
to author

Mary Wallace
Ranch Hand

Joined: Aug 25, 2003
Posts: 138
When I checked the reviews in amazon, Thomas Paul quoted that
This book is a nice, general, "white paper" type overview of security in Java. The authors demonstrate a good, solid understanding of J2EE security. However, they don't provide enough in the way of actual implementation examples. I feel this is a major shortcoming of the book.
What is your comment regarding this?
Marco Pistoia
Author
Greenhorn

Joined: Apr 19, 2004
Posts: 27
Thank you for pointing me to that review. Thomas Paul reviewed a draft of the book about one and a half years ago when we were still writing big parts of the book. He was hired by Addison-Wesley. Since his review, the book changed completely. New chapters were added with tons of sample code. He probably never saw those chapters and copied and pasted on amazon.com, word by word, the review he made for Addison-Wesley more than a year ago.
J2EE access control is mainly declarative. So in the first chapters, the ones that talk about the architecture of J2EE security (those initially reviewed by Thomas Paul) we did not put so much code, but we did put lots of XML fragments showing what the deployment descriptor should look like.
Parts III and IV of the book are where a lot of sample code is. For example, the chapters that cover the architecture of J2SE security, JAAS, JCA and JCE, and JSSE are FULL of sample code and comparing them to a white paper is simply misleading. I am afraid that Thomas Paul never saw those chapters, otherwise he could not say that the book resembles a white paper.
But let me present fact rather than words: I have just looked throughout the whole book and counted sixty-eight code examples. I am talking about Java code, not XML or HTML code (we have that too, of course). In some cases, one single program reaches even 5 pages of length. Have you ever seen anything like that in a white paper?
Thanks,
Marco Pistoia


Marco Pistoia, Ph.D.
http://www.research.ibm.com/people/p/pistoia/
Marco Pistoia
Author
Greenhorn

Joined: Apr 19, 2004
Posts: 27
Oh, I forgot. Three more people have reviewed the book on amazon.com. Their opinion was not influenced by reading very early drafts of the book. Their comments were very positive. They defined the book as "A solid resource" (review with 4 stars posted on 3/21/2004) and "The BEST book on Java/J2EE security" (review with 5 stars posted on 4/20/2004). I hope you have a chance to read this book yourself and tell me your own opinion about it.
Thank you again,
Marco Pistoia
Mary Wallace
Ranch Hand

Joined: Aug 25, 2003
Posts: 138
Hi Marco,
Thanks for your update. When I want to buy a book I always read the reviews and then only decide to buy or not. That is the reason I asked the question.
I presume that your update will benefit others.
I will surely read your book and will post my opinion. Thanks again.
Marco Pistoia
Author
Greenhorn

Joined: Apr 19, 2004
Posts: 27
Hi Mary,
One of the reviewers (ranked as one of amazon's top reviewers) wrote:
"In conclusion, this is the best book I have ever read dealing with the topic of security. This is also the best Java security book and is a very comprehensive guide to anyone working with Java. This book belongs in every developer's bookcase and he/she really needs to understand these concepts. If you are looking for a book that overwhelms you with code, this is not it. Instead this is a great tutorial book that uses Java code where appropriate but relies on great writing and explanation of the security framework and components. I highly recommend this book and I know this is going to be handy reference for me."
Additionally, I wanted to mention that this book is not only for Java developers, but for architects and researchers as well. That's why we even have a chapter that describes the mathematical details of the cryptographic algorithms, including RSA, Diffie-Hellman, and the elliptic curve. Thomas Paul, in his amazon review, criticized the fact that we covered the elliptic curve algorithm, but again, researchers and architects may want to know what are the pros and cons of each algorithm before deciding which one should be used. People who are not interested may just skip that chapter.
Thanks again,
Marco Pistoia
 