Mediocre - Monday, January 31, 2005
I was looking for a book to cover the JAAS API and kerberos with examples. Very little of the book addressed that. The book seems mostly to cover the theory, and in that light it rambles on and is confusing. If you're the type who buys lots of books, this one might serve to connect some dots. If you buy few books, I doubt this one will help.
0 out of 1 people found the following review helpful:
Cut & Paste? - Tuesday, September 14, 2004
This book has some of the same code from an earlier book titled the "Java Security Handbook". Doesn't give me much comfort in the author's abilities.
1 out of 1 people found the following review helpful:
Lousy at best - Monday, April 12, 2004
1 star because one can't give a rating lower than that. The authors do a good job of repeating trivial stuff over and over again. But when it comes to algorithmic or mathematical treatment of the subject, they seem to be at their wit's end. Consider this: according to the authors, 2^56 + 2^56 = 2^112. Basic mathematics knowledge would have been sufficient to calculate the above, i.e. 2^56 + 2^56 = 2*2^56 = 2^57.
I think now one can start judging the faith one can have in the authors and the book. The authors make it apparent in the first few chapters itself that one should not expect any sensible treatment of the topic. I would recommend this book to all those who have never experienced frustration in life and are looking for a first-hand experience.
12 out of 13 people found the following review helpful:
Too inaccurate to be useful - Monday, January 27, 2003
I was looking forward to this book, because it had five stars. I got it and thumbed through it, and immediately started finding tons of errors, particularly in the cryptography sections. And, I'm not talking typos, I'm talking problems that show a serious lack of understanding about crypto on the part of the authors. For example, just in the symmetric crypto section, the discussion on ciphers is very poor and often wrong (and where's the discussion of CTR mode, which is now standard and held in high regard by cryptographers... and what about AES, especially considering this book came out in 2002). But the thing that took the cake for me is the discussion on stream ciphers on page 259. It is so absolutely wrong it's not funny.
This is a very big deal, because this book essentially gives you a loaded weapon pointed right at yourself and invites you to pull the trigger, without telling you to turn the thing around. It would be very easy to build code with insecure crypto based on this book. However, if you aren't already an expert in the area, you probably will not realize that you've got good odds of shooting yourself. I can definitely understand why this book had previously gotten good ratings, despite being very poor.
This book is really out of touch with what developers need in terms of secure programming. For example, it doesn't do a very good job of showing you how to add crypto to your apps in a SECURE manner (it doesn't talk about how to COMBINE a MAC and a block cipher in a secure way, which is awfully hard to do... in fact, the author doesn't really understand what a MAC is). Instead, it focuses a bunch of energy on how to implement basic services that are already available in any decent crypto provider. Crypto is hard enough that exposing the low-level stuff without adequately putting it in the context of how to apply it securely is ridiculously dangerous.
More than a regurgitation of the documentation - Monday, December 16, 2002
This is the third Java Security book that I have read. The first two left me wondering about why I would apply a technology. This book covers all the standards and APIs for implementing security in a Java based environment, but it adds the element of why and when to apply a particular strategy. The Heltons have described many different types of attacks and what you can do to combat them by using the strategies outlined. I found that much more useful than a regurgitation of specs, standards, and APIs.
This book also has details, with code, of cryptographic algorithms and key exchange algorithms, and describes the strengths and weaknesses of all of them. Really detailed.
This book covers all the bases. It could be used as a reference manual, a text on Java Security, or a handbook for an IT Security Manager. I'm keeping it right by my keyboard.