AJ's blog

February 23, 2007

Security analysis of WCF for the German Government

Filed under: .NET, .NET Framework, SOA, Software Architecture, Software Development — ajdotnet @ 10:54 pm

Something I was waiting for but nearly missed: Michael Willers has announced the security analysis of Windows Communication Foundation that he and his colleagues did for the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).

I was lucky enough to hear Michael talk about this last October. There were two interesting points in his talk:

  1. He took us through some threat modelling. That may be interesting from a security point of view, but what impressed me more was that it was the most sound and structured architecture review I have ever seen.
  2. Michael emphasised that developing a secure application is only the first part of the deal. Deploying it — or, more to the point, deploying it securely — turned out to be a challenge of its own. Hence the statement on his blog:

“The results of this study demonstrate how to implement and securely deploy service oriented distributed systems on the Microsoft .NET Platform.”

Documentation and code (under GPL) can be obtained at the BSI site:

“Beside the complete source code of the WCF reference application the BSI distributes manuals covering WCF specific architecture aspects, authentication, data access, development autonomy, distributed error handling, the hosting environment, transport security, securing resources, and secure service set-up and installation.”

It’s definitely worth a closer look.

UPDATE: Microsoft has provided some of the results as templates and libraries for download. See here (Michael’s announcement) and the MSDN CAS Tools & Best Practices site (both in German, sorry, but the downloadable content should be in English).

PS: The BSI is “the central IT security service provider for the German Government.” (http://www.bsi.bund.de/english/index.htm)

PPS: The use of voting machines for elections in Germany does not seem to count as a matter of IT security; they are checked and certified by the “Physikalisch-Technische Bundesanstalt, PTB“ instead.

“The Physikalisch-Technische Bundesanstalt (PTB) is the national metrology institute providing scientific and technical services. PTB measures with the highest accuracy and reliability – metrology as the core competence.” (http://www.ptb.de/en/zieleaufgaben/dieptb.html).

PPPS: And by the way: Germany uses Nedap machines, the ones you can play chess with…

That’s all for now folks,
AJ.NET


February 17, 2007

When are we going to see Glasnost?

Filed under: .NET, Java, Software Developers, Software Development — ajdotnet @ 12:13 pm

There is a world in which glasnost has never happened. The iron curtain is still in place. The so-called free part of the world — in all its inconsistent, chaotic beauty — stands against the firmly organized part, where some kind of party decides upon future development and people more or less follow those directions. There is the occasional traitor, and spy games are not unusual. But the average citizen in each block does not care about the other side and does not know very much about it. If asked, however, he would testify to the worst about the people on the other side. Sometimes those bad assumptions are actually true, which is regularly used by some group in their own camp to spread FUD and to cement a stable political system.
Let’s just hope “The Day After” does not happen anytime soon….

Sounds like a description of the cold war in the ’80s? Well, actually I am referring to the IT world today, the opposing blocks being the Java and .NET communities. You think that’s exaggerated and ask why I have that impression? Well, there’s proof after proof after proof…

Have a look at the comments in major IT newstickers (German readers have a look at www.heise.de) and the ongoing flame wars. (Those may be just proxy wars.)

Have you ever talked to people from the other camp? (If not, why not?) Have you been confronted with the usual arrogance and prejudices?

  • “One cannot build software on that platform; developers working on that platform are simply too stupid to realize the truth; …”
  • “Monstrous, slow, over-engineered software molochs; arrogant OO fanatics; …”

Sounds familiar? Any problem placing the “Java” or “.NET” tag on those lines?

So far my favourite is a Java guy who stood in an office (the team office for a .NET project) and announced (allegedly to a colleague, but loud enough to be heard on the next floor) “one cannot build software with Microsoft!”. He did that after talking to his colleague and in the process stating that he did not have a clue about ASP.NET. Single-minded, arrogant idiot.

The final experience that led to this post was the little bit of research I did for the last post. Although it was a little less religious, I realized that the level of ignorance about the other side is daunting. Some examples:

Java minded people:

  • “The complexity of JEE is minimal when compared to .Net “. Nonsense. Just compare “Java EE Technologies” with “.NET Technology Overview“. The complexity of the platforms is, all in all, comparable; the complexity of the various Java EE specifications is considerably higher than that of the respective .NET documentation.
    (I didn’t include the WinFX parts in the equation because there is no counterpart on the Java side; see “.NET Framework 3.0: Clearing the Confusion” for information on that topic.)
  • “I see by far more Java services than .Net.”. Well, I see more .NET services. Perhaps that’s because I work mainly in .NET and you in Java-dominated environments? Actually, I see more non-service-based integration (database imports, FTP file exchange, …) …
  • “Microsoft environments are typically more homogenous, which requires less integration thereby reducing the benefits of SOA.”. Nonsense. In enterprise environments (where else would I need a notable degree of integration and SOA?), Java usually has the bigger installation base on servers, i.e. more integration demand.

