Hacking Exposed J2ee & Java: Developing Secure Web Applications with Java Technology

This is a very good book on java security that starts pretty much from the ground up so you have to know much about security to read it. The first part of the book starts out with some of the java security basics (classloading, protection domains, etc.) and then goes through the JAAS, JCE, and JSSE modules. The second part of the book goes through how to use security in stand alone java applications and what pitfalls you need to watch out for. The book also details where security is lacking or not mature and what the alternative are.The third section of the book goes through security in the J2EE environment and where the J2EE containers can help out the developers by doing most of the work for them.Overall this book provides a very good overview of security in all the java environments while not requiring previous security knowledge. I highly recommend it.

The book uses an example Java application which is intially very unsecure, and throughout the book the vulnerabilities of the example are discussed and countermeasures are written. Then the application is webenabled, creating new vulnerabilities which are fixed again, and so on. This way the complex material is covered in an easy accessible yet comprehensive way, without becoming lengthy. This book is a must have for any serious Java web developer interested in application security. Not recommended for beginners, though.

This is one of the best books I've read on J2EE security. The recommendations in this book improved my exisiting production applications and development designs.