It will create a debate. There is no satisfying answer; it differs from person to person based on requirements and platform.
Ref: http://simpleprogrammer.com/2010/02/12/c-vs-java-part-3-the-frameworks-network-reflection-security-text/
Security
Both C# and Java frameworks are vast in areas of security. Unfortunately, both are fairly complex and difficult to use or understand. Couple this complexity with the changing demands of security and theories about security, spread across multiple platforms and deployment situations, and you get a mess.
Both choices have similar functionality in cryptography. Both use provider models for authentication and support a wide variety of authentication services, including user-defined services. Both allow for role-based security through a provider model.
The differences are what you would expect considering the language and framework targets. C# and .NET are better equipped in a Windows environment and allow very easy use of Windows authentication schemes and Active Directory. Java is more flexible, allowing easier interoperability with multiple operating systems and authentication methods, but at the cost of a slightly more complex and burdensome API. C# and .NET allow the usage of Code Access Security (CAS), which is a very complex concept that basically allows individual level rights to be applied to sections of code controlled from the machine configuration. Unfortunately, this turned out to be overly complex and something that almost no one used correctly. For that reason Microsoft is getting rid of the concept of CAS in .NET Framework 4.0.
I really don’t like either choice for Security at this point. Both are confusing, and there are no clear-cut best practices for applying security to the application. I think both frameworks have a way to go to make security something that is very easy to implement and understand. We will probably see a large amount of churn in this area, because of the changing needs of security, as we transition from a primarily web-based application model to this mixed model, using applications that are able to run outside of the browser but start their life inside, and hybrid systems utilizing both.
Or just google it.