Jeff Bounds

Systems Engineer
Sun Microsystems, Inc.
Agenda
• Sun ONE™ Overview

• Sun ONE Architecture

• Sun ONE Studio – Java IDE

• Sun ONE Application Framework

• Sun ONE Application Server

• Sun ONE Portal Server

• Sun ONE Identity Server

• Java vs .NET 1
The IT Advantage for ROA
Do More with Less
A New Role for IT
• Transform the business
• Optimize the value chain
• Move closer to customers

Customers Partners Employees

Services On Demand
Evolutio
n
Not Revolution
D.A.R.
T.
Sun ONE Architecture
Service Creation, Assembly and Deployment
Tools

Service Service Service

Integration Container Delivery
Access to Data, Runtime Connection
Applications and Environment Location
Other Services Persistence Aggregation
State Management Formatting
Content Delivery
High Availablity
Syndication
Applications/ Personalization
Core Web Services Caching
Synchronization
Web Services Application Management
Provisioning

Identity and Policy

Roles, Security, Privacy, Management, Monitoring, QOS

Platform
Operating System, Hardware, Storage, Network
Sun ONE Standards
Service Creation, Assembly and Deployment
UML, BPSS, WSDL, NetBeans

Service Service Service Throughout:

Integration Container Delivery HTML, XHTML,
HTTP(S), SSL/TLS,
UDDI, ebXML, JMS, J2EE WebDAV, SyncML, Java, J2SE, J2EE,
Java Connectors, SQL, RDF, RSS, WML, (EBJ, JSP, Servlets,
JDBC, CORBA, JavaMail, Applications/ cHTML, J2ME, MIDP, JNDI, JMS, ...)
FTP, BPSS, EDI Core Web Services JavaCard, VoiceXML JAX* (JAXM,
ESMIP, IMAP, POP, JAXR,
S/MIME, SMS, iCal, JAX-RPC, JAXB,
SIP, SIMPLE JAXP), SOAP,
WSDL, XML,
Web Services XSLT,
XML Schema, SAX
(see Right Column) DOM

Identity and Policy: Liberty, LDAP, vLIP, SP-DAN, DSML, UDDI, Italic = Emerging/
ebXML,
Future Standard
SASL, SAML, XACML, X.509, PKCS, PKIX, OCSP, CM, CIM-SOAP, WBEM,
Kerberos,
IKE, JAAS, J2SE Policy/Perms, JCA/JCE, P3P, XKMS, XML DSIG, XML Encrypt
Platform: POSIX, NFS, FTP, Bind, Sendmail, DHCP, TCP, IPv6,
Mobile IPv4, IPSec, GSS-API, PPP, Fibre Channel, SCSI, Infiniband
Evolution of Networked Computing

1
Scope of Sun ONE

1
Services on Demand

Services
on Demand
Services on Demand is an umbrella concept for delivering services
any time, anywhere, on any kind of client device. The concept
comprises:
– Internet Web Application delivery platform today
– Emerging infrastructure for basic Web Services
– A roadmap for enhancing Web Services for Federated
Commerce with identity services and contextual awareness
– Specifications for access by current and future deployment
environments: J2EE, J2ME, Jini, JXTA, Grid Computing, etc. 1
 Sun ONE Architecture:
Integrated, Integratable
Integrated Stack Integratable Stack
Service Creation, Assembly, and Deployment
Service Creation, Assembly, and Deployment
Applications/
Service Container Core Web Services

Service Applications/ Service

Core Web Services Integration Service
Delivery Integration
Service Service Container
Web Services Delivery
Web Services

Identity and Policy

Platform
Identity and Policy
Platform

• Two Audiences for the Architecture

– Enterprises and Service Developers
– Software Vendors: Gap Fillers, Competitors
1
Sun ONE Studio 4, Enterprise Edition

1
Sun ONE Studio 4
SOS EE

SOS CE
SOS ME(new)

www.sun.com/software/sundev/jde
1
 Sun ONE Studio today

April 2002
• Quantitative feedback 4/ 5 Stars
– Over 1,977,000 downloads
4/ 5 Stars
– Over 4.1 million distributions
March 2001
– Rave reviews and awards (JavaWorld, PC Magazine,
Software Development Online, InfoWorld)
– "We evaluated every Java IDE available and none offered the
Fortefor
flexibility and freedom of the Forte for Java product.”
Java
Tim Ferrell, IT Director McGee Corporation h
Oracle
JDeveloper

