Further Reading

Definitive and comprehensive information about Servlets and JavaServer Pages, including security-related details, can be found in the Servlet and JavaServer Pages specifications, available from http://java.sun.com. These topics have also been thoroughly covered in a number of books. Most notable among these are Java Servlet Programming by Jason Hunter and JavaServer Pages by Hans Bergsten, both published by O'Reilly.

The open source J2EE Web container Apache Tomcat includes a good amount of documentation in the form of various HOW-TO guides. Among these, the most relevant ones for security are: Realm HOW-TO, SSL Config HOW-TO and Security Mgr. HOW-TO. You can also tap into the highly active Tomcat open source community to get answers to more specific questions by subscribing and posting to the Tomcat users mailing list [email protected].

A good source of information on common Web application vulnerabilities and the modus operandi of attackers is Hacking Exposed: Web Applications, a book by Joel Scambray and Mike Shema. It includes detailed and graphic descriptions of real exploits and numerous tips on how to protect Web applications. Along the same lines is A Guide to Building Secure Web Applications, prepared by the Open Web Application Security Project (OWASP) and accessible online at http://www.owasp.org.
