C++博客-Legend-Will-文章分类-My English

C++博客-Legend-Will-文章分类-My Englishhttp://www.cppblog.com/Legend/category/7194.htmlTo Toward My Dream And Enjoy My Lifezh-cnFri, 18 Jul 2008 22:49:31 GMTFri, 18 Jul 2008 22:49:31 GMT60Java vs .net part1(转)http://www.cppblog.com/Legend/articles/45110.htmlSunshineSunshineSat, 22 Mar 2008 07:03:00 GMThttp://www.cppblog.com/Legend/articles/45110.htmlhttp://www.cppblog.com/Legend/comments/45110.htmlhttp://www.cppblog.com/Legend/articles/45110.html#Feedback0http://www.cppblog.com/Legend/comments/commentRss/45110.htmlhttp://www.cppblog.com/Legend/services/trackbacks/45110.html第一部分安全配置和代码封装
安全配置
两个平台的配置都是通过XML或纯文本文件，两个平台最大的区别在于处理安全配置体系的方式不同。
在.NET平台，有图形接口和命令行二种方式来修改安全配置参数。Mscorcfg.msc是图形接口方式，Caspol.exe提供了命令行方式，适用于批处理或配置文本。
代码封装：检验
JAVA 和.NET 的Common Library Runtime (CLR) 都实行内存安全或类型安全的保护机制，在这些平台开发的应用的安全性也是可以检验的。他们的实现机制有很大的不同。
在.NET， CLR总是执行编译好的代码，它不解释代码。但是在中间语言（IL）被编译之前，编译器会有验证和检验的步骤。第一步是检查文件的结构和代码完整性；第二步包括一些扩展的检查，内存安全、堆栈跟踪、数据流分析、类型检查等。在运行阶段，由VES (Virtual Execution System) 来负责安全性检查和出错意外情况处理。
在JAVA平台，JAVA虚拟机（JVM）负责类的载入、链接、检验和执行。对于已经编译和优化的代码，JVM也用二个无条件调用堆栈来保留最初的字节代码信息。
小结：和.NET不同，JVM的默认设置是不检验本地代码。另外，JVM保留最初的字节代码供运行时检查，而.NET把静态分析和运行时插入检验代码相结合。
代码封装：应用隔离
在.NET，域隔离建立在内存安全机制的基础上，不同的域不能直接访问彼此的地址空间，只能通过.NET远程通信机制访问。
在JAVA平台，应用隔离是通过ClassLoaders 和 ProtectionDomains 相结合来实现的，安全类加载是JVM安全机制的基石。
小结：.NET的 AppDomains 就象操作系统的进程一样，使用起来比JAVA的 ProtectionDomains 更直接、容易一些。
代码封装：语言特征
两个平台基本上差不多，.NET在灵活性上稍微好一点。
总结：
JAVA在安全配置上有较多的优势，.NET在代码封装的选择性和易用性好一些。
第二部分加密和通信
加密法：概论
.NET的加密法主要基于CryptoAPI 和相关扩展。大多数有关加密的类都在System.security.Cryptography, X509Centificates 和XML中。.NET利用基于流的模型来完成加密传输，所有的算法都被默认为最高的安全级别。.NET也允许用户自己在 machine.config 中定义自己的算法。
JAVA平台的加密算法分二个部分：Java Cryptography Architecture (JCA) 和 Java Cryptography Extension (JCE)。 JCE的出口受到有关法律的限制。如果要使用用户自己的加密算法，必须得到认证机构（SUN 或 IBM）的认证。
加密法：算法
.NET主要提供了下面几大类加密算法：非对称算法、HASH算法、对称算法、随机数生成法。
JAVA提供的加密算法更多，但是较少第三方厂商可以在JAVA中提供自己的算法。
安全通信
SSL已经是事实的传输安全的工业标准了。JAVA和.NET都支持最新版本 SSL 3.0。
安全通信：平台
.NET只在基于IIS的应用中使用SSL来保护HTTP传输，对于非IIS应用，.NET不能保护传输中的数据。
在JAVA中，JSSE （Java Secure Socket Extensions）提供了平台级的服务，保证基于TCP/IP的通信安全。
除了IIS，.NET没有提供任何其它平台级的通信保护的标准方案，但是JAVA在这方面提供了全套的解决方案。
安全通信：应用
.NET通过WSA （Web Service Architecture）和 WSE (Web Service Extension) 包来提供最新的WEB服务安全保证，JAVA目前还没有提供这方面的支持。
总结：在加密方法上，JAVA和.NET基本没有太大的差别；在通信保护方面，JAVA 比.NET提供了更多的选择方案；但是在WEB服务安全性上，JAVA明显比.NET落后一些。
English Translations below:
The First Part :Secure Scheme and Code encapsulation
Secure Scheme
Both of the two platform's Setting are through XML (Extensible Markup Language ) or
plain text, The Biggest Difference Between These  lie in dealing with Secure
Settings and System.
In the .NET platform, having GUI and Command Line these two mode change Secure
Settings Parameter . Mscorcfg.msc is the GUI mode, Caspol.exe support Command Line
mode,Being the same  with processing bath or Settings Text.
In the Java platform, java only provide with GUD tools (policytool.exe), and the
difference between Java and .NET is that Its  Target Object(Settings Files)'s name
and location are not fixed.
.NET have defined different extension's Secure Setting Files:System Range,Local
Range,local User Range. If there is an Confliction , The Parameter in small Range
have the
PRI in principle.
JAVA and J2EE's nuclear Settings Files are both locate in Defined Location, But The
Extend Settings Files's Difference are range from manufacturer to manufacturer.
Code encapsulation:Verification
JAVA and .NET's Common Library Runtime both execute  the protection of the Memory-
safety or  the Type-safety, It's varifiable in these Platform's developed and
applied security. And The Execution mechanism are very different.