InfoWorld Review, April 2001

2001 Innovator Award

April 2001 1
Sun ONE Studio – based on an
Open Tools Platform
● Sun ONE Studio is based on the NetBeans framework -- an
open tools platform that can be extended by the developer
community
● Open source ensures APIs are not controlled by any one
vendor
● The IDE is a platform:
– Provides feature rich functionality
– ISV partners provide value added plug-ins that easily integrate into the
IDE
– ISVs can use NetBeans to develop own tools and solutions
1
www.siemens-mobile.com

1
www.gentleware.com

1
www.gentleware.com

www.refactorit.com

1
 Developer Ressources Portal
http://forte.sun.com
● Product Support
– FAQs, Knowledge Base,
Newsgroups, Bug Fixes,
Docs, Fee Based Support,
Web Based Training
● Community Participation
– Newsgroups, Early Access
Program, Chats, Contribute
Content, Advisory Council,
Newsletter
● Java programming support
● Submit and review bugs
● Download patches and modules

1
 JSP Debugging - HTTP Monitor

• Source level debugging

• Integrated with Web
Containers (Tomcat/iWS)
• HTTP Monitor records /
plays back web requests
1
Sun ONE Studio Update Service

● Powerful Web-based Service for Developers

– Wizard in the IDE
– Patches
– Module Updates
– New Modules

Join the Early Access Program at

http://forte.sun.com/eap/ 1
Sun ONE Studio
● Sun ONE Studio, Mobile Edition
– Development of CLDC/MIDP Applications
– UEI Support for Integration of Emulators

● One IDE Toolset for Java and C/C++/Fortran

– Debugging across Java and C/C++ Applications
– Native Connector Tool: Automatic Generation of Java Classes
accessing C/C++/Fortran Functions
● Sun ONE Support
– XSLT Plug-In Module for Sun ONE Integration Server
– Plug-In Module of Sun ONE Application Framework
1
Plug In Module for Connector Builder and Portlet Builder
Sun ONE Studio 4, Enterprise Edition

• Full J2EE 1.3 Support

– EJB 2.0 (MDB)
– JSP 1.2, Servlets 2.3
– Java Connector Architecture (JCA)

• Web Services Support

• J2EE 1.3 Application Server Support
• Windows NT, 2000 and XP, Solaris 8 and 9,
Red Hat Linux 7.2a
1
 Application Server Integration
● Plugging Modules for:
● J2EE Reference
Implementation 1.3.1
● Sun ONE Application
Server 7
● Tomcat 4.0
● Oracle 9i Application
Server
● BEA WebLogic 6.1 & 7
● Open source Application
Server Integration API 1
Sun ONE Studio 4, Enterprise Edition

1
Sun ONE Application Framework

1
 S1AF – Key Features
Pure J2EE JAVA
•

Evolving graphical tools.

•

Enterprise strength Web Application Development

•

Powerful Component usage methodology

•

Well defined Models (and Custom models)

•

Multiple Rendering (same business logic)

•

Events (application level, page level and field level)

•

Web Services using JAX RPC (requiring no developer

•

code) 1
S1Af Architecture

1
 S1AF – Architecture
• VIEWS – Provides developers a client agnostic, hierarchical
representation of the model data. Enabling multiple rendering
specifications to reuse common presentation logic, ensuring great
structure and flexibility.

• COMPONENTS - “Out of the box” visual components such as

Button, Check Box, Combo Box, etc. are available as well as 3rd
party add-on components .

• MODELS - Common interface for using any Enterprise

resource.
● Web Service resources
● Database resources
● UIF (Enterprise Connectors) resources
1
● J2EE Connector Architecture resources
Sun ONE Studio and S1AF

1
Sun ONE Studio and S1AF

1
Useful URLs

• Www.sun.com/software/sundev
• www.netbeans.org
• forte.sun.com
• java.sun.com
• wireless.java.sun.com
• wwws.sun.com

1
Sun ONE Portal Server

1
Portal Computing Is the Solution
Data No Matter Securely Aggregated Targeted
Where It Resides and Personalized Communities

Employee
Enterprise, Legacy, &
Business Intelligence
3rd Party Data and
Information Feeds Supplier
Communication &
Collaboration

Web pages & links Partner

Process Automation
Services

Customer

1
 Identity Enabled Portal Platform
Data No Matter Securely Aggregated Targeted Any Device
Where It Resides and Personalized Communities

