
Spring in Action

Craig Walls and Ryan Breidenbach, Manning Publications, 2005, $44.95, ISBN: 1932394354

Spring is an open source Java framework for achieving many of the same things that are usually achieved with Java EE (Java Platform, Enterprise Edition). Spring is a lightweight framework that can be used when the full Java EE framework is not necessary, but the benefits of Java EE are desired.

Spring in Action consists of three main sections. Part 1 introduces the basic principles of Spring: inversion of control and AOP (aspect-oriented programming). This section advocates decoupling software dependencies and explains the Spring way of dependency injection—that is, how to build a software system from independent components that are configured and wired together at runtime. In every example, the authors stress how to build software according to business needs and leave the technical aspects to the framework, ideally building in such a way that the framework can be exchanged. They explain benefits that only Spring provides and outline when using these features is acceptable.

Another feature of Spring is its use of AOP, which makes it possible to build systems in a framework-agnostic way. Spring’s AOP support is lightweight and concentrates on the essential features of AOP. Of course, some features that a complete AOP framework provides are lost (for example, Spring supports only method joinpoints).

The second part of the book shows how Spring can be used to abstract the database layer in such a way that it is no longer important to know which database access framework is used behind the scenes. Spring can be used with native JDBC (Java Database Connectivity), JDO (Java Data Objects), Hibernate, and several other database frameworks. Again, the Spring techniques of dependency injection are used to inject the database framework and transaction policy of choice. The same techniques are used for accessing remote objects or enterprise services.

The last section discusses the user access layer, in this case the Web. Again, the Web framework can largely be injected into the application, making the business components, and partly the user interface components, independent of the visual framework and even the authentication mechanisms desired.

This is one of those rare books that connect a tutorial for using a certain software product with a plethora of ideas on good software design and design patterns. After reading Spring in Action, I would like to work with Spring to find out whether the principles work as well in practice as I understand them in theory. —Markus Wolf

 

Phishing Exposed

Lance James and Joe Stewart, Syngress Publishing, 2005, $49.95, ISBN: 159749030X  

Successful phishing attacks are based on a mixture of inherent and structural Internet protocol weaknesses and a collection of Web programming hacks. Some recent phishing schemes were well done and show that progress is being made in the underground hacking and criminal communities.

This is a remarkable book on phishing, both for its technical content and high-quality presentation. It begins with an introduction to phishing. Then starting with the second chapter, it gets highly technical: It describes how to set up a phishing server and how to generate spoofed e-mail messages that look legitimate but will in fact induce the victim to disclose important credentials.

Successful phishers commonly exploit security holes in Web applications. The core of this book provides a comprehensive overview of how malicious attackers use cross-site scripting, browser exploits, HTTP manipulation, and DHTML. The author provides many real-world examples, some of which are very surprising, since they concern well-known sites where such vulnerabilities might have impacted a large user population.

Chapter 6, which addresses VoIP phishing, is a must-read. This is the first time that any book has addressed this issue in a technical manner. Because the VoIP business has recently taken off, this issue is sure to be of particular interest in the near future.

I recommend this book to all readers interested in the technical details of phishing attacks. Web developers and Webmasters will get valuable information on how to secure their applications and Web sites, and readers with average technical knowledge will learn the essential background information required to discover a phishing attack and unveil such a scam. —Radu State


Originally published in Queue vol. 4, no. 9








© ACM, Inc. All Rights Reserved.