A mock question about common architecture

James Du
Ranch Hand

Joined: Mar 23, 2001
Posts: 186
Hi, friends
I found this question in a mock exam:

What are the benefits of a three-tier J2EE application architecture?

1) Scalability
2) Manageability
3) Security
4) Availability


My answer is 1) and 4), but the right answer is 1), 4) and 3)

I once read this:

What is end-to-end security? In a multitier system, each tier should have its own security and work in tandem with the other tiers. Designing security where different systems and middleware come together is quite a challenge. Simply put, system security is only as strong as the weakest link and, unless you consider security from an end-to-end viewpoint, it is subject to being broken.


I think it means that the more tiers a system involves, the weaker the system is likely to be.

At least, I can't see any benefits of a three-tier architecture as compared with the 2-tier architecture in terms of Security.


What do you think?
Thanks
[ February 25, 2005: Message edited by: James Du ]
Gustavo Dutra
Greenhorn

Joined: Jan 26, 2005
Posts: 22
Hi James,

look at this site:

http://java.sun.com/j2ee/sdk_1.2.1/techdocs/guides/j2ee-overview/Introduction.fm.html


Gustavo
James Du
Ranch Hand

Joined: Mar 23, 2001
Posts: 186
Thanks, Gustavo

I read the article but can't yet find the answer.

The question is worded as
What are the benefits of a three-tier J2EE application architecture?


What kind of architecture should we take as the reference when we talk about the J2EE application architecture? The traditional client/server system, or the 2-tier J2EE application model?

If we emphasize 3-tier, then I can't see that 3-tier is more secure than the 2-tier one. If we emphasize J2EE application architecture, there's such a phrase in the article:

The J2EE application model defines an architecture for implementing services as multi-tier applications that avoid these problems and deliver the scalability, accessibility, and manageability that is needed.


It seems that option 2 is also right. What do you think?

Thanks
James
[ February 25, 2005: Message edited by: James Du ]
Gustavo Dutra
Greenhorn

Joined: Jan 26, 2005
Posts: 22
Well James,

I think we will discover the answer together...


What kind of architecture should we take as the reference when we talk about the J2EE application architecture? The traditional client/server system, or the 2-tier J2EE application model?


I think n-tier (5 is a good number) is the appropriate reference, 3-tier is the minimum, you can break the middle tier (presentation, business and integration).

There is an article that enumerates the tiers:
1. web-client
2. presentation
3. business
4. integration
5. resource


Scalability

If the middle tier is separate (3-tier approach) you can make a cluster of computers to increase, you can make a cluster on the web or application server.

Availability
Availability is the same as scalability, but it depends a lot on the configuration of the balance to work properly.


Security
You have security on the web container and on the EJB container, either declarative and programmatic...

Manageability

Cade says in his book:

Manageability is the ability to manage the system to ensure the continued health of a system with respect to scalability, reliability, availability, performance, and security. Manageability deals with system monitoring of the QoS requirements and the ability to change the system configuration to improve the QoS dynamically without changing the system. Your architecture must have the ability to monitor the system and allow for dynamic system configuration.


I think manageability is true... it is transparent for your "Business Logic", "Presentation Logic" and "Controller" if there is a cluster or if there is a replication; this is a container responsibility.

Let's start a discussion...

[ ]s

Gustavo
Arfoo Huang
Ranch Hand

Joined: Jul 30, 2002
Posts: 31
Security: because you have more control over security in a 3-tier app than in 2-tier, and it also reduces direct connections from the client to the db server, etc.

3-tier's manageability decreased because you have more components/configurations to take care of. J2EE improves 3-tier's manageability (but not 2-tier's manageability).
Yong How, Lim
Ranch Hand

Joined: Feb 22, 2005
Posts: 52
Hi James,

I think Gustavo is right, J2EE security model is definitely better than a traditional client/server security model.

First of all, J2EE has different security domains, thus, breaking into one does not automatically give the intruder access to the rest of the domains (that cannot be true for the client/server).

Secondly, Denial Of Service is a real security threat, and J2EE by virtue of having more tiers is more resilient to that. (Of course, a good firewall can help a lot.)

Lastly, security settings can be done at J2EE containers, thus providing another additional layer of security which the server administrator can fine-tune (whereas client/server can only be done programmatically).

Just 2 cents worth, HTH.

Regards,
Yong How, Lim
SCEA, SCJD, SCJA


Regards,<br /> Yong How, Lim<br /> SCEA, SCBCD, SCWCD, SCJD, SCJP, LPIC-1
James Du
Ranch Hand

Joined: Mar 23, 2001
Posts: 186
Thanks.

Hi, Gustavo, I think in traditional C/S architecture, we can design and implement any level of security which is suitable for the system requirements. The J2EE architecture just makes this a BASIC service which can be used directly by the developers, freeing them from redeveloping it from scratch. In this regard, J2EE does provide some benefits. As for the LEVEL of the security, I think we can build a more secure system with the C/S model than with J2EE, since there are no limitations of any contract to follow.


Hi, Yong How Lim

First of all, J2EE has different security domains, thus, breaking into one does not automatically give the intruder access to the rest of the domains (that cannot be true for the client/server).


For this, could you give a concrete example?
And for this,

Secondly, Denial Of Service is a real security threat, and J2EE by virtue of having more tiers is more resilient to that. (Of course, a good firewall can help a lot.)


Why do more tiers mean a natural resilience to Denial Of Service?

Thanks
Yong How, Lim
Ranch Hand

Joined: Feb 22, 2005
Posts: 52
Security Domain:
http://www.awprofessional.com/articles/article.asp?p=102095&seqNum=3

Also read this for DDOS:
http://news.zdnet.co.uk/internet/ecommerce/0,39020372,39166155,00.htm

My advice is for you to read "Enterprise JavaBeans" by Richard Monson-Haefel.