Enterprise, Legacy &

Business Intelligence Employee

3rd Party Data and

Information Feeds

Supplier
Communication &
Collaboration

Web Pages & Links

Partner

Process Automation
Servcies Authentication
Mechanism
Identity Identity
Attributes Functions Customer
1
Sun ONE Portal Server
& Identity Management
Sun ONE Personalization Increases Security
Portal Server ● Central control decreases
Portal inconsistencies
● Finer-grained policy
enforcement
Reduces Costs
● Less duplication; common
Sun ONE Identity Server
infrastructure
Delegated Administration ● Integrated, one product
Directory ● IT efficiencies
Web Single
Identity Sign-On Flexible Usage &
Credentials Deployment
Roles & Groups ● Single sign-on
Preferences ● Delegated administration
Policies & Profiles ● Portal installation includes
Identity Server
Centralized ● Multiple portals and
Access Control applications leverage common1
infrastructure
 Sun ONE Portal Server Product Line
ce ss c ess
teAc le Ac Q2CY03
o Secure Access to: bi Any Device Access
e
m
Re Intranet File Servers, Legacy Apps Mo
ur Groupware Connectivity
Sec Internal Web Apps VoiceXML, WAP 2.0/WAP Push
User Desktops J2ME Device & Sync Support

Sun ONE Portal Server

Identity & Policy Management Web Services and
Development Tools
Personalization Aggregation & Presentation
Search Security

Sun ONE Identity Server

Sun ONE Directory Server
Sun ONE Web/Application Server
1
Portal Server Architecture
Sun ONE Portal Server
Portal Server Services

Desktop (JSP and Template) Rewriter

Search &
Display Template Indexing
Providers NetMail
Profiles Manager

Sun ONE Identity Server

Policy Services Admin Services
Sun One
Directory
Java Development Kit, JAXP, JSS Server

Sun ONE Web Server

Installer
Use of Multi-Roles and Groups
AXA Financial – BtoC and BtoB Portals

Challenge
● Improve customer and partner
interactions while gaining
efficiencies and cost savings
Solution
● Sun ONE Portal Server
(Business to Business and
Consumer Portals)
Benefits
● Platform reusability reduces
time-to-market, lowers
deployment costs
● Lower transaction costs
1
A Single Portal Infrastructure
Serving Multiple Communities
State of New Jersey -- Government Portal
Challenge
● Address the demands of citizens,
employees, other government
agencies and NJ-based
businesses
Solution
● Create multiple portals using
Sun ONE Portal Server as
common infrastructure
Benefits
● The State of NJ realizes
efficiences and cost savings
while creating happy portal users
enabling them to live and work 1
better in the state of New Jersey
 Aggregation & Presentation

Delivers integrated
content, applications,
and services through
customizable portlets.

Aggregated
content &
services

1
 Personalization
● Tab-based grouping of
content specified by portal
users
● User defined
personalization and
preferences capability
● User Context and
personalization via
Standards-Based Identity
for unified profiles and
policy management
● Administrators control the
customization options,
down to
portlet-level 1
 Security
● Support for multiple Authentication Methods
authentication types Windows NT domains
UNIX log-n
● Single Sign On X.509 certificates
LDAP
Sun ONE Portal Server
● Access control RADIUS
SafeWord
● Policy CrytoCard
Java Card
enforcement SmartCard

● Identity
management

1
 Secure Web-Based Access
VPN-on-Demand
Secure B2B and B2E
Web-based access solution
Integrated identity
management

Same
authentication Leverage existing
and authorization corporate resources
as on the Intranet via the portal

Low cost solution

with increased ROI
End user ease of use
and familiarity without
additional training
Ease of administration
and maintanence
1
 Benefits of Secure
Web-Based Access
● Easy and cost-effective
– Simplifies IT administration and maintenance overhead
– Zero client footprint and Zero 'leave behind'

● Pre-packaged, embedded components

– Installs as a complete environment (i.e., Directory, Admin, Policy, ...)
– No integration required!

● Standards-based solution without compromise

– Open Java API for channel, authentication, session, policy, profile, logging
– Commitment to Industry Standards

● Universal access
– Delivers on the promise of the Internet for anytime, anywhere access to key
applications and services 1
 How Does It Work?
Gateway
● Delivers encrypted access to data, applications and files securely using
the policy-based authentication and access control mechanism of the
Sun ONE Portal Server

Netlet (Patented technology!)

