Guide to JSF- and Pro CDI 2 in Java EE 8. Arjan holds an MSc degree in computer science from the University of Leiden, The Netherlands. He has been involved with Jakarta EE Security since 2010, has created a set of tests that most well-known vendors use (IBM, Oracle, Red Hat) to improve their offerings, was part of the JSR 375 (EE Security) EG, and has been the main architect of the security API and its initial RI implementation Soteria. Arjan has also written and certified the MicroProfile JWT implementation for Payara. He was mentored by Sun's (later Oracle's) security expert Ron Monzillo. He wrote a large series of blog posts about EE Security that have attracted a lot of views.

Werner Keil is a cloud architect, Eclipse RCP, and a microservice expert for a large bank. He helps Global 500 Enterprises across industries and leading IT vendors. He worked for over 30 years as an IT manager, PM, coach, and SW architect and consultant for the finance, mobile, media, transport, and public sectors. Werner develops enterprise systems using Java, Java/Jakarta EE, Oracle, IBM, Spring or Microsoft technologies, JavaScript, Node, Angular, and dynamic or functional languages. He is a Committer at Apache Foundation, and Eclipse Foundation, a Babel Language Champion, UOMo Project Lead, and active member of the Java Community Process in JSRs such as 321 (Trusted Java), 344 (JSF 2.2), 354 (Money, also Maintenance Lead), 358/364 (JCP.next), 362 (Portlet 3), 363 (Unit-API 1), 365 (CDI 2), 366 (Java EE 8), 375 (Java EE Security), 380 (Bean Validation 2), and 385 (Unit-API 2, also Spec Lead), and was the longest serving Individual Member of the Executive Committee for nine years in a row until 2017. Werner is currently the Community representative in the Jakarta EE Specification Committee. He was among the first five Jakarta EE Ambassadors when it was founded as Java EE Guardians, and is a member of its Leadership Council.

Teo Bais is a Software Development Manager, Scrum Master, and Programmer who contributes to the prosperity of the (software) community in several ways. He is the founder and leader of Utrecht Java User Group, which counts over 2600 members and has hosted over 45 events and amazing speakers (among others, James Gosling, Uncle Bob, and over 20 Java Champions), and is running 3 programs: Devoxx4kids, Speaker Incubator and uJCP. Teo served JSR-385 (JSR of the Year 2019) as an EG Member and was nominated as JCP Participant of the Year in 2019. Teo Bais enjoys sharing his knowledge as a public speaker to help others achieve their goals in career and life.

Arjan Tijms是JSF（JSR 372）和Security API（JSR 375）的EG成員，目前是幾個Jakarta項目的項目負責人，包括Jakarta-Security、Authentication、Authorization和Faces和Expression Language。他是JSF流行的OmniFaces庫的共同創作者，該庫在2015年獲得了杜克選擇獎，並且是兩本書的作者：The Definitive Guide to JSF和Pro CDI 2 in Java EE 8。Arjan擁有荷蘭萊頓大學的計算機科學碩士學位。他自2010年以來一直參與Jakarta EE Security，創建了一套大多數知名供應商（IBM、Oracle、Red Hat）使用的測試，以改進他們的產品，是JSR 375（EE Security）的EG的一部分，並且是安全API及其初始RI實現Soteria的主要架構師。Arjan還為Payara編寫並認證了MicroProfile JWT實現。他的導師是Sun（後來是Oracle）的安全專家Ron Monzillo。他撰寫了一系列關於EE Security的博客文章，吸引了很多觀眾。

Werner Keil是一家大型銀行的雲架構師，Eclipse RCP和微服務專家。他幫助全球500家企業跨行業和領先的IT供應商。他在金融、移動、媒體、運輸和公共部門擔任IT經理、項目經理、教練、軟件架構師和顧問超過30年。Werner使用Java、Java/Jakarta EE、Oracle、IBM、Spring或Microsoft技術、JavaScript、Node、Angular和動態或功能性語言開發企業系統。他是Apache Foundation和Eclipse Foundation的Committer，Babel Language Champion，UOMo項目負責人，並且是Java Community Process的活躍成員，參與了JSR 321（Trusted Java）、344（JSF 2.2）、354（Money，也是Maintenance Lead）、358/364（JCP.next）、362（Portlet 3）、363（Unit-API 1）、365（CDI 2）、366（Java EE 8）、375（Java EE Security）、380（Bean Validation 2）和385（Unit-API 2，也是Spec Lead），並且連續九年擔任執行委員會的最長任期個人成員，直到2017年。Werner目前是Jakarta EE Specification Committee的社區代表。他是Java EE Guardians成立時的前五位Jakarta EE大使之一，也是其領導委員會的成員。

Teo Bais是一位軟件開發經理、Scrum Master和程序員，以多種方式為（軟件）社區的繁榮做出貢獻。他是烏特勒支Java用戶組的創始人和領導者，該組織擁有超過2600名成員，舉辦了超過45場活動和優秀的演講嘉賓（包括James Gosling、Uncle Bob和超過20位Java Champions），並運營3個項目：Devoxx4kids、Speaker Incubator和uJCP。Teo作為EG成員參與了JSR-385（2019年度JSR），並在2019年被提名為JCP年度參與者。Teo Bais喜歡作為公開演講者分享自己的知識，幫助他人在職業和生活中實現目標。