In the .NET ,CLR are always Execute The code That  have already Translated, it
won't interpret the code, but before the interlingua is translated,the Interpretor
will have the Verification and validaion's step.the first step is to examine the
structure of the files
and the integrality of the code ; the second step is to contain some extend
examination, memory-safety ,stack-track, the analysis of the data flow, Type-
checkup and so on.In the Execution phases,the safty-checkup and error transaction
is seen to VES(virtual Execution System).
In the java platform. java virtual machine in control of the load of the class,
line of the class,verification of the class, and the execution of the class, For
the code that have already translated and optimized , JVM use two uncondition to
transfer track and save the initial byte code message.
Brief Summary: Different from .NET ,JVM's default Settings is not to verify local
code.In addition,JVM save the initial byte code that will be used for verification
when it is being Execute, instead, .NET combine the analysis of the static state
and the insertion of the  verify code when in the exectution.
Code Encapsulation:Language Speciality
Both of these two Platform are almost the same,.NET's agility are a bit better
Sum-up
JAVA's Safe settings  have more advantage ,but .NET 's  selectivity and easy-use
are btter.
The second Part encrypt and Communication
Encrypt Method:Conspectus
.NET's Encrypt Method is mainly base on the CryptoAPI and correlative extendsion. A
bulk of the  Encrypt Class  is in the System.security.Cryptography,
X509Centificates  and XML . .NET use the model which base on the flow  to complete
the entrypt transmission, all the arithmatics are acquiescently Considered as the
highest safty level.Also .Net  allow the user  to define the Arithmatic Yourself.
JAVA platform's entrypt Arithmatic is divided in to two part:Java Cryptography
Architecture (JCA) 和 Java Cryptography Extension (JCE). JCE's Export are
restricted by the ralative law.But if you want to use the arithmatics yourself ,you
must have the recognization of The SUN  and  IBM.
Entrypt Method: Arithmatics
.NET mainly provide several Entrypt Arithmatic Type:Unsymmetry Arithmatics,HASH
Arithmatics
random number Generation Arithmatics.
JAVA 's entrypt Arithmatics  are   more than Those of the .Net , But very small
amount of the manufacturer can provide Their Arithmatics in JAVA.
Safe Communication
SSL (secure socket layer) have already become the factual and  Transfer-safety
industry standard.JAVA and .NET both support the up-to-date edition SSL 3.0.
Safety-Communication:PlatForm
.NET can use SSL to protect HTTP transmission only base on the Application of the
IIS,but for the non-IIS application ,.NET can not protect the data which is
transfering .
In the JAVA,JSSE(java secure socket extension) provide with  platform level's
services, which can Protec-tty base on the TCP/IP.
Besides IIS, .NET doesn't provide with standard scheme of  any other platform level's Communication Protection, but Java provide with The whole Solution in this aspect.
Safe Commnunication : Application
.NEt provide with the up-to-date Web Service guarantee through WSA (Web Service Arichitecture) and WSE(Web Serve Extendsion) Package,But Java never provide with support in this aspect at present.
Summarization:In the Methods of the Entrypt, it is not a bit distinction between JAVA and .NET,In the communication-protection aspect ,Java have more choice than .NET do; but in the WSE , java drop behind .net evidently.

Sunshine 2008-03-22 15:03 发表评论

]]>