● Provides Web, NT, Unix and Mainframe Applications that are either
pushed to the client as HTML Web pages or presented as Java applets
that are downloaded dynamically

Netfile
● File access
client provides access to most popular file
systems, NT and Unix

Rewriter
● Enables intranet access to HTML, XML,
WML, Javascript and CSS content to remote
client devices (i.e., similar to a Proxy Server) 1
Sun ONE Identity Server

1
Sun ONE Identity Server

“A comprehensive solution for

managing identity and enforcing access
to services. It tightly integrates the Sun
ONE Directory Server with policy and
user management to simplify the
administration of users and to provide a
single identity across a range of web
and application servers.”
 Identity Server Benefits

● Provides consistent
security policies
Customers Suppliers Employees Partners
across the network

● Supports centralized
Identity
authentication and Management
authorization

● Provides complete
identity lifecycle Communication E-business Enterprise Vertical
management Applications Applications Applications Applications
Solution: Identity Management
Sun ONE Identity Management
Framework
Directory Server Identity Server

LDAP Repository Access Management/User Management

Performance, Scalability Web SSO, Authentication, Audit/Logging
High Availability, Replication Delegated Admin, User Self-Reg/ Self-Mgmnt
UDDI Private Registry Federated Identity (Liberty)

Directory Proxy Certificate Server

LDAP Proxy PKCS standards compliance

Fail Over, Load Balancing Registration/Certification Authority
Schema Mapping, Client Routing Bulk Enrollment, FIPS compliance

Meta Directory

Synchronization, Consolidation
Join, Identity Provisioning
Identity Management Framework Deployment

Identity Server Certificate Server

Web Proxy Web/App Servers

LDAP Proxy Meta-Directory
Directory
Server

HR/Database/NOS
Firewall Firewall

Sun ONE Identity Framework

Identity Management Framework
Benefits
● Increases Security
 Centralized policy allows a single point of access enforcement
 All access is logged to single point for use w/ audit or intrusion detection tools
 Enables stronger security by allowing the use of digital certificates, token cards,
smart cards, etc for all protected applications and resources
● Reduces costs
 Web single sign-on (SSO) enables major IT cost savings and user efficiencies
 User self-service and delegated account administration reduces IT help desk costs
 Centralized admin of users, policies, and services

● Increase operational efficiencies

 One button account management can create, maintain, and delete accounts from a
single point across all services
 Keeps information synchronized across multiple data sources (e.g. Windows
accounts, mail accounts, HR systems
Identity Management ROI

● Average user spends 16 minutes/day being authenticated. At a

10,000-user company, this costs 2,666 employee hours per day.
Any time savings will product productivity gains.
● On average, user-management takes 63% longer than
necessary. This delay results in lost revenue, reduced
communications, and lost productivity.
● Respondents predicted that time savings from the centralization
and consolidation of user database management would be more
than 1,200 hours a year. Managing users, user databases,
authentication, and access control would result in an estimated
54,180 hours per year. Even a 25% improvement in efficiency in
this case would result in a savings of more than 13,500 hours.
● Security is improved by offering a more exact match between the
accounts and rights assigned to individuals and the rights
needed by the business.
Survey by META Group Oct 2002
Identity Server Positioning
● Identity Management solution for Intranets & Extranets
 Component of S1 Portal Server, will be a component of Messaging,
Calendar, and other Sun ONE product in 2003
 Public APIs for easy integration by ISVs, OEMs, and customers
 Provides Federated Identity (via Liberty)

● Provides Access Management (AAA)

 Web SSO, Authentication, Authorization, Audit/Logging

● Provides common Admin GUI for Users, Access

Management, Services
 Centralized/Delegated Admin, User Self-Registration, User Self-
Management
Project Liberty Organization
● The Liberty Project is a business alliance formed to
deliver and support a Federated Identity solution for
the Internet
 Open – Specifications created by its members
 Universal SSO
 Affiliated services and programs

● Liberty membership includes:

 Financial, banking, travel, airlines, telecom carriers, ISPs,
wireless/mobile operators, device manufacturers, technology
vendors
 17 founders, 26 sponsors, over 2 billion identities represented
 Membership is open to affiliates non-profit government, public, or
standards groups
Secure Network Identity:
Project Liberty
Your choice:
Financial Svcs
(1) Trust Microsoft with Customer
Community
everything, or
Online Wireless
(2) Choose who you trust, Community Community
when you trust them, and
what you trust them to
Retail
know: Project Liberty Telecommunications
Community
Community

Project Liberty: Partnership Online Payment

Community Community
of 100+ companies,
representing more than one
billion online identities,
driving open, federated
identity standards. 1
More on the Liberty Alliance:

www.projectliberty.org 1
Liberty Specification
● 1.0 (July 15, 2002)
 Identity Federation / Federation Termination
 Name Registration – way to implement Federation that may
speed performance (2 way index)
 Single Sign-On
 Single Sign-Off (Global Logout)

