290 likes | 386 Views
Microsoft .NET Initiative. CSE 333 Fall 2002. Keith Bessette Hardik Dav é Jaladhi Mehta. Introduction and Overview. What is .NET ? History and Evolution of .NET What is .NET made up of ? Scope of the paper .NET languages and Java Database Connectivity using .NET.
E N D
Microsoft .NET Initiative CSE 333 Fall 2002 Keith Bessette Hardik Davé Jaladhi Mehta
Introduction and Overview • What is .NET ? • History and Evolution of .NET • What is .NET made up of ? • Scope of the paper • .NET languages and Java • Database Connectivity using .NET. • Security Issues Concerning .NET and Java • Interoperability: Middleware and Languages
.NET Languages • Supported Languages in .NET • C# Background C# VS. Java
C# vs. Java – Differences and Similarities • Class Hierarchies • Both have single rooted class hierarchies System.Object and Java.lang.object • Both classes have methods sharing some similarities and difference • Execution Environment • JAVA compiled to bytecodes which are interpreted or natively compiled and run in managed exec envt JVM • C# code gets compiled to IL which runs in CLR C# code is never interpreted, it is always natively compiled C#’s IL is more type neutral
C# vs. Java – Differences and Similarities (Continued) • Object Creation • In JAVA objects are Heap based • In C# objects are Heap based as well as Stack based (called value types) • NameSpaces • In JAVA packages reflect the physical directory layout • C# has complete separation of physical packaging and logical naming
C# vs. Java – Differences and Similarities (Continued) • Access Modifiers • Serialization and Documentation • C# supports XML format as well as binary format for serialization while Java only supports binary format by default. • JAVA uses Javadoc while C# uses XML for documentation
C# vs. Java – Differences and Similarities (Continued) • Deterministic object cleanup • C# supports dispose() method • C++ like destructors without memory allocation woes Best of both worlds • Pointers and unsafe code • C# can have pointers when it is running in unsafe mode • Program must have full trust granted earlier • Unsafe keyword, /unsafe compiler switch • Fixed keyword to avoid the garbage collector moving the variable during the mark and collect algorithm phase
C# and interoperability • Platform interoperability • How C# and JAVA run on various platforms • JAVA is a single language platform • C# supports multiple languages as long as they conform to CLS • JAVA has better portability for various o/s and platforms • C# currently runs on only windows platforms • .NET platform files complied to PE files
C# and interoperability • Standards Interoperability • How both languages access standards like database systems, graphics library, etc.? • C# and JAVA both don’t scale too well due to Microsoft and Sun’s business motivations • C# has been submitted to ECMA to derive to a standard • .NET is sort of an open platform
C# and interoperability • Language interoperability • Level and ease of integration with other languages • JAVA supports language interoperability through JNI, CORBA • .NET has language independence • .NET supports any languages as long as they conform to CLS and CTS
Database Connectivity • Database connectivity in .NET • Different APIs for connecting to the Database. • JDBC was introduced by Sun Microsystems in 1996 • History of ADO and JDBC.
Presentation Tier Windows Forms MyApp.Exe DataSet Business Tier Data Tier InternetIntranet Web Forms Data Object (Class) IE Data Adapter DataSet XML DataSet Data Adapter Business to Business (BizTalk, for example) ADO.NET Architecture • Three Level Architecture • XML and DataSet as objects of interaction
ADO.NET Architecture • Three Layers of Architecture • RecordSets, Statements – Connection and DriverManager
DataSet DataTableCollections DataTable DataRowcollection DataColumncollection ConstraintCollection DataRelationCollection Fig 4.3 ADO.NET DataSet Offline DB Access • Primitive offline DB access using ResultSets in JDBC • Complete offline access in .NET using DataSets • ADO.NET’s DataSet Architecture • DataSet functionality • XML as a method of choice.
