Transcript Day1.4.ppt

Java Vs .Net
Presented By,
Naveen Kumar Ratkal
Outline
CLR VS JVM
Java Byte Code and MSIL
Comparing the stacks
Major security vulnerabilities reported
Java Authentication and Authorization service (JAAS)
Class file and Cs file
Security features Comparison
Java or .Net
JVM vs. CLR
JVM designed for platform independence
Single language: Java (?)
A separate JVM for each OS & device
CLR designed for language independence
Multiple languages for development
C++, VB, C#, (J#)
APL, COBOL, Eiffel, Forth, Fortran, Haskell, SML, Mercury, Mondrian, Oberon, Pascal, Perl, Python, RPG, Scheme, SmallScript, …
Impressive usage of formal methods and programming language research during development
Underlying OS: Windows (?)
CLR vs JVM
[Diagram: C#, VB .Net, Managed C/C++ and lots of other languages compile to MSIL, which runs on the CLR (Security, Runtime Services) on the Windows OS. Java compiles to Byte Codes, which run on the JRE (JVM) (Security, Runtime Services) on Mac, Win, Unix and Linux.]
Both are ‘middle layers’ between an intermediate language & the underlying OS
Java Byte Code and MSIL
Java byte code (or JVML) is the low-level language of the JVM.
MSIL (or CIL or IL) is the low-level language of the .NET Common
Language Runtime (CLR).
Superficially, the two languages look very similar.
JVML:
iload 1
iload 2
iadd
istore 3
MSIL:
ldloc.1
ldloc.2
add
stloc.3
Comparing the stacks
[Diagram: the two stacks side by side, layer by layer.]
.Net stack: Visual Studio.net; C#, C++, VB, Perl, Python, …; ASP.Net; ADO.NET; Base Class Library; CLR; MSMQ, COM+, IIS, WMI, AD, ADAM, Indexing, UDDI, etc.; Win32
Java stack: Websphere Studio, BEA Weblogic, Eclipse, …; Java; JSP, Servlets, Struts; JDBC; JMS; J2EE Class Library; Java runtime; J2EE App Servers (Websphere, Weblogic, Tomcat, etc.); Apache; Win32, Unix, Linux
Major security vulnerabilities reported
One of the bugs: CVE-2000-1061 - execute arbitrary commands via a malicious web page or email
Java Authentication and Authorization service (JAAS)
Verifies that a user is a subject and grants the user certain principals: "who you are."
The JAAS authentication component provides the ability to check
who is currently executing Java code, regardless of whether the code
is running as an application, an applet, a bean, or a servlet.
Class file and Cs file
With almost every form, we write a cs file which handles the
events.
.class files do the same thing in a Java web application, where they are placed in the WEB-INF classes folder.
Security features Comparison
Cryptography
.Net: Good. Heavily relies on Windows.
Java: Good. All providers are to be signed by the CA; architecture dedicated to the US law.
Security features Comparison (contd.)
Secure Communication
.Net: Fair
Java: Very Good
Platform
.Net: No support besides IIS, some samples available
Java: JSSE as a standard component of JDK
Web Services
.Net: Up to date support of WSA
Java: Only supported by external vendors
Choosing between Java and .Net
The ultimate choice usually depends not on technical superiority, but
on:
cultural/"religious"/political preferences
Skill set of your developers
Customer preference
Vendor relations