● 2.0 (Summer 2003)

 Attribute exchange (profile data exchange)
 Services Framework – way to find where a user has services
available when there is a centralized Identity Provider, and
multiple Service Providers
Java vs .NET

1
The purpose of this debate
Question: Why are we having this
debate?

1
Sun's purpose
z We want to help you build open systems
z We want to demonstrate how the JavaTM
Community and J2EETM technology give you
choice
z We want to show you how to build services
deployable today on any server platform,
available from any client or device

1
Opposing Strategies
z Sun's strategy: Define open standards for JavaTM,
XML, and Internet protocols with community, then
compete on implementation
● Maximizes your choice in development tools and
deployment environments
● Choice reduces your technical and business risk
z Microsoft's strategy: Corrupt standards with
proprietary .NET lock-ins, bombard the market
with tools supporting their lock-ins, then call .NET
“open” because some (but not all) of its
components are based upon standards
1
Microsoft's Notion of Choice

Which version of
Windows and
Internet Explorer
will you choose?

Screenshot: .NET Framework download using Windows Update 1

What you should do
z Listen carefully to the debate, and to
your “gut”.
z Don't wait for MS to lock you in when
.NET server finally ships someday.
z Choose to use the Java™ Platform and
widely deployed J2EE™ technology
today to build scalable, secure, cost
effective systems.

1
What is the Java™ Platform?
z The Java Platform includes:
● Java Virtual Machine, core APIs, and related
technologies defined by the Java Community in
J2EETM, J2SETM, and J2METM specs.
● Related API and technology specifications defined via
the Java Community Process (JCP)
z Focus on JavaTM APIs as well as
implementations and tools from Sun, partners,
and the Java Community

1
 TM
What is the Java Community?
z More than 650 individuals and companies from

around the world constitute the Java

Community (http://jcp.org/participation/members/)
z They use the Java Community Process (JCP) to
define new Java technology standards
● 200+ Java Specification Requests (JSRs) to date,
and counting (http://jcp.org/jsr/all/)
● Majority of JSRs (55%) aren't led by Sun
z Apache, JCP, and Sun coordination insures that
the open source community can implement
JSRs (http://jcp.org/procedures/jcp2 and
http://jakarta.apache.org/site/jspa-agreement.html) 1
 TM
The Java Community: Strength in
Numbers
● Java programmers:
● 2.5 million, as of 2001 (source: Gartner)

● Prediction of 4 million by 2003 (source: IDC)

● Java in universities:
● 78% teach Java, 50% require it (source: TMC)

● Java usage is expected to grow 29.4% in 2003

alone (source: IDC Worldwide Developer Model, via
http://www.devx.com/judgingjava/articles/skills/ )

1
 TM TM
The Java Community: J2EE &
TM
J2SE Executive Committee
● Apache (ASF)
● Apple ● IBM
● BEA Systems ● IONA Technologies
● Borland ● Doug Lea
● Caldera Systems ● Macromedia
● Cisco Systems ● Nokia
● Fujitsu Limited ● Oracle
● Sun Microsystems
● Hewlett Packard

* Term, representatives, and other details from:

http://jcp.org/participation/committee
1
 TMJ
J2EE Technology: Available
Everywhere You Need It
• OSes with J2EE implementations include:
Solaris, Linux, Win32, zOS, OS/390, MacOS,
HP-UX, Compaq Tru64, Compaq OpenVMS,
AIX (source:
http://java.sun.com/jdc/technicalArticles/J2EE/deployathon3)

• 38 J2EE licensees with 16 J2EE 1.3 and 21

J2EE 1.2 implementations tested compliant
(sources: http://java.sun.com/j2ee/compatibility.html and
http://java.sun.com/j2ee/licensees.html)

• J2EE app server market share: >90% (source:

"Server showdown between J2EE and .NET", Wireless Week, 15 April 2002)
1
.NET Products: Definitely .NOT
Standards Based
• .NET is a set of Microsoft products.
• CLI and C# may be ECMA standards, but:
● Other, major parts of .NET have not been standardized
(ASP.NET, ADO.NET, Winforms/ Webforms, Managed
services of CLR, etc.)
• Microsoft guarantees no real competition is
possible, and your risks are maximized.

