Book review: IBM WebSphere Application Server v7.0 Security
From Jacek Laskowski - Wiki Projektanta Java EE
IBM WebSphere Application Server v7.0 Security by Omar Siliceo (Packt, February 2011)
Ups and downs, with the latter predominating over the former
I found the announcement of the "IBM WebSphere Application Server v7.0 Security" book in the WebSphere SME's group on LinkedIn and asked Packt for a review copy. They graciously provided one and I dived into reading it.
I'm an IT Specialist for the IBM WebSphere product family who has worked for IBM Poland for over 5 years now. I'm not a security specialist, and I doubt I'll ever be, but I have been constantly exposed to security issues with IBM WebSphere Application Server since version 6.1. The security concepts have always lagged behind. I felt I needed to renew my efforts to get the necessary security skills reinforced. And the book's title seemed to promise it.
The book has 280 pages split into 11 chapters that aim at "building strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini projects." (from "Preface", page 1). Well said; it caught my attention even more.
The author, Omar Siliceo, "is currently Senior WebSphere Suite consultant" (from "About the Author"), and his experience (he seems to have been an IBMer, too), together with the book's reviewers, who were also IBMers working with IBM WebSphere AS, guaranteed a good understanding of the topic (not necessarily of its reading!). The reviewers include Domenico Cantatore, who's a senior IT Specialist in IBM Software Group in Dublin, and Jose Mariano Ruiz Martin, who is an IT Specialist in IBM Spain. With three experienced IBMers engaged in the book writing project, I was quite assured I could finally delve into WAS7's security topics in an organized manner.
But I was disappointed quite often, likely because of the title and Preface, which raised my expectations very high. The book had ups and downs, and although the time I spent reading the book was way too long, I could find many places that ultimately filled the bill. The book requires a lot of patience to read from cover to cover, and I don't think it's the kind of book to read in one sitting. I believe it reads fine when a single chapter is picked for a single go.
It's a book about IBM WebSphere Application Server Network Deployment version 7.0 and according to "Who this book is for" it's for "a system administrator or an IT professional who wants to learn about the security side of the IBM WebSphere Application Server v7.0[...] You do not need any previous experience in WebSphere Application Server". Sorry, but I can't agree with that. The use of the "node", "WebSphere cell", "DMgr", "deployment manager", "synchronizing nodes" and "node agent" vocabulary in a WAS7 book before they're explained was not (and could not have been) accidental, and despite the claim that the book is not aimed at people who already have some experience with WAS7, it proved otherwise many times.
At some point you'll realize that the book assumes you have already created a fully functional WAS environment with a Dmgr and a federated server. Don't expect it to be explained, though; it's not. Could it be that the number of pages constrained it a bit? I don't think so, since there are many pages that should not have existed at all. It turns out that the book lacked clear planning of its structure and of how to introduce a reader to it. Take Chapter 5, which paid too much attention to developing a very "primitive" (page 166) MVC-based portal application and explained the gory details of JSP files (even though they violate the rule of not including Java snippets within JSPs). Or take the application as a sample to explain EJB security? If the author meant to bore readers to death, he scored very high. Oracle's Java EE 5 tutorial would've done a better job for such learnings.
You'll eventually reach page 156, where it reads: "As stated before, the author is not a developer, so there may be better ways to code the JSP file to avoid the caching side effect". He couldn't have been more right.
Another example of wasting pages on unnecessary stuff? Take Chapter 1. I read it twice before finally figuring out that I should not have. I'm still uncertain what the author tried to get across. It's an architectural overview of WAS7, but it's incomplete (as far as its features go, esp. the so-called "flexible management topology") and not very focused on WAS7. I doubt the book would diminish substantially in value if the chapter were removed. Ditch it to save time.
I could not understand why "the second major component [...] is the implementation of a JVM" (page 13). The author has freely used the term "a WebSphere JVM" for "WebSphere Application Server", and although I could agree with its principles, a JVM is not a Java EE application server. Neither is it "a messaging engine" (page 13). Note that it's a book about WAS7 and these terms have their well-known meaning for WebSpherians.
