RE: Security of .Net versus Java

From: kvinde (kvinde_at_discussions.microsoft.com)
Date: 11/08/04


Date: Mon, 8 Nov 2004 09:29:08 -0800

Java is only the programming language. Therefore I guess your question is:
the fundamental differences concerning security between J2EE and .Net.
As I see it J2EE has one well described security-framework/architecture
whereas .Net has many depending on your enterprise architecture.

In J2EE the web-server and app-server provide a container (your
application runs within that) which takes care of many security issues. As an
application developer you don't need to do a lot of coding yourself.
E.g. using XDoclet you write as a comment above the method or class
definition (for your EJB) which roles are allowed to access this class or
method and the container automatically checks whether the logged on user
belongs to this group/role.
Using BEA's WebLogic J2EE server there exists a UserRealm where the
administrator can define users and groups. You can 'easily' define your own
Realm and plug it into the WebLogic Server and/or plug in ActiveDirectory.
No matter whether the user is logged on to AD or WL or to your own
AuthenticationServer (known by WebLogic) the container will check access and
deny if the user does not exist and have the correct role in any of the
(plugged-in) realms.

In .Net you have to do a lot of coding yourself. You can use 'MS
Authorization and Profile Application Block' combined with 'AzMan'
(Authorization Manager). Define 'Attributes' and place these above the
methods and/or classes to restrict access (reflection). If you have users
logged on to AD or externally or application Form-based and if your
applications are using both .Net remoting and Web services you have to do a
lot of coding.

"Stephen Goodridge" wrote:

> Hi,
>
> Can anyone explain to me the fundamental differences between java and .Net
> and what the pros and cons of each are or point me to a recent resource
> which discusses these issues?
> Thanks
> Stephen
>
>
>
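
An added illustration of the declarative model described in the reply above (not code from the thread, and not WebLogic's or XDoclet's API): roles are declared on the method, and a wrapper standing in for the container checks the caller against every plugged-in realm before the call goes through. It uses Java annotations and a dynamic proxy rather than XDoclet comment tags; `AllowedRoles`, `Realm`, `Payroll` and `secure` are hypothetical names, the realms are constructed sample data, and denying methods that carry no declaration is a choice made for this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class DeclarativeRolesDemo {
    // Hypothetical stand-in for the role declaration the container reads.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface AllowedRoles { String[] value(); }

    // A realm maps a user name to roles; an empty set means "user unknown here".
    interface Realm { Set<String> rolesOf(String user); }

    interface Payroll {
        @AllowedRoles({"hr", "admin"}) String readSalary(String employee);
        String ping();                       // no declaration: denied by default
    }

    // The "container": wraps the bean and checks the caller before each call.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> api, T bean, String caller, List<Realm> realms) {
        InvocationHandler h = (proxy, method, args) -> {
            AllowedRoles decl = method.getAnnotation(AllowedRoles.class);
            Set<String> held = new HashSet<>();
            for (Realm r : realms) held.addAll(r.rolesOf(caller));   // union over realms
            if (decl == null || Collections.disjoint(held, Arrays.asList(decl.value())))
                throw new SecurityException(caller + " denied on " + method.getName());
            try { return method.invoke(bean, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(api.getClassLoader(), new Class<?>[]{api}, h);
    }

    public static void main(String[] a) {   // needs Java 9+ for Set.of / List.of
        // Constructed sample realms standing in for a directory and a custom store.
        Realm directory = u -> u.equals("alice") ? Set.of("hr") : Set.of();
        Realm custom    = u -> u.equals("bob") ? Set.of("guest") : Set.of();
        Payroll bean = new Payroll() {
            public String readSalary(String e) { return "salary(" + e + ")"; }
            public String ping() { return "pong"; }
        };
        for (String user : List.of("alice", "bob", "mallory")) {
            Payroll p = secure(Payroll.class, bean, user, List.of(directory, custom));
            try { System.out.println(user + " -> " + p.readSalary("carol")); }
            catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

The business method contains no access check of its own: alice is admitted through the directory realm, bob is known but lacks a matching role, and mallory is unknown to every realm.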