1
The Java™ Platform Enables
Choice, and Choice is Good!
z If Sun™ ONE products meet your needs, great.
z If not, mix and match our products with others'
J2EETM implementations as needed
● We even link to others' implementations (see:
http://java.sun.com/j2ee/licensees.html)
z If your needs change, change the bits to meet
them!
z Learn more:
http://java.sun.com/j2ee

http://www.sun.com/sunone
1
Sun™ ONE and Standards
• The SunTM ONE stack is based upon open
standards at every level:
● Programming model: The Java™ Platform
(J2EE™, J2SE™, J2ME™)
● Business class Web services: Enabled via
ebXML
● Simple Web services: WSDL/UDDI/SOAP
● Unix operating system and Internet networking
technologies
● Project Liberty network identity and SSO
1
The Microsoft .NET Trap
"Microsoft's offering, for example, in each they
said 'When you pick this product, you also have
to pick our operating system.'"

"The fact that we were locked in, if we made a

Microsoft solution, to an all-Microsoft
environment – not only now but in the future –
was scary."

Larry Singer, CIO of the State of Georgia, interviewed by

eWeek in "Sun's the ONE for Georgia Portal", 26 March
2002 www.eweek.com 1
Web Services Adoption Phases
● 1st Phase – Simple Web Services (Now)
● Consumer-focused, stateless, SOAP over HTTP/S
● 2nd Phase – EAI Web Services (Begun)
● Deployed within organization boundaries to
enable internal integration
● 3rd Phase – Business Web Services (2004?)
● Deployed on extranets to enable business
transactions with trading partners, suppliers,
and customers, ebXML & UBL

1
Sun's Focus is on Business Web
Services
TM
● J2EE
● Service implementation platform standard
● ebXML and UBL
● Business web services standards
● More than 16 vendors and several open source
projects support ebXML
● ex) Australian gas industry uses ebXML NOW!
● Liberty Project
● Identity system standard 1
Our Approach to Web Services
Standards
● We believe any standard should be
developed
● Through open and inclusive process
● And must be
● Royalty-Free (RF) license
● Agree on Standards and compete in
Implementation
● This is what JCP is all about
1
The Security Problem
Exponential growth of the Internet has lead to
exponential increase in security incidents (now
thousands yearly)
zAttacks by worms and viruses cost $17.1 billion
USD worldwide in 2000
zCode Red, a Windows IIS worm, caused $2.62

billion USD damage in 2001

zLatest FBI/CSI Computer Crime Survey:

$455.8 billion USD lost in the last year, up 367%

over the last four years
Sources: Investor's Business Daily (10 December 2001)
1
and www.gocsi.com
Sun's Security Principles
z Security must be addressed in all of your
systems and services, with mutually
reinforcing, independent, layered security
controls
z Security must be integral with system design,
not an afterthought
z Security must be built in, not bolted on

1
Sun Security in Practice:
Designed in from the Beginning
• Sun holds secure computing as a core
competency
• We design for security in depth, from
hardware to OS to container to client
● Trusted Solaris, Solaris at EAL3 since 1995 and
EAL4 as of Solaris 8 in 2000, fundamental Java
security baked in
• Sun security resources:
http://www.sun.com/security http://java.sun.com/security
1
Microsoft: 24 Years to Realize
Security is Important

"We didn't just fall off the turnip truck a

year ago and realize we needed to do
this... We started thinking about this
three years ago."

Craig Mundie, Chief Technical Officer, Senior Vice

President, and head of Microsoft's “Trusted Computing”
initiative, on why Microsoft waited 24 years to care about
security, 13 November 2002
http://www.wired.com/news/technology/0,1282,56381,00.html 1
Microsoft's Security Record
• IIS so bad, Gartner urges switching from
Microsoft IIS to Sun™ ONE Web Server or
Apache (details, and how to switch:
developer.chilisoft.com/whitepapers/SCASP_wp_iisswap.pdf)

• 52,000 viruses afflicting Microsoft

DOS/Windows, as opposed to 5 for
Unix/Linux (as of 22 May 2000, source:
www.oreillynet.com/pub/a/network/2000/05/22/security.html)

• Microsoft shipped NIMDA worm on their

Visual Studio.NET CDs! (source:
www.newsfactor.com/perl/story/18242.html)
1
 Microsoft's Security Record
• .NET isn't even released yet, and ASP.NET is
already broken (MS Security Bulletin “Unchecked buffer
in ASP.NET”: www.microsoft.com/technet/security/bulletin/MS02-
026.asp)

• C# permits “unsafe” operations (labeled as such),

sacrificing all language based safety
• .NET permits a mixture of managed and
unmanaged code
● Imagine the damage unmanaged code can do

1
"Microsoft" and "Security",
in the same sentence?
• Security is about consistent behavior
• .NET hasn't been around long enough to have
a record in the real world (internal
development does not count), but so far things
don't look good
• Microsoft's security record (or lack thereof)
speaks for itself: Why expect anything
different from .NET?

