Java Vs .Net Presented By, Naveen Kumar Ratkal


Page 1

Java Vs .Net

Presented By,

Naveen Kumar Ratkal

Page 2

Outline

CLR VS JVM

Java Byte Code and MSIL

Comparing the stacks

Major security vulnerabilities reported

Java Authentication and Authorization service (JAAS)

Class file and Cs file

Security features Comparison

Java or .Net

Page 3

JVM vs. CLR

JVM designed for platform independence

Single language: Java (?)

A separate JVM for each OS & device

CLR designed for language independence

Multiple languages for development

C++, VB, C#, (J#)

APL, COBOL, Eiffel, Forth, Fortran, Haskell, SML, Mercury, Mondrian, Oberon, Pascal, Perl, Python, RPG, Scheme, SmallScript, …

Impressive usage of formal methods and programming language research during development

Underlying OS: Windows (?)

Page 4

CLR vs JVM

[Diagram: two parallel stacks, listed top to bottom]

.Net: C#, VB.Net, Managed C/C++, lots of other languages; MSIL; CLR (Security, Runtime Services); Windows OS

Java: Java; Byte Codes; JRE (JVM) (Security, Runtime Services); Mac, Win, Unix, Linux

Both are ‘middle layers’ between an intermediate language & the underlying OS

Page 5

Java Byte Code and MSIL

Java byte code (or JVML) is the low-level language of the JVM.

MSIL (or CIL or IL) is the low-level language of the .NET Common Language Runtime (CLR).

Superficially, the two languages look very similar.

JVML:
    iload 1
    iload 2
    iadd
    istore 3

MSIL:
    ldloc.1
    ldloc.2
    add
    stloc.3

Page 6

Comparing the stacks

[Diagram: the .Net and Java stacks side by side, listed top to bottom]

.Net: VB, C++, C#, Perl, Python (Visual Studio.net); ASP.Net; ADO.NET; Base Class Library; CLR; MSMQ, COM+, IIS, WMI, AD, ADAM, Indexing, UDDI, etc.; Win32

Java: Java (BEA Weblogic, Websphere Studio, Eclipse); Struts; JSP; Servlets; JDBC; J2EE Class Library; Java runtime; J2EE App Servers Websphere, Weblogic, Tomcat, etc.; JMS; Apache; Win32, Unix, Linux

Page 7

Major security vulnerabilities reported

One of the bugs: CVE-2000-1061 - execute arbitrary commands via a malicious web page or email

Page 8

Java Authentication and Authorization service (JAAS)

Verifies that a user is a subject and grants the user certain principals: "who you are."

The JAAS authentication component provides the ability to check who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet.

Page 9

Class file and Cs file

With almost every form, we write a .cs file which handles the events.

.class files do the same thing in a Java web application; they are placed in the WEB-INF/classes folder.

Page 10

Security features Comparison

Cryptography

.Net: Good. Heavily relies on Windows.

Java: Good. All providers are to be signed by the CA; architecture dedicated to the US law.

Page 11

Security features Comparison (contd.)

Secure Communication

.Net: Fair. Platform: no support besides IIS, some samples available. Web Services: up-to-date support of WSA.

Java: Very Good. Platform: JSSE as a standard component of JDK. Web Services: only supported by external vendors.

Page 12

Choosing between Java and .Net

The ultimate choice usually depends not on technical superiority, but on:

Cultural/"religious"/political preferences

Skill set of your developers

Customer preference

Vendor relations
