My preference for the server-side of web applications is Java (or Javascript in the JVM). In the past that meant I needed to allow for running a Java web server (like Tomcat or Jetty) behind IIS. For many applications it made sense for IIS to be the front-end web server. Most desktops were (and are) using Internet Explorer as a web browser, and used Microsoft’s security scheme. This meant using integrated Windows authentication which eliminates a lot of explicit logins, and was a lot more practical in most cases. Originally the only way to use Windows authentication was to use IE and IIS in combination, as the protocol was proprietary and undocumented by Microsoft.

For a long time we were pretty much locked to running Java code somehow behind IIS.

Since then the Samba folk have decoded the once-secret Windows authentication protocol, and provide an usable implementation in Java (JCIFS). The implementation was first available a few years back, but as with most new software the first few versions tended to be troublesome (to varying degrees) when deployed. A bit too risky for a product installed on hundreds of unique company intra-nets.

At the same time, Microsoft continues to make changes to IIS. Seems that every new version of IIS causes existing web applications (deployed on or behind IIS) to break in new and interesting (not!) ways, and more often than not at a customer site rather than in development testing. Microsoft has good reasons for continuing to improve IIS, but those same “improvements” are a continuing source of grief for both development and our customers.

Would sure be nice to get off the IIS upgrade (not-so-merry) merry-go-round…

Another constraint was the chance that the customer might want to install other web applications on the same server box. Those other intra-net applications were likely to require IIS.

On recent reflection - I am not sure that the once-required solution still makes as much sense.

  • The non-Microsoft implementations of NTLM authentication seem a lot more reliable.
  • Cheap/powerful hardware and widespread use for virtual machines (VMware and the like) means each web application is most likely on it’s own individual machine (virtual or not).
  • New and future versions of IIS are pretty much guaranteed to cause future grief.
  • Pure Java-based solutions can be run on non-Windows platforms.

Ditching IIS would sure make my (professional) life easier…