1
Microsoft: Breaking Your
Software to Fix Their Mistakes
"We're going to tell people that even if
(it) means we're going to break some of
your apps, we're going to make these
things more secure. You're just going to
have to go back and fix it."
Craig Mundie, Chief Technical Officer, Senior Vice
President, and head of Microsoft's “Trusted Computing”
initiative, on why Microsoft's years of ignoring security
issues in their products are your problem, 13 November 2002
http://www.wired.com/news/technology/0,1282,56381,00.html 1
"Microsoft" and "Security",
in the same sentence?
"I can't tell if the Gates memo represents a real
change in Microsoft, or just another marketing
tactic. Microsoft has made so many empty
claims about their security processes – and the
security of their processes – that when I hear
another one I can't help believing it's more of
the same flim-flam."
Bruce Schneier, Founder and CTO of Counterpane
Internet Security, world reknowned security expert, and
author of the best selling "Applied Cryptography" ,
commenting on Bill Gates' infamous January 2002 memo
http://www.counterpane.com/crypto-gram-0202.html#1
1
Palladium: DRM By Any Other
Name...
"Large media corporations, together with
computer companies such as Microsoft and
Intel, are planning to make your computer
obey them instead of you,” he wrote.
“Proprietary programs have included
malicious features before, but this plan would
make it universal."
Richard Stallman, founder of FSF and co-founder of the
GNU project, on Microsoft's plans for Trusted Computing
and Palladium, which he refers to as “treacherous computing”
http://news.com.com/2102-1001-964628.html 1
.NET Wireless Strategy:
Everywhere Windows
z Microsoft doesn't understand heterogeneity:
"The strategy behind the compact framework is to
deliver XML-based Web Services to next-generation,
'smart' mobile devices running on... Microsoft's
Pocket PC and the upcoming Smartphone 2002."

"Microsoft Launches .NET Mobile Platform", by

Jay Wrolstad, Wireless NewsFactor, 17 April 2002
www.wirelessnewsfactor.com
z Worse still, industry support is non-existent
z Their biggest supporter, Sendo, abandoned
Smartphone for Nokia/J2ME instead:
http://www.theregister.co.uk/content/54/28000.html 1
J2ME™ Executive Committee
• BEA Systems
• Palm
• Cisco Systems
• Philips
• Ericsson
• Research In Motion
• IBM
• Siemens
• Insignia
• Sony
• Matsushita (Panasonic)
• Sun Microsystems
• Motorola
• Texas Instruments
• Nokia
• Zucotto Wireless
* Term, representatives, and other details from:
http://jcp.org/participation/committee
1
The J2ME™ Platform:
By the Numbers
• More than 50 Java-enabled handset models
(JavaOne, March 2002)
• 22 to 25 million Java technology enabled
phones deployed as of May 2002
• 60% of all data-phones will be Java-
enabled by 2003 (Arc group, October
2001)
• 120+ commercial J2ME licensees 1
Develop : Price Flexibility
● Low Cost Tools: NetBeans
● Sun ● Compuware
● Toshiba ● Siemens
● Mercury Interactive ● Sitraka
● Other Tools: Eclipse, jDeveloper, JBuilder
● Valuable Infrastructure: Ant, Struts,
Xerces, Apache SOAP
● Choose the price of your tools based upon
needs!
1
Deploy : Price Flexibility
• Low cost servers: JBoss, JRun, Oracle9iAS, Sun
ONE Application Server:
● General Electric (see below)
● Boeing
● Dow Jones
• Apache/Tomcat: too many to count!
Consider how General Electric is really driving
down development and deployment costs!
http://servlet.java.sun.com/javaone/sf2002/conf/sessions/display-1078.en-96938.jsp

1
Cost to Deploy
● Choose OS and Hardware
● Solaris, Linux, Windows
● Infrastructure costs falling
● Oracle9i Application Server
● Sun ONE Application Server
● JBoss is significant

1
Cost to Maintain
● Portable language and platform.
● http://developer.java.sun.com/developer/technicalArticles/J2EE/deployathon3

● Consider SAP savings

● Productivity of JavaTM/J2EETM
• Training / Porting
● Significant reduction in (re) training costs

