IT Architecture and Security (IT Arkitektur og Sikkerhed)


1 IT Architecture and Security
IT Architecture

2 Last week
Last week we covered: introduction to computers, OS, RAID, SAN, NAS.

3 Agenda
This week we cover:
- What is IT architecture?
- LDAP and NOS
- Application servers
- Thin/thick clients
- Server-based computing
- N-tier models
- Middleware

4 Next week
Next week we cover Enterprise Architecture: Zachman, TOGAF.

5 IT Architecture
What does "architecture" mean?
A formal description of a system, or a detailed plan of the system at component level to guide its implementation. The structure of components, their interrelationships, and the principles and guidelines governing their design and evolution over time.

6 IT Architecture
How, then, do we define IT architecture?
- Business architecture: defines the business strategy, governance, organisation, and key business processes.
- Data/information architecture: describes the structure of an organization's logical and physical data assets and data management resources.
- Application (systems) architecture: provides a blueprint for the individual application systems to be deployed, their interactions, and their relationships to the core business processes of the organization.
- Information Technology (IT) architecture: the software infrastructure intended to support the deployment of core, mission-critical applications. This type of software is sometimes referred to as "middleware", and the architecture as a "technical architecture".

7 Directory services
Fundamentally, a directory service is a network-based application that holds information about network users, network resources and the like. A phone book is a very good example.
What is typically the difference between a directory and a database?
- Optimized for many reads and for advanced searches
- Duplicated and replicated
- A hierarchical tree structure
There are basically three kinds of directory services:
- NOS directories (AD, Novell eDirectory)
- Application directories (e-mail, SAP and the like)
- General-purpose directories (ordinary lookups, the white pages)
A directory service is a software application, or a set of applications, that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage users' access to the resources. Additionally, directory services act as an abstraction layer between users and shared resources. Unlike a general-purpose database, a directory service is highly optimized for reads (writes are comparatively rare) and provides advanced search on the many different attributes that can be associated with objects in a directory. The data that is stored in the directory is defined by an extensible and modifiable schema. Directory services use a distributed model for storing their information, and that information is usually replicated between directory servers.

8 LDAP
LDAP stands for Lightweight Directory Access Protocol and is a protocol for talking to directory services.
LDAP is based on X.500. X.500 is the directory model in OSI. DAP (Directory Access Protocol) runs over the OSI network protocol stack and is very complex and heavy.
Lightweight Directory Access Protocol, or LDAP, is a networking protocol for querying and modifying directory services, running over TCP/IP. X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT. The directory services were developed in order to support the requirements of X.400 electronic mail exchange and name lookup. The X.500 protocols are:
- DAP (Directory Access Protocol)
- DSP (Directory System Protocol)
- DISP (Directory Information Shadowing Protocol)
- DOP (Directory Operational Bindings Management Protocol)

9 LDAP
There is a sea of LDAP directory implementations:
- Microsoft Active Directory and ADAM
- Computer Associates eTrust Directory 8
- IBM Tivoli Directory Server 5.x
- Nexor Directory 5.1
- Novell eDirectory 8.7.x
- Oracle Internet Directory 10g
- Sun Microsystems Sun ONE Directory Server 5.2

10 LDAP query
This is what a typical LDAP query could look like (with OpenLDAP's ldapsearch you would normally also pass -x for a simple bind and -b for the search base):

# ldapsearch "sn=Strand" cn telephoneNumber

Response:
cn=Michael Strand, ou=managers, O=netcompany, c=dk
telephoneNumber=

An entry can look like this when represented in LDIF format (LDAP itself is a binary protocol):

dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber:
telephoneNumber:
mail:
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

11 Object tree
- Data is represented in a directory service as a hierarchy of objects.
- The top of the hierarchy is normally called the root.
- Each object (also called an entry) has a parent entry and may have child entries.
- Each entry carries one or more object classes; each object class defines which attributes the entry must and may have.
The protocol accesses LDAP directories, which follow the 1993 edition of the X.500 model:
- A directory is a tree of directory entries.
- An entry consists of a set of attributes.
- An attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema.
- Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as a full path name and the RDN as a file name within a folder.

12 Directory Information Tree (DIT)

13 Directory Information Tree (DIT)
Every object has a unique name, called a DN (Distinguished Name), which is built from relative names called RDNs (Relative Distinguished Names); you find them by walking the tree from the object up to the root.

14 LDAP operations
LDAP supports a number of different operations:
- Bind and Unbind
- Search for objects that meet search criteria
- Add object
- Delete object
- Modify object
- Modify DN or RDN (move)
- Compare objects
The full set of protocol operations:
- Start TLS: optionally protect the connection with Transport Layer Security (TLS), to have a more secure connection
- Bind: authenticate and specify the LDAP protocol version
- Search: search for and/or retrieve directory entries
- Compare: test whether a named entry contains a given attribute value
- Add: add a new entry
- Delete: delete an entry
- Modify: modify an entry
- Modify DN: move or rename an entry
- Abandon: abort a previous request
- Extended Operation: generic operation used to define other operations
- Unbind: close the connection (not the inverse of Bind)
Note that a simple Bind sends the password in clear text, so it should only be done after Start TLS (or over LDAPS on port 636); otherwise anyone on the network path can read the credentials.

15 Active Directory
Microsoft Active Directory (AD) is a so-called NOS directory, structured as an LDAP directory. AD holds information about objects and their attributes, such as users, resources (objects) and services. AD is used to grant network access and permissions to resources and services, and as a general lookup service.
- Available since Windows 2000 Server
- Supports the LDAP v2 and v3 standards
Active Directory is an implementation of LDAP directory services by Microsoft for use in Windows environments. Active Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates to an entire organization. An Active Directory stores information and settings relating to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects to a large installation with millions of objects. Active Directory Application Mode (ADAM; renamed Active Directory Lightweight Directory Services, AD LDS, from Windows Server 2008) is a light-weight implementation of Active Directory. ADAM is capable of running as a simple user service. Due to its small resource requirements, multiple ADAM instances are able to run on the same server. The API is identical to that of a full-blown Active Directory implementation, so developers do not need to learn new skills to utilize it. Active Directory and ADAM share the same code base, so the performance of ADAM is nearly identical to Active Directory when comparing like operations.

16 Information in AD
AD organizes network objects and their attributes:
[Diagram: Active Directory containing Users (Susan Hansen, Per Sorensen) with the attributes First Name, Last Name and Logon Name, and Printers (Printer1, Printer2, Printer3) with the attributes Printer Name and Printer Location; each object has attributes, and each attribute has a value.]
Active Directory is a directory service used to store information about the network resources across a domain. An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g. printers), services, and users (accounts, or users and groups). The AD provides information on the objects, organizes the objects, controls access, and sets security. Each object represents a single entity, whether a user, a computer, a printer, an application, or a shared data source, and its attributes. Objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes, the characteristics and information that the object can contain, defined by a schema, which also determines the kinds of objects that can be stored in the AD. Each attribute object can be used in several different schema class objects. These schema objects exist to allow the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of AD objects, deactivating or changing these objects can have serious consequences, because it will fundamentally change the structure of AD itself. A schema object, when altered, will automatically propagate through Active Directory, and once it is created it can only be deactivated, not deleted. Changing the schema usually requires a fair amount of planning.

17 Why is this smart?
Because users, resources and services on the network can then be managed centrally, and users can be given the relevant access to resources and services.
AD supports UNC (\), URL (/), and LDAP URL names for object access. AD internally uses the LDAP version of the X.500 naming structure. Every object has a Distinguished Name (DN), so a printer object called HPLaser3 in the OU Marketing and the domain foo.org would have the DN CN=HPLaser3,OU=Marketing,DC=foo,DC=org, where CN is common name and DC is domain component; DNs can have many more than four parts. The object can also have a canonical name, essentially the DN in reverse, without identifiers, and using slashes: foo.org/Marketing/HPLaser3. To identify the object within its container the Relative Distinguished Name (RDN) is used: CN=HPLaser3. Each object also has a Globally Unique Identifier (GUID), a unique and unchanging 128-bit value which is used by AD for search and replication. Certain objects also have a User Principal Name (UPN), an Internet-style name of the form user@domain.
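As an added example (not from the slides, and not Netcompany's or Microsoft's code), the Python program below builds an in-memory directory from constructed LDIF in the style of slide 10, splits DNs into RDNs and parent DNs as described on slides 11 and 13, converts an AD DN to the canonical name shown on this slide, and implements a Search like the one on slide 14 whose user input is escaped per RFC 4515, so a surname lookup cannot be turned into an LDAP-injection "match everyone" query. The entries, the phone number and the two lookup_surname helpers are assumptions made for the example.

```python
# Added example (not from the original slides): a tiny in-memory LDAP
# directory loaded from LDIF, with DN/RDN handling, AD-style canonical
# names and a subtree Search whose user input is escaped per RFC 4515.
# The entries below are constructed sample data in the style of slide 10.
import re

SAMPLE_LDIF = """\
dn: cn=Michael Strand,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Michael Strand
sn: Strand
telephoneNumber: +45 00 00 00 00

dn: cn=John Doe,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
manager: cn=Barbara Doe,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def split_dn(dn):
    """Split a DN into its RDNs; a backslash-escaped comma does not split."""
    return re.split(r"(?<!\\),", dn)


def rdn(dn):
    return split_dn(dn)[0]


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def canonical_name(dn):
    """AD canonical name: the DC parts become the DNS name, the remaining RDNs
    follow root-first, separated by '/', without the CN=/OU= identifiers."""
    parts = [p.split("=", 1) for p in split_dn(dn)]
    dcs = [v for k, v in parts if k.strip().lower() == "dc"]
    rest = [v for k, v in parts if k.strip().lower() != "dc"]
    return "/".join([".".join(dcs)] + rest[::-1])


def escape_filter_value(value):
    """RFC 4515 escaping for untrusted text placed inside a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _assertion_regex(pattern):
    """Compile an LDAP assertion value: a bare '*' is a wildcard, '\\xx' a
    literal character, everything else matches itself, case-insensitively."""
    out, i = "", 0
    while i < len(pattern):
        if pattern[i] == "*":
            out, i = out + ".*", i + 1
        elif pattern[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", pattern[i + 1:i + 3]):
            out, i = out + re.escape(chr(int(pattern[i + 1:i + 3], 16))), i + 3
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out, re.IGNORECASE)


def search(entries, base, ldap_filter):
    """Subtree search for one '(attr=value)' filter; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only a single (attr=value) filter is supported")
    attr, rx, base = m.group(1).lower(), _assertion_regex(m.group(2)), base.lower()
    return sorted(
        dn for dn, attrs in entries.items()
        if (dn.lower() == base or dn.lower().endswith("," + base))
        and any(rx.fullmatch(v) for v in attrs.get(attr, []))
    )


def lookup_surname(entries, user_input):
    """Safe: the user's text can only match a literal surname."""
    return search(entries, "dc=example,dc=com", "(sn=%s)" % escape_filter_value(user_input))


def lookup_surname_unsafe(entries, user_input):
    """LDAP injection: a user-supplied '*' turns the lookup into 'everyone'."""
    return search(entries, "dc=example,dc=com", "(sn=%s)" % user_input)
```

Calling lookup_surname(parse_ldif(SAMPLE_LDIF), "*") returns nothing, because the escaped filter (sn=\2a) only matches a literal asterisk, whereas the unsafe variant's (sn=*) returns every person under the base. This escaping covers assertion values only; a DN assembled from user input needs the separate RFC 4514 escaping of its RDN values.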

18 Central management
[Diagram: Active Directory search across a domain with OU1 (Computers: Computer1; Users: User1, User2) and OU2 (Printers: Printer1).]
Active Directory:
- An administrator can manage objects centrally
- Administrators can easily find information
- Administrators can group objects logically in OUs
The framework that holds the objects is viewed at a number of levels. At the top of the structure is the Forest: the collection of every object, its attributes and rules (attribute syntax) in the AD. The forest holds one or more transitive, trust-linked Trees. A tree holds one or more Domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace. A domain has a single DNS name. The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration, and can give a semblance of the structure of the AD's company in organizational or geographical terms. OUs can contain OUs (indeed, domains are containers in this sense) and can hold multiple nested OUs. Microsoft recommends as few domains as possible in AD and a reliance on OUs to produce structure and improve the implementation of policies and administration.

19 Delegated management
[Diagram: a domain with OU1, OU2 and OU3, each administered by its own delegated administrator: Admin1, Admin2 and Admin3.]
The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well. Delegation is implemented as access control entries on the OU's ACL, so rights such as resetting passwords or changing group membership granted too broadly are a privilege-escalation path and should be reviewed like any other privileged access.

20 Domain
A domain is an administrative boundary in an AD. That means a domain has its own users, security policy, trusts to other domains and the like.
A domain will typically correspond to a DNS name, for example dr.dk.
A domain is managed from a domain controller (DC):
- There is at least one per domain
- It holds a replica of the AD and synchronizes with the other DCs
Note that the domain is an administrative boundary, not a security boundary: the forest is the security boundary, because an administrator of any domain in the forest can escalate to the whole forest.
Physically the AD information is held on one or more equal peer domain controllers (DCs). Each DC holds a single domain partition and a read-and-write copy of the AD, changes on one computer being synchronized (converged) between all the DC computers by multi-master replication. Servers joined to AD which are not domain controllers are called Member Servers. As a further subdivision AD supports the creation of Sites, which are physical rather than logical groupings defined by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g. WAN, VPN) and high-speed (e.g. LAN) connections. Sites can contain one or more domains and domains can contain one or more sites. This is important to control network traffic generated by replication and to refer clients to the nearest domain controllers. AD replication is 'pull' rather than 'push'. The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are less frequent and do not use change notification, although this is configurable and can be made identical to intrasite replication. A different 'cost' can be given to each link (e.g. DS3, T1, ISDN etc.) and the site link topology will be altered accordingly by the KCC.
Replication between domain controllers may occur transitively through several site links on same-protocol site link bridges if the 'cost' is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to the other DCs within the site.

21 Domain tree
Domains are typically organised logically in a tree structure. The individual domains are identified by their DNS name.

22 DNS and AD
- The DNS host record and the Active Directory object represent the same physical computer
- DNS lets computers find objects in AD
[Diagram: the DNS tree "." > dk > telia > traning > computer1 beside the Active Directory tree telia > traning.telia.dk > Builtin, Computers (Computer1, Computer2), salg. FQDN = computer1.traning.telia.dk; Windows 2000 computer name = Computer1.]
Physically the AD information is held on one or more equal peer domain controllers (DCs), replacing the NT PDC/BDC model (although there is a 'more equal' flexible single master operation (FSMO) server for some operations, which can simulate a PDC). Each DC holds a single domain partition and a read-and-write copy of the AD, changes on one computer being synchronized (converged) between all the DC computers by multi-master replication. Servers joined to AD which are not domain controllers are called Member Servers. Unlike earlier versions of Windows, which used NetBIOS to communicate, Active Directory is fully integrated with DNS and TCP/IP; indeed DNS is required. To be fully functional, the DNS server must support SRV resource records, or service records. An SRV record or Service record is a category of data in the Internet Domain Name System specifying information on available services. It is defined in an RFC. Newer internet protocols such as SIP and XMPP often require SRV support from clients. Client implementations of older protocols (e.g. LDAP, SMTP) may have SRV support added to them.
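As an added example (not from the slides), the Python program below shows how a member computer uses the SRV records AD publishes under _ldap._tcp.dc._msdcs.<domain> to pick a domain controller, following the priority and weight rules of RFC 2782. The zone lines and the host names dc1, dc2 and dc-dr are constructed for the example; only the domain traning.telia.dk comes from the slide.

```python
# Added example (not from the original slides): how a domain member picks a
# domain controller from the SRV records AD registers in DNS, using the
# RFC 2782 priority/weight rules. Zone lines and host names are constructed
# sample data for the traning.telia.dk domain drawn on the slide.
import random

SAMPLE_ZONE = """\
; constructed records; AD registers these under _msdcs for every DC
_ldap._tcp.dc._msdcs.traning.telia.dk. 600 IN SRV 0 100 389 dc1.traning.telia.dk.
_ldap._tcp.dc._msdcs.traning.telia.dk. 600 IN SRV 0 50 389 dc2.traning.telia.dk.
_ldap._tcp.dc._msdcs.traning.telia.dk. 600 IN SRV 10 0 389 dc-dr.traning.telia.dk.
"""


def parse_srv(zone_text):
    """Parse zone-file SRV lines into (priority, weight, port, target) tuples."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith(";") or fields[3] != "SRV":
            continue  # comments, blank lines and other record types
        prio, weight, port, target = fields[-4:]
        records.append((int(prio), int(weight), int(port), target))
    return records


def order_targets(records, seed=None):
    """Order records the way RFC 2782 tells a client to try them: lowest
    priority first; within one priority a weighted random draw in which a
    weight-0 record is almost never picked while weighted ones remain."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # weight-0 records go first so they only win when the draw is 0
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            draw = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= draw:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def choose_dc(records, seed=None):
    """The (host, port) the client should connect to first."""
    first = order_targets(records, seed)[0]
    return first[3], first[2]


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE)
    print([r[3] for r in order_targets(recs)])
```

The two priority-0 controllers are always tried before the priority-10 disaster-recovery DC, and dc1 is picked first roughly twice as often as dc2 because of its weight. The DNS answer is not authenticated, so a DC located this way still has to prove its identity (Kerberos mutual authentication, LDAP signing or LDAPS) before the client should trust it with credentials.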

23 Forest
A forest is one or more trees. Trees in a forest do not share the same DNS namespace.
[Diagram: a forest of two trees, telia.dk with the child domain cph.telia.dk, and orange.dk with the child domains aarhus.orange.dk and kbh.orange.dk.]
The actual division of the company's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business, by geographical location, or by IT roles. These models are also often used in combination, but Microsoft recommends that OUs be structured to facilitate administrative delegation and group policy application.

24 Trust
Trust allows users from one domain to access objects in another domain.
The slide lists four models: single domain, master domain, multiple-master domain and multiple (complete) trust. These are the Windows NT 4 domain models; the AD trust types are the ones listed below.
To allow users in one domain to access resources in another, AD uses trust. Trust is automatically created when domains are created. The forest sets the default boundary of trust, not the domain, and implicit trust is automatic. As well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees; transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or non-transitive, one- or two-way), or external (non-transitive, one- or two-way) in order to connect to other forests or non-AD domains. AD uses the Kerberos V5 protocol. Simply speaking, AD uses trust to allow users in one domain to have access to resources in another domain. Each child domain has a two-way trust with its parent. The root of every tree has a two-way trust with the forest root domain. As a result, every domain in the forest, either explicitly or implicitly, trusts every other domain in the forest. These default trusts cannot be deleted.
A trust relationship describes the user access between two domains:
- One-way trust: one domain allows access to users of another domain, but the other domain does not allow access to users of the first.
- Two-way trust: both domains allow access to each other's users.
- Trusting domain: the domain that allows access to users of another domain.
- Trusted domain: the domain that is trusted, whose users have access to the trusting domain.
- Transitive trust: a trust that can extend beyond two domains to other trusted domains in the tree.
- Intransitive trust: a trust that does not extend beyond the two domains.
- Explicit trust: a trust that an administrator creates. External trusts are non-transitive; shortcut and forest trusts created explicitly can be transitive and one- or two-way.
- Cross-link trust: an explicit trust between domains in different trees, or in the same tree when no descendant/ancestor (child/parent) relationship exists between the two domains.
A trust only opens the door; it grants no permissions by itself. Resources in the trusting domain must still list the trusted domain's users or groups in their ACLs, which is also why a trust with a poorly run domain is a risk: whoever controls the trusted domain can use every access its principals have been given.
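As an added example (not from the slides), the Python program below computes which domains' resources a user can be granted access to, given the direction and transitivity of each trust as defined in the list above. The forest (telia.dk, cph.telia.dk, orange.dk, kbh.orange.dk) is the one drawn on slide 23; the partner domain partner.example and its one-way, non-transitive external trust are assumptions for the example. The limit that a forest trust does not chain on to a third forest is deliberately not modelled.

```python
# Added example (not from the original slides): which domains a user can reach
# through AD trusts, given each trust's direction and transitivity. The forest
# follows slide 23; partner.example and its external trust are constructed.
from collections import deque


def forest_trusts(forest_root, tree_roots, parent_child):
    """Default trusts of one forest: every child domain has a two-way
    transitive trust with its parent, every tree root one with the forest root.
    A trust is (trusting, trusted, transitive): users of the trusted domain
    may be granted access to resources in the trusting domain."""
    trusts = []
    for parent, child in [(forest_root, t) for t in tree_roots] + list(parent_child):
        trusts.append((parent, child, True))
        trusts.append((child, parent, True))
    return trusts


def accessible_domains(user_domain, trusts):
    """Domains whose resources a user from user_domain can be granted access to.
    Access crosses several trusts only if every hop is transitive; a
    non-transitive trust reaches exactly one domain and stops there."""
    reachable, expanded = {user_domain}, {user_domain}
    queue = deque([user_domain])
    while queue:
        here = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusted != here:
                continue
            # A non-transitive trust only counts when it is the first (direct) hop.
            if not transitive and here != user_domain:
                continue
            reachable.add(trusting)
            if transitive and trusting not in expanded:
                expanded.add(trusting)
                queue.append(trusting)
    return reachable


# The forest from slide 23: two trees, each with one child domain.
FOREST = forest_trusts(
    "telia.dk", ["orange.dk"],
    [("telia.dk", "cph.telia.dk"), ("orange.dk", "kbh.orange.dk")],
)
# Constructed: a partner forest's domain trusts orange.dk one-way (external,
# non-transitive), so orange.dk users can be given access there, nobody else.
EXTERNAL = [("partner.example", "orange.dk", False)]
ALL_TRUSTS = FOREST + EXTERNAL


if __name__ == "__main__":
    for d in ["kbh.orange.dk", "orange.dk", "partner.example"]:
        print(d, "->", sorted(accessible_domains(d, ALL_TRUSTS)))
```

A user from kbh.orange.dk reaches every domain in the forest but not partner.example, a user from orange.dk additionally reaches partner.example, and a user from partner.example reaches nothing outside their own domain, since the trust is one-way.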

25 Group Policy
Group Policy objects are used to control other objects: the registry, NTFS security, audit and security policy, software installation, logon/logoff scripts, folder and IE configuration.
Group Policy can be attached to domains, OUs and more, but is typically attached to OUs.
The Group Policy is stored in a Group Policy Object (GPO).
The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites. The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well. Group Policy can control a target object's registry, NTFS security, audit and security policy, software installation, logon/logoff scripts, folder redirection, and Internet Explorer settings. The policy settings are stored in Group Policy Objects (GPOs). A GPO is internally referenced by a Globally Unique Identifier (GUID). Each one may be linked to multiple sites, domains or organizational units. In this way, potentially thousands of machines or users can be updated via a simple change to a single GPO. This reduces the administrative burden and costs associated with managing these resources. User and computer objects may only exist once in the Active Directory but often fall into the scope of several GPOs. The user or computer object applies each applicable GPO. Conflicts between GPOs are resolved at a per-setting level: GPOs are processed in the order local, site, domain, OU (parent OU before child OU), and the GPO processed last wins, unless a higher-level link is marked Enforced, in which case it wins and also passes a Block Inheritance set on a lower OU. Group Policies are analysed and applied at startup for computers and during logon for users. The client machine refreshes most of the Group Policy settings periodically, by default every 90 minutes with a random offset of up to 30 minutes; the interval is itself a configurable Group Policy setting.
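As an added example (not from the slides), the Python program below resolves the resultant policy for a computer from the GPOs linked at the domain and OU levels, applying the precedence rules just described, including Block Inheritance and Enforced. The GPO names, the OUs and the two security settings used (LmCompatibilityLevel, RestrictAnonymous) are constructed for the example; the processing order and precedence rules are Microsoft's.

```python
# Added example (not from the original slides): resolving the resultant Group
# Policy for a computer from the GPOs linked at each level. Order of processing
# is local, site, domain, then OUs parent to child; the GPO processed last wins
# a conflicting setting, except that Enforced links are applied after everything
# else (highest level last) and pass through Block Inheritance. The GPO names,
# OUs and settings below are constructed sample data.


class Container:
    """A site, domain or OU and its GPO links, each (link_order, gpo, enforced);
    link order 1 has the highest precedence within the container."""

    def __init__(self, name, links=(), block_inheritance=False):
        self.name, self.links = name, list(links)
        self.block_inheritance = block_inheritance

    def linked(self, enforced):
        # higher link-order numbers are applied first so that order 1 lands last
        return [g for _, g, e in sorted(self.links, key=lambda l: -l[0]) if e == enforced]


def resultant_policy(gpos, local_policy, chain):
    """gpos: {gpo: {setting: value}}; local_policy: the machine's local GPO;
    chain: containers from the site/domain down to the object's own OU.
    Returns {setting: (value, winning GPO)}."""
    result = {s: (v, "Local") for s, v in local_policy.items()}

    def apply(gpo):
        for setting, value in gpos[gpo].items():
            result[setting] = (value, gpo)

    # Block Inheritance on a container discards the non-enforced links of all
    # containers above it; the container's own links still apply.
    start = max([i for i, c in enumerate(chain) if c.block_inheritance] or [0])
    for c in chain[start:]:
        for gpo in c.linked(enforced=False):
            apply(gpo)
    # Enforced links: child first, so the highest-level enforced GPO wins.
    for c in reversed(chain):
        for gpo in c.linked(enforced=True):
            apply(gpo)
    return result


GPOS = {
    "Default Domain Policy": {"LmCompatibilityLevel": 3, "RestrictAnonymous": 0},
    "Security Baseline": {"LmCompatibilityLevel": 5},
    "Servers Hardening": {"RestrictAnonymous": 1},
    "Legacy Apps": {"LmCompatibilityLevel": 1, "RestrictAnonymous": 0},
}
LOCAL = {"LmCompatibilityLevel": 2, "AuditLogonEvents": "Success"}
DOMAIN = Container("telia.dk", [(1, "Security Baseline", True),
                                (2, "Default Domain Policy", False)])
SERVERS_OU = Container("OU=Servers", [(1, "Servers Hardening", False)])
LEGACY_OU = Container("OU=LegacyApps", [(1, "Legacy Apps", False)],
                      block_inheritance=True)


def server_policy():
    """A server in OU=Servers under telia.dk."""
    return resultant_policy(GPOS, LOCAL, [DOMAIN, SERVERS_OU])


def legacy_policy():
    """A machine in OU=LegacyApps, which blocks inheritance."""
    return resultant_policy(GPOS, LOCAL, [DOMAIN, LEGACY_OU])


if __name__ == "__main__":
    for name, pol in [("Servers", server_policy()), ("LegacyApps", legacy_policy())]:
        print(name, pol)
```

The Legacy Apps OU blocks inheritance, so the Default Domain Policy's LmCompatibilityLevel of 3 never reaches it and its own GPO would leave the machines at level 1; only the enforced Security Baseline still forces level 5 there. That is the practical reason to link a security baseline Enforced at the domain: an OU administrator can otherwise opt out silently with Block Inheritance.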

26 Break

27 Typical server roles in an organisation
In practically every Danish organisation you will meet the following server roles:
DHCP
- The DHCP server hands out IP addresses plus other settings as needed
- One per subnet (or one central server with a DHCP relay agent on each subnet)
- All environments
The Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, default gateway, and other IP parameters. The assignment occurs when the DHCP-configured machine boots up or regains connectivity to the network. The DHCP client sends out a query requesting a response from a DHCP server on the locally attached network. The query is typically initiated immediately after booting up and before the client initiates any IP-based communication with other hosts. The DHCP server then replies to the client with its assigned IP address, subnet mask, DNS server and default gateway information. The assignment of the IP address generally expires after a predetermined period of time, at which point the DHCP client and server renegotiate a new IP address from the server's predefined pool of addresses. Typical intervals range from one hour to several months, and can, if desired, be set to infinite (never expire). The length of time the address is available to the device it was assigned to is called a lease, and is determined by the server. Because any host on the subnet can answer a DHCP query, a rogue DHCP server can hand out a malicious default gateway or DNS server; a Windows DHCP server joined to a domain must therefore be authorized in AD before it hands out leases, and switches can enforce DHCP snooping.
In a multi-domain forest the AD database is partitioned: each domain maintains a list of only those objects that belong to that domain. So, for example, a user created in Domain A would be listed only on Domain A's domain controllers. Global catalog (GC) servers are used to provide a global listing of all objects in the forest. The global catalog is held on domain controllers configured as global catalog servers. Global catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, in order to minimize replication traffic and to keep the GC's database small, only selected attributes of each object are replicated.
This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.

28 Typical server roles in an organisation
File and print
- Central file sharing
- Central printer setup
- All environments
Internal and external DNS
- Why both? (Split DNS: the external server answers only for the public hosts, so the internal namespace and host inventory are not exposed to the Internet.)
- Practically all environments
Mail server
- Is a mail server a machine?

29 Typical server roles in an organisation
Database server
- Central server, possibly a cluster
- Usually "don't touch"
- Typically Oracle, MySQL or SQL Server
- Practically all environments
ERP system
- Just as central
- Definitely also "don't touch"
- Concorde, Navision, PeopleSoft, Oracle, SAP

30 Typical server roles in an organisation
RIS server (Remote Installation Server)
- Used for unattended OS installation of clients/servers, typically via PXE boot
- Can be Altiris, IBM or MS
- Usually in environments with 50+ PCs
Monitoring server
- Monitors machines and services in the environment
- Typically IBM Tivoli, HP OpenView, CA Unicenter or MS MOM

31 Typical server roles in an organisation
Software distribution
- Distribution of software packages to clients and servers
- Usually in environments with 200+ PCs
- SMS, Altiris, Tivoli, SUS/WSUS???
WWW
- Web server
- Practically all environments
- IIS, Apache

32 Typical server roles in an organisation
Firewall
- Can be either a "black box" appliance or a software firewall
- Protects the organisation against attacks from outside
- Cisco PIX, Check Point and Microsoft ISA Server
- Many home routers offer firewall functionality
- Everywhere
VPN server
- Gives remote access to the organisation
- Lets people log on from home as if they were sitting in the office
- Cisco VPN 3000, Microsoft RRAS (ISA), Nortel
- 40+ users

33 Typical server roles in an organisation
Terminal server
- Gives "terminal access" to selected machines/applications
- X11, IBM mainframes (3270), Citrix, MS Terminal Server, MS Remote Desktop
- Which brings us on to "Server Based Computing"

34 DMZ
DMZ is short for DeMilitarized Zone, no man's land.
Most organisations on the Internet need to offer WWW, DNS, FTP and similar services. Those public-facing servers are placed in the DMZ, a separate network segment between the Internet and the internal network: the firewall lets the Internet reach only the specific service ports on the DMZ hosts, and lets the DMZ hosts reach only the specific internal systems they need, so a compromised web server does not give direct access to the internal network.

35 Server-based computing
The idea behind Server Based Computing is basically that the intelligence sits on the server side, where we can control it more easily. Clients should be as dumb and thin as possible.

36 Server-based computing
- Applications always execute on the server
- The application is accessed from a normal desktop or a thin client
- Only screen images, mouse clicks and keystrokes cross the network
- The application executes 100% on the server

37 Citrix architecture

38 Citrix client requirements
With Server Based Computing there are practically no requirements on the client. Citrix today supports, among others: Symbian, all Windows platforms, Linux, BSD, HP-UX, Solaris, PalmOS, AIX, plus general-purpose Java clients.
Really low footprint, typically under 2 MB.
Approximate bandwidth requirements:
- Citrix: 20 kbps
- MS Terminal Server: 128 kbps
- X11: 1 Mbps

39 More Citrix
- Applications can be published transparently to users
- Redirect links
- Map printers automatically
- Map local drives
- Load balance between the servers in a "farm"
- Isolate applications
In practice: install W2K3, install the applications, install Terminal Server, install Citrix.

40 Client/server application model
The client/server architecture is a popular design for distributed applications. In the client/server model the application is split into two parts. The client part works in the foreground, presenting information to the user. The server part works in the background, manipulating and processing data for the client. Such a split gives a number of advantages: for example, heavy tasks can be handled by the server computer, which is normally more powerful than the client computer, and the server can serve several clients at the same time.
[Diagram: several clients connected to one server.]

41 3-tier application model
Application distributed over several tiers: presentation/web, application logic, data.
[Diagram: clients connected to the presentation/web tier, which calls the application logic tier, which calls the data tier.]

42 3-tier application model
Advantages:
- Scalability, horizontally and vertically
- Availability and performance
- Security at several levels
Common problems:
- Load balancing
- Session handling ("sticky sessions")
- Fault isolation

43 J2EE application framework
J2EE (Java 2 Enterprise Edition) is a multi-tier, component-based application model:
- A Sun specification: a technical document describing the J2EE platform and its APIs in detail
- A Sun reference implementation, which serves both as proof of concept for the specification and as a supplement to it (where the platform's behaviour in a given case is in doubt, the reference implementation's behaviour counts as the specification)
- A tool that tests a candidate server platform's compatibility with the J2EE specification (via a set of test cases)
- A set of "J2EE blueprints": principles and tips for sound application development on the J2EE platform
Implementations: BEA WebLogic, IBM WebSphere, Red Hat JBoss

44 J2EE application framework
Application logic is defined in components. A J2EE application is assembled from components such as servlets, JSPs and enterprise beans. The different components can run on different machines.
The architecture also aims to solve cross-cutting concerns such as security, transaction support and concurrency through the so-called component/container principle: a component's publicly exposed services are accessed only indirectly through a container (an application that encapsulates the component), which can then handle the cross-cutting concerns.

45 Java
J2EE is ultimately built on Java.
Java is an object-oriented third-generation programming language inspired by C++, developed by Sun. Java was originally named Oak, but another company already held a trademark on that name, and the choice then fell on Java. Java runs on a virtual machine (JVM) intended (but not limited) to running programs written in the Java language. One characteristic of the Java language is that a program written in Java can run on any platform for which a suitable JVM exists, so as a developer you need not worry about the end user's hardware and software. While a Java program runs, the virtual machine itself removes unneeded objects that occupy space in the machine's memory (garbage collection). As a programmer you still have to keep track of other resources, such as files.

46 Microsoft .NET application framework
The Microsoft .NET application framework consists of a Common Language Runtime (CLR) and a unified set of class libraries. A .NET compiler is responsible for compiling your programs to MS Intermediate Language (MSIL), partially compiled code with references to the classes used. This process makes it possible to write .NET programs in any number of languages, which are later compiled, executed and managed by the CLR. Among other things this has meant that .NET applications are developed not only in Microsoft languages (C#, VB.NET or MC++) but in 30+ languages, e.g. Delphi .NET from Borland. Microsoft .NET further consists of ASP.NET, ADO.NET and more.

47 Exercises