.NET minded people:

  • “… the core of J2EE (EJB) was never really designed for the web, and the whole async ethos. “. Nonsense. EJB is as much designed and suited for the web as COM+ is. Both are component management systems that gained momentum with the success of the internet. They were the very means to enable the development of scalable web applications. Asynchronicity is, in addition, a core part of both systems (message-driven beans in EJB and queued components in COM+).
  • “Java EE turned out to be about as rigid as CORBA.”. Yes, sure. Ever heard of the “Java Community Process”? Was it possible to use just certain parts of CORBA and replace others?
  • “Really, compared to .Net J2EE development is pain.”. Is it? Did you ever use J2EE with a decent IDE, say Eclipse? Did you ever try to write a .NET application without Visual Studio? Why did Microsoft change the build system to MS-Ant, sorry, MSBuild?
  • “So far .Net has avoided becoming rigid – it is still an open platform as to allowing many different approaches to achieve a solution.” An open platform? Aren’t you confusing implementation with usage? Who decides on how to evolve the .NET Framework and Visual Studio?

So much for the people living in both blocks. But there is another thing which is again just like in the cold war: despite public appearances and various cold and hot proxy wars, there is considerable cooperation between the opposing camps. Politically, each contributes to the welfare of the other and draws benefits as well as self-affirmation from it. And talking about “the powers that rule”, IBM and Microsoft work very well together if it suits their needs, see http://ws-i.org/ for example.

So, how far can the similarities be stretched? What would “the fall of the wall” in IT look like, and who would be the winners and losers? Would we have to face problems similar to those of the 1990s, i.e. the struggle between Sun and IBM? Given these potential problems and the political situation today, do we really want the wall to come down? (Metaphorically speaking, of course; I’m glad the real wall came down!)

Of course there are positive examples as well. During one Java project I worked with two Java guys who did not have a clue about .NET. But they were open-minded and just hadn’t had the opportunity to look into the stuff yet. Actually, they were surprised that the .NET Framework and some Visual Studio versions are free. They gave it a try, they saw the pros and cons, they were even impressed by some aspects. They never seriously considered switching to .NET, but we had some interesting discussions about different technical and “cultural” aspects.

I guess I should stop here, perhaps go and listen to some music. “Russians” (Sting) would be fitting, or “Witch Hunt” (Rush)… .

PS: This is my last excursion into Java related areas. I’m going to focus on .NET again, it’s less political there. 

That’s all for now,
AJ.NET


February 10, 2007

Java EE, R.I.P.?

Filed under: Java, SOA, Software Architecture, Software Development — ajdotnet @ 12:21 am

After the last post I still owe you an opinion about “Analysts see Java EE dying in an SOA world“. Well, here it is (perhaps a little overstated):

This article is fundamentally flawed. It confuses the SOA architectural approach, SOA environments and frameworks, services and service implementations. It implies wrong architectural approaches in order to prove the inability to deliver something upon them. It ignores today’s tool-laden development environments that manage complexity quite well. It even dismisses Java as a platform — for reasons that would also apply to .NET –, contradicting itself at the same time.

I picked just some points to justify my statements:

  • “The Java EE world is fundamentally not built for SOA”. SOA is about architectures that (technically speaking) deal with message exchange patterns between independent services. Java EE, on the other hand, is an implementation technology for those services, i.e. it covers the inner workings of a service and its interface. For this, Java EE is perfectly suited. Confusion of SOA and service implementation.
  • The same paragraph also states that “Java is specifically a framework for implementing n-tier architectures”, which has been the architecture of choice for scalable and reliable web applications even before they were adorned with SOAP interfaces. Contradiction.
  • “Object orientation (OO) as implemented in Java EE does not fit well with the service orientation that is the heart of SOA”. This implies that the OO approach is used at the SOA level, i.e. across services. This is exactly what remote object technologies (CORBA, DCOM, RMI) tried to do. They failed — hardly news at all — and services entered the stage to address the respective problems. Implication of wrong architectural approaches. (Again, this by no means rules out Java as an implementation technology for the services themselves.)
  • “It’s the method in which you’re exchanging the data that matters, not the programming model behind the data.” So, if the programming model does not matter from a SOA perspective, why dismiss any programming model at all? Why argue about virtual machines or portability in the first place? Contradiction.
  • “You’ll see that Java EE focuses on providing a framework for scalable n-tier architectures like those that large, transactional Web sites require”. Which is also exactly what business services need. Contradiction or just lack of understanding?
  • “However, if you were to set out to create an enterprise-class framework for SOA…” Now what is that? A framework to unify the service implementations? And I thought “the service orientation makes the need for a unified platform such as Java EE irrelevant.” Contradiction. Or does this refer to some kind of SOA platform, say an ESB? Who just said “it’s not what’s serving up the communications that’s important, it’s the communications itself.” Contradiction. And by the way: the only notable SOA platform not built on Java is MS BizTalk.