1
Cost – Risk
● .NET is fully shipping when?
● What bugs will happen in CLR?
● Security?
● J2EETM is stable proven and mature
● JDK: 1.1, 1.2, 1.3,1.4,1.4.1
● J2EE: 1.2, 1.3, 1.4
● IBM WebSphere: 3.0, 3.5, 3.51, 4.0
● BEA: 3.0,4.0,5.x,6.x,7.x

1
.NET : Deploy/Maintain
● Hidden costs
● Microsoft funding lots (most) activity in
enterprise so it is hard to tell what
development costs are so far.
● Server sprawl 1 app one server=>lots of
machines to manage
● Support contracts are very often
independently negotiated

1
Deploy : Hidden Costs

1
 Coolest Thing

True innovation !
(from SmartCard to Mainframe and beyond)

1
Innovation
● JavaCard
● Secure Identity
● Ubiquitous network access
● Smart Card configures the “service” on behalf of
the user
● 260+ Million cards already shipped
● Smart Card is 5 years old

1
Innovation:Networking
● JiniTM
● Spontaneous Networking
● Network Plug and Work
● Services on Demand
● Self Healing Networks
● JXTATM
● Collaboration
● Messaging on steroids!
1
Innovation: Participation!
● Anyone can learn JavaTM/J2EETM
● Anyone can :
● Examine Java/J2EE
● Influence Java/J2EE
● Implement Java/J2EE
● Make money from Java/J2EE
● Millions have learned Java
● Google keyword java = 33,400,000 hits
● Google keyword J2EE = 945,000 hits
1
Innovation: Participation!
● With JavaTM/J2EETM you can:
● Program smartcards to supercomputers
● Copy and share with minimal restriction

1
Freedom: Right to innovate
JavaTM/J2EETM allows companies other than
Microsoft the right and the ability to innovate!

Quick examples:
● Apache Software Foundation
● JBoss
● BEA

1
Truth about Mixed Language
Environment of .NET
• You have to use Microsoft specific extensions or
cannot use certain features of the language in order
to run it in .NET
● It is not ANSI standard C++, COBOL, for example
• Mixed code could be hard to maintain
• Mixed code could be hard to share and
communicate best practices
• Steep learning curve from VB to VB.NET and C#:
Why not try Java programming language instead?
1
Java PetStore the real story!
● Sun creates Java Pet Store as an example of
Multi-tier java/J2EETM design
● MicroSoft creates a brand new application
Stored procedures => SQL Sever only
Built from ground up (no portability here)
Designed for a purpose.
● Oracle tinkers with SQL in Java Pet Store and
runs much faster than the MicroSoft client
server app
1
Java PetStore the real story!
Examples of the 21 things Oracle changed in
Java Pet Store 1.1.2 to blow away M$'s client-
server app.
●InventoryEJB modified to eliminate
unnecessary ejbStore() operations
●InventoryEJB modified to eliminate
unnecessary calls to dao.load()
● CatalogDAOImpl.java
● Some debugging in String handling
1
J2EE scales 400%better than .NET

1
The latest chapter in the fairy tale

• Microsoft (significantly) funds TMC company

to run an exercise again with Java PetStore
tutorial code
(the old version)

Can you guess what it showed?...

1
Spot the problems
● TMC have apologized for a flawed exercise.
http://www.middlewarecompany.com/j2eedotnetbench/message.shtml

● Testing or marketing ?
● JPS is not a benchmark!
● No run rules
● No peer review
● Hard to see any customer benefit
●Very little disclosure (compare with
SPECjAppServer)
●No expert tuning for J2EE but
1
Mi ft i it
Spot the problems
Some more technical insights:
● LOC comparison just wrong, worse it is misleading
http://www.ejbsig.de/docs/PetShopArchitecture.html
●.NET code not even object oriented!
●Pricing is wrong and extremely limited

●JDK version ?

1.4 much faster than 1.3

●

●Database tuning - no details?

●Dubious hardware selection

●No detailed disclosure

●No vendors gave permission to use their software

.....I could continue.

1
Still there was some value

This exercise shows just how portable J2EE

applications are as TMC company tested JPS
across 2 application servers apparently without
code change!

1
Java PetStore : conclusion
● Use industry standard benchmarks
● Beware Microsoft will use lots of influence to
slow down the rate of adoption of Java and
J2EE or anything else they don't like.

1
Jeff Bounds
jeff.bounds@sun.com
Systems Engineer
Sun Microsystems, Inc.