… and the author of the review, Don R. Hanson II, it’s a legitimate beef:
I feel kind of lonely here; everyone else seemed to love this book. Looking at the table of contents, I was very excited when I started reading the book. However, while reading it cover to cover I slowly became more and more disillusioned with it.
The book is divided up into a number of recommendations, called items, in a manner similar to Effective C++ and Practical Java. The problem is that most of the items appear to fall into one of a few general categories:
Intro level generalities of good design for the web. e.g.
pass data in bulk – multiple asynchronous calls out of process are more expensive than one big call
make deployment as simple as possible – exactly what it says!
use HttpSession sparingly – this is web application design 101
always validate user input – my personal favorite; who today is not validating user input received from the web?
Using a pair of items to represent a classic design best practice. e.g.
Lazy-load infrequently used data & Eager-load frequently used data
Consider using optimistic concurrency for better scalability
Consider using pessimistic concurrency for explicit concurrency control
Re-statements of some of the principles of secure coding, e.g.
Security is a process, not a product
Remember that security is not just prevention, aka "fail securely"
Assume insecurity, aka "grant minimal trust necessary"
Establish a threat model
My copy of this book has long been in the trash. Save your money. Here are a couple of free online articles to get you started:
Secure coding: http://www.securityfocus.com/infocus/1596
Article on stopping SQL injection: http://www.securityfocus.com/infocus/1768
Well, I can’t really deny his implied criticism that the book is too basic for his taste: much like its predecessors, the book is designed to cater to people who’ve not seen many of these ideas before, ideas which long-time architects and developers are probably already familiar with. As a matter of fact, I even make reference in the prologue to the idea that many of these items will likely elicit a "no duh!" reaction from seasoned veterans. But the same was true of Effective C++ and Effective Java (the latter, in fact, elicited some of the same response from me when I first read it; I realized over time that this was because I had already stumbled across a lot of the items in person, and so wasn’t illuminated by it as much as I had been by Effective C++).
In response to some of your comments, such as "who today is not validating user input received from the web?", all I can say is that the OWASP Top Ten security vulnerabilities list pretty much answers that question: XSS attacks, command injection attacks, buffer overrun attacks and others all stem from improperly validated input from the user, so apparently the basic answer is, a lot of people.
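To make the "always validate user input" item concrete, here is an added example (not code from the book, the reviewer, or the linked articles) showing the three defenses that the OWASP items above turn on: an allow-list check on the input's shape, output encoding for the HTML context the value is emitted into, and a parameterized query so the value is never spliced into SQL text. The username policy, the table name and the sample inputs are constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

/**
 * Added example: validating a username field from a web form.
 * Validation and encoding are separate defenses. The allow-list rejects
 * input that does not match the expected shape; encoding makes whatever is
 * accepted harmless in the context it is written into; the prepared
 * statement keeps the value out of the SQL grammar entirely.
 */
public final class InputValidationDemo {

    // Hypothetical policy: 3..32 characters drawn from letters, digits, '.', '_' and '-'.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    /** Allow-list check: true only when the whole input matches the policy. */
    public static boolean isValidUsername(String input) {
        return input != null && USERNAME.matcher(input).matches();
    }

    /** Escapes the five characters that change meaning in HTML text and attribute contexts. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Looks up a user by name. The value is bound as a parameter, so a quote
     * or keyword inside it is data, not SQL. (Table name is a constructed example.)
     */
    public static PreparedStatement findUser(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed, one XSS-shaped, one SQL-shaped.
        String[] samples = { "alice_01", "<script>alert(1)</script>", "bob' OR '1'='1" };
        for (String s : samples) {
            System.out.println("input=" + s
                    + " valid=" + isValidUsername(s)
                    + " escaped=" + escapeHtml(s));
        }
        // Only "alice_01" passes isValidUsername; the other two are rejected before
        // they reach findUser, and escapeHtml neutralizes them if they are echoed back.
    }
}
```

The point the item makes is that each layer covers a failure of the others: a field the allow-list lets through (say, a free-text comment) still needs encoding on output, and a value that is never displayed still needs to be bound rather than concatenated when it reaches the database.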
But to address the basic issue, I formally call to anyone who thinks EEJ is too basic to email me the kind of items they’d like to see for a "More Effective Enterprise Java", in case A-W and I decide to produce said follow-up volume.