There are many "hows" and too few "whys" with their explanations. It's not clear why we set up SSO before enabling administrative security. Why is only a simple user name supplied to log into the system? How come we use LDAP and only wasadm is given, not the FQDN?! The book remained silent about it. Alas, there were more questions left unanswered. Take another example: the LDAP server in this book is Sun Java System Directory Server, but there are no steps on how to install and configure it. I'd have liked some introductory pages about it.
It's not that the book had only downs. There were ups, too. They ultimately made the reading bearable and worth the time.
The security concepts were introduced with fictitious scenarios or corporate standards, and almost every chapter began with a real-life story that I found compelling and helpful for getting a point across. The author made sure that the material was presented in a friendlier manner, with references to daily activities. The author seems to have gained a lot of experience in his career, and it often sprang from the pages. Real-life examples introduced the world of WAS parlance very well. The writing style was often humorous, and so I kept my faith in further reading till the very end.
Typos in the text as well as in the commands were annoying and reminded me to be very careful to take all this with a pinch of salt. You should, too! Jython was used for the administration scripts, but the author insisted on specifying the -lang jython command-line parameter to wsadmin, while setting it in the properties files would be preferable. Wasn't the aim of the book to introduce WAS7 to newcomers? Such tips might help a lot!
Why didn't Chapter 5 provide wsadmin scripts to create users and groups, or at least to check their existence? Should that be acceptable in a book like this? I don't think so. The same goes for the figures. They could've been better drawn. They're too small and don't invite study. There were a few figures and diagrams, but they're hardly informative. Why did the application name have to change to match the DataSource? (page 71) Not explained. Assumed known?!
The book was often too focused on theory, not practice. There seems to be a gradual shift towards this kind of explaining of WAS7's security.
Wait! Wasn't I supposed to provide the ups? It's not such a tough task, after all.
Chapter 4, on configuring SSL, was excellent. Much was explained. A complete procedure for configuring SSL for LDAP communication is described. It's accompanied by many screenshots, so people who are tasked with performing it shouldn't be concerned about its complexities. The book encouraged the habit of creating separate virtual hosts and security domains for different webapps. I'm getting used to it and liked the idea greatly. I learnt about the policy of a clean split between the executables, configuration, and log files of WAS on different file systems. I liked the scheme so much! I had only a vague understanding of its benefits before. I've never bothered myself with the ports WAS listens on, but having read Chapter 9 I will. Changing them doesn't cost much, as the book showed, but may introduce a clear structure for different WAS environments: prod, uat or test. The book put much focus on silent installations with response files. Finally, the book concluded with a chapter that was packed with useful tips I'm going to use in my WAS7 assignments.
And again, back to the downs.
On page 160, an EJB was accessed via InitialContext.lookup(), not @EJB. Oh, how could it have slipped through the review process?! I think it's unfortunate that the pages about application development were added to the book at all. The aim of the book was security, not the development of a very primitive portal application. I wish Chapter 8 had presented a few more hands-on samples of using the security concepts with ready-to-use sample applications.
In the "JDBC: WebSphere-managed authentication" section I could read about "brief general descriptions of a concept (...) using one or two of the most popular databases used in a WebSphere v7 environment." (page 180) Guess what, besides Oracle and DB2, Sybase was mentioned. Is Sybase "one of the most popular database"? Really? Contrary to the book's main concept of WAS7 security, the section presented how to define a JDBC provider and DataSource for a database with no security. Too bad.
Netegrity SiteMinder was presented, but I was hoping to learn IBM Tivoli Access Manager instead. I missed that.
The book needs more practical tips for WAS7 itself, not its entire hosting environment. I missed the bits that delve into the intricacies of IBM WebSphere Application Server V7's security layer. I'm thus still on the lookout for a serious book about WAS7 security.
