  Java vs. .NET Security, Part 3
Subject:   What is it that ".NET lacks completely"?
Date:   2004-07-09 23:12:47
From:   rayburns
Huh? The following comment on page 3 makes no sense to me and I think it may be based on a misunderstanding:

"Java defines very flexible approach to adding and overriding default policies -- something that .NET lacks completely."

This conclusion doesn't seem to have anything to do with the preceding material on the page. That page gives four different ways to override default security in Java, all of which are present in .NET Framework as well. Did anyone understand what the author is claiming .NET Framework lacks? Here are the things he mentions earlier on the page:

1. He mentions passing arguments on the command line. Command line parameters are generally passed in from scripts (Windows programmers, think ".bat" files). The .NET Framework equivalent of editing the Java startup script is to edit the App.config file, which gives the execution parameters for a given application. If passing security settings directly from the command line is actually desired (but why?), it is only a few lines of code to copy the parameters into a new App.config file and use it.

2. He explains how an arbitrary number of policy files may be loaded and merged in Java. The same is true in .NET, and is used by default for web.config files. In fact, this also allows you to define your own hierarchy of configurations with overriding rules, etc.

3. He describes the "grant" statement syntax. The functionality of Java's "grant" syntax is a subset of the functionality of the XML used in .NET Framework, which can accept arbitrary serialized objects.

4. He talks about files being granted different security based on location. This works the same way in .NET Framework, though it is not preconfigured by default, since there is a better way available.

Can anyone explain what the author was referring to? It seems that in this area .NET has all the functionality of Java and a whole lot more. Perhaps he was thinking of some other functionality he didn't mention.

Ray Burns


  • What is it that ".NET lacks completely"?
    2004-07-12 09:44:01  dpiliptchouk

    Ray, your comments are indeed based on a misunderstanding:

    1. Remember the overall context where the command-line parameters were mentioned? I talk about overriding default policy by passing cmd-line parameters for SECURITY POLICY files, not general "parameters". See also my reply to your comment on the first article to understand the issue.

    2. First: a hierarchy of web.config files is applicable to Web applications only. Secondly: again, we're talking about SECURITY POLICY files here, not general configuration. Lastly: anything can be built or added - it's important that Java provides this capability out-of-the-box.
    Configuration features in .NET are quite limited, and to provide any meaningful hierarchy, one'd have to do quite a lot of programming (Just for the record - I've gone through this first-hand, so I know what I'm talking about).

    3. I'm not sure what your objection was in this item.

    4. Again - both platforms provide this CAS feature, I never denied this.

    Please, if there's more misunderstanding, send me a message directly - this is not really a public forum to exchange ideas or clear questions.