.NET developed Application SQL DB Oracle DB XML XML Interoperability with XML • ADO.NET’s powerful support for XML • XML functions in DataSets and ADO.NET • Oracle’s support for XML
Security Issues concerning .NET and Java • Secure development and execution environments • CBAC: permission for code to access resources • RBAC: permission for users/roles to access resources • Code verification and execution: semantics, bytecode, safe execution environment • Secure communication: pass data/messages securely • Code and data integrity: no unauthorized code modification, cryptography
Code Based Access Control • CBAC is the security that allows and prevents a piece of code to access resources • Evidence Based Security, Permissions, Security Policy • CLR reviews evidence of an assembly • Determines identity from evidence • Looks up and grants permissions based on the security policy for that assembly identity
Evidence Based Security • The CLR examines assemblies to determine their origin • CLR looks at metadata for: • where the code originate • creator of the assembly • URL and zone the assembly came from • CLR verifies the association of metadata w/ an assembly
Permissions • Permission: assigned to a piece of code, the allowance to execute a certain method or access a certain resource • Assemblies request permissions to execute, and the CLR answers at runtime • Permissions are grouped into sets w/ the same level of security and trust • Assembly from Internet zone maybe granted Internet permission set for untrusted code
Security Policy • SP is set by an admin to make permission decisions for assemblies and domains • Three policies: Total Enterprise, Machine executing code, Requesting User • Any policy file may partially restrict permissions of another policy file • SP groups code into hierarchal categories based on identity determined by the CLR • SP determines permissions for assembly after code is grouped and categorized
Java CBAC vs. .NET CBAC • Permissions are grouped into protection domains and associated w/ groups of classes • Permissions are grouped into sets and assoc w/ code groups • Classes are grouped by their origin like Code is categorized by assembly’s zone • No Security Manager by default in Java • J2EE has 2 SP types: executing machine & requesting user • .NET provides a lot of standard permissions • Stronger credentials needed for permissions in .NET (evidence) • SP files are more configurable in Java, but doesn’t help w/o all perm sets
Role Based Access Control • .NET applies ‘Principal’ term to role membership • .NET uses many plug-in authentication modules • Windows: windows apps using Security Support Provided Interface • Passport: Microsoft implemented centralized authentication service • Form based: HTML logon form from ASP.NET; identity cookies • IIS Server: built in mechanisms like Basic, Digest, X.509 certs w/SSL • Impersonation: allows a user to use another identity to access another application
Java RBAC vs. .NET RBAC • .NET supports both imperative and declarative role permission checking • Java servlets provide declarative checking at the servlet level • EJB’s provide declarative checking down to method level • JAAS provides imperative checking within method level • .NET flexibility is limited severely • IIS is only supported server of .NET framework • Passport requires users to be members of Microsoft Passport service
Code Verification and Execution • Prevent system weaknesses exposure by application errors; malicious or not • .NET and Java perform security checks during code execution • Stack integrity, bytecode structure, buffer overflows, semantics • Application Domains have static boundaries • Protection Domains have dynamic boundaries • All security checks to verify code are done on managed code • Both .NET and Java allow unmanaged code to bypass the CLR and JRE
Secure Communication • Secure Communications are done at the application level • Both platforms support SSL and TLS • .NET apps can use Windows SSPI and IIS • Java provides Java Secure Sockets Extensions (JSSE) • JSSE is very flexible, can be configured easily for RMI
Secure Code and Data Protection • .NET uses Windows Crypto API • Java Crypto Extensions (JCE) and Java Crypto Architecture (JCA) • Signed distribution files are necessary for source verification • .NET uses strong named assemblies signed with an RSA keypair • Java’s JAR files are sealed and each class is signed • Java’s manifest files don’t require version info • Once again .NET is tied to Windows so Java is more flexible • Crypto algorithms are based on published standards
Middleware Interoperability: COM • .NET can access COM client as COM can access a .NET client • Runtime Callable Wrapper (RCW) wraps the COM object • COM Callable Wrapper (CCW) wraps the .NET object • System.Runtime.InteropServices.ComVisible limits what COM client can call
Middleware Interoperability: .NET Remoting vs. RMI • .NET creates ‘Channels’ to remotely access objects; HTTP, TCP • .NET does allow ability to create custom channels; IIOP • RMI creates sockets to remotely access objects; IIOP, JRMP • .NET doesn’t have a naming registry for services
Middleware Interoperability: Corba • Corba is one of the most used middlewares today • Microsoft doesn’t support IIOP, Java does • Create custom channel using TCP/IIOP • Use wrappers, connect to a Corba object via a COM object