Now, I can understand that analysts riding the SOA hype need to attract attention, and statements that strong do that especially well. But these statements do not do them credit; rather, they show some vital lack of understanding of SOA* — or deliberate obfuscation. Which one, I cannot say. I can only hope that they have been quoted in a distorted way or out of context.

* It cannot be a lack of understanding of Java EE, since one of the quoted analysts is an author of well-regarded books on Java (J2EE Web Services and Enterprise JavaBeans 3.0 — which I own myself. Sic!)

As I said: This may be overstated, but it’s straight to the point. And it’s only an opinion, no insult intended!

So, well… . I — yeah, that is me, the one who usually signs his posts with AJ.NET – can firmly stand up and announce publicly and unequivocally, with a loud and clear voice:
Java EE is still alive and kicking! Any reports allegedly announcing its death are wrong.
As we say in German: “Totgesagte leben länger…” (a proverb, something like “those declared dead/written off live longer…”).

Please note that I’m not saying that the role of Java EE (read EJB) is not changing: au contraire! It is quite obvious that lightweight approaches gain more and more momentum in situations where EJB is overkill. But there are still complex demands that ask for transactional and component lifetime services, security, operations support, etc. I guess it boils down to “use the right tool”. However, the fact that our toolbox has more items in it does not mean one should throw away the “older” tools. Usually they got old because they had value.

That’s all for now folks,
AJ.EE ;-)

February 2, 2007

Will somebody please defend Java EE?

Filed under: Java, SOA, Software Architecture, Software Development — ajdotnet @ 8:50 pm

Some time ago a fellow programmer pointed me to “Analysts see Java EE dying in an SOA world” and asked about my opinion. Since then it always lingered in my mind to shape my thoughts into a blog post… — but that will have to wait!

Since I did not want to do the nth repetition of things already said before, I began by searching the web. Given the nature of the article and the fact that it is 6 months old, it is not surprising that I found more than a few pages. Google lists ~400 hits. What I found quite interesting is what the various replies said — and what they didn’t say.

The immediate replies fall in three different categories:

  1. The “me too” replies: They simply link to the article or quote and rephrase it in an attempt to explain what was clear in the first place. They don’t offer an opinion of their own. This is the biggest group in the set of replies.
  2. The “that is not true!” and “how dare you!” replies: They simply state that the article is wrong and that they would never have thought such insolence possible (they tend to be personally offended). What they don’t do is back up their opinion. Those replies are numerous as well.
  3. The by far smallest group is the group of more or less useful replies, replies that offer an opinion. The opinions vary in their support and rejection of the article, and I certainly don’t agree with all of them. But that doesn’t matter, I can live with that. Different opinions are a good thing in themselves. One of the better replies is probably “Is JAVA EE Dying with SOA Adoption?“.
    However! All those replies picked just one aspect or another of the article. I could not find one that addressed the article as a whole, none that mentioned the fundamental problems*.
  4. In the interest of fairness I have to admit that there is a fourth group — luckily not all too numerous –, the “I always knew it!” replies from the .NET camp (e.g. this one).

Far more can be gained by not looking at immediate replies but at the discussions triggered by them. I found particularly those forums and comments to be … well, “interesting”:
http://java.meetup.com/15/boards/view/viewthread?thread=2021011
http://www.infoq.com/news/Java-EE-Demise-Report
And of course the obvious suspects:
http://www.theserverside.com/news/thread.tss?thread_id=41283#213270
http://www.theserverside.net/news/thread.tss?thread_id=41325

This is a very sorry result. A controversial article that is sure to draw attention actually got very little direct response in terms of hard facts. No reply I found was able to dismantle the article. To get better arguments I had to look at various discussions. Those discussions, however, contained all kinds of opinion: wrong and right, objective and religious, informed and misled — and of course the usual share of off-topic and “unpleasant” replies.

Controversial articles are a good thing. They may show new perspectives, revive deadlocked situations, or just generally shake things up a bit. When the dust settles, people should at least have a better understanding of the topic. However (in this particular case), the debate was held in relatively closed communities, not in the open limelight in which the article was placed. People just reading newstickers or otherwise not part of the respective developer communities (usually the ones with the money to spend on projects) won’t even know it took place. That’s a little unsatisfying.

PS: Please note that I checked only a part of the search results. If I missed the one article that really gets to the point, please provide that link. Thank you.

* Just stay tuned, I’m not finished yet.

That’s all for now folks,
AJ.NET
