Chapter 1. Secure Web Applications
Threats and Attack Vectors
Server, Network, and Browser Vulnerabilities
Secure Design Principles
GET vs. POST
Container Authentication and Authorization
HTML Forms
Privacy Under /WEB-INF
HTTP and HTTPS
Other Cryptographic Practices
SOA and Web Services
The OWASP Top 10
Chapter 2. Authentication and Authorization
HTTP BASIC and DIGEST Authentication Schemes
Declaring Security Constraints
User Accounts
Safeguarding Credentials in Transit
Replay Attacks
Authorization over URL Patterns
Roles
FORM Authentication
Login Form Design
EJB Authorization
Programmatic Security
Programmatic Security in JSF
Chapter 3. Secure Application Design
Single Points of Decision
Cross-Site Scripting
Validation vs. Output Escaping
Forceful Browsing
Cross-Site Request Forgery
Request Tokens
Injection Attacks
Protections in JDBC and JPA
Session Management
Taking Care of Cookies
Validating User Input
Validation Practices
Regular Expressions
JSF Validation
Chapter 4. HTTPS and Certificates
Digital Cryptography
Encryption
SSL and Secure Key Exchange
Hashing
Signature
Keystores
Keytool
Why Keys Are Not Enough
X.509 Certificates
Certificate Authorities
Obtaining a Signed Certificate
Configuring HTTPS
Client-Side Certificates and Two-Way SSL
PKCS #12 and Trust Stores
CLIENT-CERT Authentication
Chapter 5. Application-Level Cryptography
The Java Cryptography Architecture
Secure Random Number Generation
The KeyStore API
The Signature Class
The SignedObject Class
The MessageDigest Class
The Java Cryptography Extensions
The SecretKey and KeyGenerator Types
The Cipher Class
Choosing Algorithms and Key Sizes
Dangerous Practices
Chapter 6. Secure Development Practices
Secure Development Cycle
Error Handling and Information Leakage
Failing to a Secure Mode
Logging Practices
Appropriate Content for Logs
Auditing
Strategies: Filters, Interceptors, and Command Chains
Penetration Testing
Back Doors
Appendix A. Learning Resources