Boiled Down to Basics

| The Software Engineers' Picks | Java or .NET |
|---|---|
| Code Containment and Execution | App domains are less permeable. |
| Code and Data Protection | Java's more flexible; .NET offers Windows features. |
| | Java is the "hands down" winner here. |
| Code-based Access Control | .NET seems to have learned a lot from Java security. |
| Role-based Access Control and User Authentication | JAAS is better than what's available on .NET. |
| Auditing and Tracking | Neither offers much support; both are weak in this sense. |
Both platforms provide sound designs and deliver similar functionality, including their allowance for plug-in components, but they have inherent differences due to their vendor/OS bindings. .NET binds tightly to the Windows platform for many of its security services, while the Java platform is specification-based and platform independent. Of course, any sizable project using Java or J2EE products will invoke vendor-specific functionality, but Java's ability to be customized generally translates into better flexibility. At the same time, .NET is stronger out of the box in many aspects because it offers Windows security features by default.
A significant drawback of Java is having many bodies participating in its design process, which leads to an inefficient, piecemeal evolution of specifications. Java specifications end up needing custom features before they're of any use. .NET's security is more streamlined and cohesive by comparison because its design and implementation are centralized. And unlike past Microsoft platforms, .NET shows evidence of having been designed with security demands in mind.
As the more mature technology, Java does offer more stability. Various enterprise Java products have been deployed, tested, and verified for years on multiple platforms by developers and users all over the world. Conversely, .NET just came into the world after about a year of extensive beta testing. Only now, after full release, will its architecture really be subjected to true field tests by the programming community at large, which inevitably will lead to the discovery of security design flaws and programming bugs.