The Full Wiki

Java applet: Wikis


Encyclopedia

From Wikipedia, the free encyclopedia

Java applet created as supplementary demonstration material for a scientific publication[1] and available from the university site
Java applet that uses 3D hardware acceleration and downloads 3D files in .pdb format from the server for visualization[2]
An applet used for a non-trivial animation illustrating a biophysical topic (randomly moving ions pass through voltage gates)[3]
A Java applet used for computation-intensive visualization of the Mandelbrot set[4]
Applets run fast enough to be used for non-trivial computer games such as chess[5]
NASA World Wind (open source) is a second-generation applet[6] that makes heavy use of OpenGL and on-demand data downloading to provide a detailed 3D map of the world.
Web access to the server console at the hardware level with the help of a Java applet

A Java applet is an applet delivered to the users in the form of Java bytecode. Java applets can run in a Web browser using a Java Virtual Machine (JVM), or in Sun's AppletViewer, a stand-alone tool for testing applets. Java applets were introduced in the first version of the Java language in 1995. Java applets are usually written in the Java programming language but they can also be written in other languages that compile to Java bytecode such as Jython,[7] Ruby,[8] or Eiffel.[9]

Applets are used to provide interactive features to web applications that cannot be provided by HTML alone. They can capture mouse input (such as rotating a 3D object) and also have controls like buttons or check boxes. In response to a user action, an applet can change the graphic content it provides. This makes applets well suited for demonstration, visualization and teaching. There are online applet collections for studying various subjects, from differential equations[10] to heart physiology.[3] Applets are also used to create online game collections that allow players to compete against live opponents in real time.

An applet can also be a text area only, providing, for instance, a cross-platform command-line interface to some remote system.[11] If needed, an applet can leave its dedicated area and run as a separate window. However, applets have very little control over web page content outside the applet's dedicated area, so they are less useful for improving the site appearance in general (although applets like news tickers[12] or WYSIWYG editors[13] are also known). Applets can also play media in formats that are not natively supported by the browser.[14]

Java applets run at a speed that is comparable to (but generally slower than) other compiled languages such as C++, but many times faster than JavaScript.[15] In addition they can use 3D hardware acceleration that is available from Java. This makes applets well suited for non-trivial, computation-intensive visualizations.

HTML pages may embed parameters that are passed to the applet, so the same applet may appear differently depending on the parameters that were passed. The first implementations involved downloading an applet class by class. While classes are small files, there are frequently a lot of them, so applets got a reputation as slow-loading components. However, since jars were introduced, an applet is usually delivered as a single file about the size of a large image (hundreds of kilobytes to several megabytes).

Since Java's bytecode is platform independent, Java applets can be executed by browsers for many platforms, including Windows, Unix, Mac OS and Linux. It is also trivial to run a Java applet as an application with very little extra code. This has the advantage of running a Java applet in offline mode without the need for any Internet browser software and also directly from the development IDE.

Many Java developers, blogs and magazines are recommending that the Java Web Start technology be used in place of Applets.[16][17]

A Java Servlet is sometimes informally described as being "like" a server-side applet, but it is different in its language, functions, and in each of the characteristics described here about applets.

Technical information

Java applets are executed in a sandbox by most web browsers, preventing them from accessing local data such as the clipboard or the file system. The code of the applet is downloaded from a web server, and the browser either embeds the applet into a web page or opens a new window showing the applet's user interface.

A Java applet extends the class java.applet.Applet, or in the case of a Swing applet, javax.swing.JApplet. The class must override methods from the applet class to set up a user interface inside itself (Applet is a descendant of Panel, which is a descendant of Container). As an applet inherits from Container, it has largely the same user interface possibilities as an ordinary Java application, including regions with user-specific visualization.

The domain from which the applet executable was downloaded is the only domain with which an ordinary (unsigned) applet is allowed to communicate. This domain can be different from the domain where the surrounding HTML document is hosted.

Java system libraries and runtimes are backwards compatible, which makes it possible to write code that runs on both current and future versions of the Java virtual machine.

Embedding into web page

The applet can be displayed on the web page by making use of the deprecated applet HTML element,[18] or the recommended object element.[19] A non-standard embed element can be used[20] with Mozilla family browsers. This specifies the applet's source and location. The object and embed tags can also download and install the Java virtual machine (if required) or at least lead to the plugin page. The applet and object tags also support loading serialized applets that start in some particular (rather than initial) state. The tags also specify the message that shows up in place of the applet if the browser cannot run it for any reason.

However, although object is officially the recommended tag, as of 2010 support for the object tag was not yet consistent among browsers, and Sun kept recommending the older applet tag for deployment in multi-browser environments,[20] as it remained the only tag consistently supported by the most popular browsers. To support multiple browsers, the object tag currently requires JavaScript (that recognizes the browser and adjusts the tag), the use of additional browser-specific tags, or delivery of adapted output from the server side.

Simple examples

A basic example using the java.applet package

The following example is made simple enough to illustrate the essential use of Java applets through its java.applet package. It also uses classes from the Java Abstract Window Toolkit (AWT) for producing actual output (in this case, the "Hello, world!" message).

import java.applet.Applet;
import java.awt.*;
 
// Applet code for the "Hello, world!" example.
// This should be saved in a file named as "HelloWorld.java".
public class HelloWorld extends Applet {
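  // Lifecycle hook called once when the applet is loaded. Overriding it is
  // optional: Applet already provides an empty implementation.
  public void init() { }

  // Lifecycle hook called when the applet should stop running, for example
  // when the user leaves the page. Overriding it is also optional.
  public void stop() { }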
 
  // Print a message on the screen (x=20, y=10).
  public void paint(Graphics g) {
    g.drawString("Hello, world!", 20,10);
  }
}

For compilation, this code is saved in a plain-ASCII file with the same name as the class and a .java extension, i.e. HelloWorld.java. The resulting HelloWorld.class applet should be installed on the web server and is invoked within an HTML page by using an <APPLET> or a <SCRIPT> tag. For example:

<!DOCTYPE HTML PUBLIC 
  "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<HTML>
<HEAD>
<TITLE>HelloWorld_example.html</TITLE>
</HEAD>
<BODY>
<H1>A Java applet example</H1>
<P>Here it is: <APPLET code="HelloWorld.class" WIDTH="200" HEIGHT="40">
This is where HelloWorld.class runs.</APPLET></P>
</BODY>
</HTML>

When the HelloWorld_example.html page is displayed from a Web server, the result should look like this:

A Java applet example

Here it is: Hello, world!

To minimize download time, applets are usually delivered in the form of a compressed zip archive (with a jar extension). If all needed classes (only one in our case) are placed in the compressed archive example.jar, the embedding code would look different:

<P>Here it is: <APPLET code="HelloWorld" WIDTH="200" HEIGHT="40" ARCHIVE="example.jar">
This is where HelloWorld.class runs.</APPLET></P>

Applet inclusion is described in detail in [21].

Advantages

A Java applet can have any or all of the following advantages:

  • It is simple to make it work on Linux, Windows and Mac OS, i.e. to make it cross-platform. Applets are supported by most web browsers.
  • The same applet can work on "all" installed versions of Java at the same time, rather than just the latest plug-in version only. However, if an applet requires a later version of the JRE, the client will be forced to wait during the large download.
  • Most web browsers cache applets, so they will be quick to load when returning to a web page. Applets also improve with use: after a first applet is run, the JVM is already running and starts quickly (the JVM will need to restart each time the browser starts fresh).
  • It can move the work from the server to the client, making a web solution more scalable with the number of users/clients.
  • If a standalone program (like Google Earth) talks to the web server, that server normally also needs to support previous versions, as the user may not always keep the program updated. In contrast, the browser updates the applet, so there is no need to support legacy versions. Only because of configuration mistakes may the applet get stuck in the cache and have issues when new versions come out.
  • The applet naturally supports changing user state, like figure positions on the chessboard.
  • Developers can develop and debug an applet directly, simply by creating a main routine (either in the applet's class or in a separate class) and calling init() and start() on the applet, thus allowing for development in their favorite J2SE development environment. All one has to do after that is re-test the applet in the appletviewer program or a web browser to ensure it conforms to security restrictions.
  • An untrusted applet has no access to the local machine and can only access the server it came from. This makes such an applet much safer to run than a standalone executable that it could replace. However, a signed applet can have full access to the machine it is running on if the user agrees.

Disadvantages

A Java applet may have any of the following disadvantages:

  • It requires the Java plug-in.
  • Some organizations only allow software installed by the administrators. As a result, some users can only view applets that are important enough to justify contacting the administrator to ask for the Java plug-in to be installed.
  • As with any client-side scripting, security restrictions may make it difficult or even impossible for an untrusted applet to achieve the desired goals.
  • Some applets require a specific JRE. This is discouraged.[22]
  • If an applet requires a newer JRE than is available on the system, or a specific JRE, the user running it for the first time will need to wait for the large JRE download to complete.
  • Java automatic installation or update may fail if a proxy is used to access the web. This makes applets with specific requirements impossible to run unless Java is manually updated. The Java automatic updater that is part of the Java installation may also be complex to configure if it must work through a proxy.
  • Unlike the older applet tag, the object tag needs workarounds to write cross-browser HTML.

Compatibility related lawsuits

Sun has made a considerable effort to ensure compatibility is maintained between Java versions as they evolve, enforcing Java portability by law if required.

The 1997 Sun - Microsoft lawsuit

The 1997 lawsuit[23] was filed after Microsoft modified its own Java Virtual Machine which shipped with Internet Explorer. Microsoft added about 50 methods and 50 fields[23] into the classes within the java.awt, java.lang, and java.io packages. Other modifications included removal of RMI capability and replacement of the Java native interface from JNI to RNI, a different standard. RMI was removed because it only easily supports Java to Java communications and competes with Microsoft DCOM technology. Applets that relied on these changes or just inadvertently used them worked only within Microsoft's Java system. Sun sued for breach of trademark, as the point of Java was that there should be no proprietary extensions and that code should work everywhere. Microsoft agreed to pay Sun $20 million, and Sun agreed to grant Microsoft a limited license to use Java without modifications only and for a limited time.[24]

The 2002 Sun - Microsoft lawsuit

Microsoft continued to ship its own unmodified Java virtual machine. Over the years it has become extremely outdated, yet it is still the default for Internet Explorer. In 2002 Sun filed an antitrust lawsuit, claiming that Microsoft's attempts at illegal monopolization have harmed the Java platform. Sun demanded that Microsoft distribute Sun's current, binary implementation of Java technology as part of Windows, distribute it as a recommended update for older Microsoft desktop operating systems and stop the distribution of Microsoft's Virtual Machine (as its licensing time, agreed in the previous lawsuit, had expired).[24] Microsoft paid $700 million for pending antitrust issues, another $900 million for patent issues and a $350 million royalty fee to use Sun's software in the future.[25][26]

Applet security

There are two applet types with very different security models: signed applets and unsigned applets.[27]

Unsigned applet

Limitations for unsigned applets are understood as "draconian":[28] they have no access to the local filesystem, their web access is limited to the applet download site, and there are many other important restrictions. For instance, they cannot access system properties, use their own class loader, call native code, execute external commands on a local system or redefine classes belonging to certain packages. While they can run in a standalone frame, such a frame contains a header indicating that this is an untrusted applet. A successful initial call of a forbidden method does not automatically create a security hole, as the access controller checks the entire stack of the calling code to be sure the call is not coming from an improper location. Several specific security problems have been discovered and fixed since Java was first released, and some, like [29], persisted until as late as 2008 without anybody being aware. Some studies mention applets crashing the browser or overusing CPU resources, but these are classified as nuisances[30] and not as true security flaws. However, unsigned applets may be involved in combined attacks that exploit a combination of multiple severe configuration errors in other parts of the system.[31] An unsigned applet can also be more dangerous to run directly on the server where it is hosted because, while the code base allows it to talk with the server, running inside it can bypass the firewall. An applet may also attempt a DoS attack on the server where it is hosted, but usually the people who manage the web site also manage the applet, making this unreasonable. Communities may solve this problem via source code review or by running applets on a dedicated domain.[32]

As of 1999, no real security breaches involving unsigned applets had been publicly reported, although these references are now dated.[30][33] Using an up-to-date Web browser is usually enough to be safe against the known attacks from unsigned applets.
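The stack check described above can be followed in a small model. This is an added example, not code from the article or from the JDK: the class StackInspectionModel, its permission names and the grants are assumptions made for illustration, and it goes slightly beyond the text by also modelling a privileged block (the idea behind java.security.AccessController.doPrivileged).

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/** Simplified model of the stack walk; not the JDK's AccessController code. */
public class StackInspectionModel {

    // Hypothetical permission names chosen to mirror the restrictions in the text.
    enum Permission { READ_LOCAL_FILE, CONNECT_ORIGIN_HOST, CONNECT_OTHER_HOST, EXEC_COMMAND }

    /** One frame of the call stack: whose code it is and what that code was granted. */
    static final class Frame {
        final String code;
        final Set<Permission> granted;
        final boolean privileged; // frame entered through a doPrivileged-style call

        Frame(String code, Set<Permission> granted, boolean privileged) {
            this.code = code;
            this.granted = granted;
            this.privileged = privileged;
        }
    }

    // Constructed grants for the kinds of code the text distinguishes.
    static final Set<Permission> SYSTEM = EnumSet.allOf(Permission.class);
    static final Set<Permission> UNSIGNED_APPLET = EnumSet.of(Permission.CONNECT_ORIGIN_HOST);
    static final Set<Permission> SIGNED_AND_APPROVED = EnumSet.allOf(Permission.class);

    /**
     * Walks from the newest frame back to the oldest. Every frame visited must
     * hold the permission. The walk stops early at a privileged frame, whose
     * owner takes responsibility on behalf of the callers that came before it.
     * Returns the name of the code that blocks the request, or null if allowed.
     */
    static String deniedBy(List<Frame> stack, Permission wanted) {
        for (int i = stack.size() - 1; i >= 0; i--) {
            Frame f = stack.get(i);
            if (!f.granted.contains(wanted)) {
                return f.code;
            }
            if (f.privileged) {
                return null;
            }
        }
        return null;
    }

    /** Builds a stack, oldest caller first. */
    static List<Frame> stack(Frame... frames) {
        return Arrays.asList(frames);
    }

    static void report(String what, List<Frame> stack, Permission wanted) {
        String blocker = deniedBy(stack, wanted);
        System.out.println(what + ": " + (blocker == null ? "allowed" : "denied by " + blocker));
    }

    public static void main(String[] args) {
        Frame applet = new Frame("unsigned applet", UNSIGNED_APPLET, false);
        Frame signed = new Frame("signed applet (user approved)", SIGNED_AND_APPROVED, false);
        Frame library = new Frame("system library", SYSTEM, false);
        Frame libraryPrivileged = new Frame("system library (privileged block)", SYSTEM, true);

        // The applet reaches trusted library code, but its own frame is still on
        // the stack, so the file read is refused even though the library is trusted.
        report("applet -> library -> read file", stack(applet, library), Permission.READ_LOCAL_FILE);

        // The library deliberately vouches for one narrow operation of its own.
        report("applet -> library (privileged) -> read file",
                stack(applet, libraryPrivileged), Permission.READ_LOCAL_FILE);

        // Network access: only the host the applet was downloaded from.
        report("applet -> connect to origin host", stack(applet), Permission.CONNECT_ORIGIN_HOST);
        report("applet -> library -> connect to other host",
                stack(applet, library), Permission.CONNECT_OTHER_HOST);

        // A signed applet approved by the user holds the same grants as local code.
        report("signed applet -> library -> exec", stack(signed, library), Permission.EXEC_COMMAND);
    }
}
```

The second case is why privileged blocks in trusted code deserve review: they are the one place where the untrusted caller's missing permission is not consulted.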

Signed applet

A signed applet[34] contains a signature that the browser should verify through a remotely running, independent certificate authority server. Producing this signature involves specialized tools and interaction with the authority server maintainers. Once the signature is verified and the user of the current machine also approves, a signed applet can get more rights, becoming equivalent to an ordinary standalone program. The rationale is that the author of the applet is now known and will be responsible for any deliberate damage. This approach allows applets to be used for many tasks that are otherwise not possible with client-side scripting. However, this approach requires more responsibility from the user, who must decide whom he or she trusts. The related concerns include a non-responsive authority server, wrong evaluation of the signer identity when issuing certificates, and known applet publishers still doing something that the user would not approve of. Hence signed applets, which appeared with Java 1.1, may actually have more security concerns.
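Before trusting a signed applet archive, a reviewer can check which entries the signature covers and who signed them. The following is an added example, not code from the article: the class name JarSignerAudit is an assumption, it uses the standard java.util.jar API, and when no path is given it audits a small unsigned archive that it constructs itself.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class JarSignerAudit {

    /** Result of auditing one archive. */
    static final class Report {
        final List<String> unsignedEntries = new ArrayList<>();
        final Set<String> signerSubjects = new TreeSet<>();
        int entriesChecked;

        boolean fullySigned() {
            return entriesChecked > 0 && unsignedEntries.isEmpty();
        }
    }

    /** Files that carry the signature itself are never covered by it. */
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) {
            return false;
        }
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
                || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    /**
     * Opens the archive with verification enabled and reads every entry to the
     * end. Signers are only known after an entry has been read completely, and a
     * digest mismatch surfaces during the read as a SecurityException.
     * Note: this checks that content, digests and signature block agree with the
     * embedded certificate. Whether that certificate chains to a trusted
     * authority, has expired or was revoked must be decided separately.
     */
    static Report audit(Path jar) throws IOException {
        Report report = new Report();
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) {
                    continue;
                }
                try (InputStream in = jf.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain so verification completes */ }
                }
                report.entriesChecked++;
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    report.unsignedEntries.add(entry.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate cert =
                            (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    report.signerSubjects.add(cert.getSubjectX500Principal().getName());
                }
            }
        }
        return report;
    }

    /** Constructed sample input: an unsigned archive with one placeholder entry. */
    static Path buildUnsignedSample() throws IOException {
        Path p = Files.createTempFile("sample-applet", ".jar");
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(p), mf)) {
            out.putNextEntry(new JarEntry("HelloWorld.class"));
            out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE}); // not a real class
            out.closeEntry();
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        Path jar = args.length > 0 ? Paths.get(args[0]) : buildUnsignedSample();
        try {
            Report r = audit(jar);
            System.out.println(jar + ": " + r.entriesChecked + " entries checked");
            System.out.println("fully signed: " + r.fullySigned());
            for (String name : r.unsignedEntries) System.out.println("  unsigned: " + name);
            for (String subject : r.signerSubjects) System.out.println("  signer:   " + subject);
        } catch (SecurityException tampered) {
            System.out.println(jar + ": REJECTED, " + tampered.getMessage());
        }
    }
}
```

An archive that mixes signed and unsigned entries, or lists more than one signer, deserves a closer look before a user is asked to approve it.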

Java security problems are not fundamentally different from similar problems of any client-side scripting platform. In particular, all issues related to signed applets also apply to ActiveX.

Alternatives

Alternative technologies exist (for example, JavaScript, Curl, Flash, and Microsoft Silverlight) that satisfy some of the scope of what is possible with an applet. Of these, JavaScript is not always viewed as a competing replacement; JavaScript can coexist with applets in the same page, assist in launching applets (for instance, in a separate frame or by providing platform workarounds) and later be called from the applet code.[35]

References

  1. ^ World of Fungi - page of the scientific project, serving an applet that is used as an illustration figure
  2. ^ The home site of the 3D protein viewer (Openastexviewer) under LGPL
  3. ^ a b The virtual hearth
  4. ^ The home site of the Mandelbrot set applet under GPL
  5. ^ The home site of the chess applet under BSD
  6. ^ Java.Sun.com
  7. ^ Jython applet page
  8. ^ About Java applets in Ruby
  9. ^ A tool to produce Java applets with SmartEiffel
  10. ^ The d'Arbeloff Interactive Math Project
  11. ^ Jraft.com
  12. ^ ObjectPlanet.com, an applet that works as news ticker
  13. ^ Sferyx.com, a company that produces applets acting as WYSIWYG editors.
  14. ^ Cortado applet to play ogg format
  15. ^ An example of the 2005 year performance benchmarking
  16. ^ JavaWorld.com
  17. ^ JavaChannel.net
  18. ^ W3.org
  19. ^ W3.org
  20. ^ a b Sun's position on applet and object tags
  21. ^ Sun's official page about the APPLET tag. Java.Sun.com
  22. ^ Oracle notes on Java versioning
  23. ^ a b 1997 year Sun-Microsoft lawsuit in JavaWorld
  24. ^ a b Sun's page, devoted for the lawsuits against Microsoft
  25. ^ Sun - Microsoft 2002 lawsuit
  26. ^ Microsoft page devoted to the Sun - Microsoft 2002 lawsuit
  27. ^ Sun's explanation about applet security
  28. ^ Java Security FAQ Applet Security Restrictions by Mark Wutka
  29. ^ Description of Calendar serialization security bug
  30. ^ a b Java Security FAQ
  31. ^ Avirubin.com
  32. ^ Strategy.Wikimedia.org, Proposal with discussion about Java applets in community sites
  33. ^ G. McGraw, E. W. Felten. Securing Java. ISBN 047131952X
  34. ^ Informit.com
  35. ^ Rgagnon.com, calling JavaScript from Java applet

A Java applet is an applet delivered to the users in the form of Java bytecode. Java applets can run in a Web browser using a Java Virtual Machine (JVM), or in Sun's AppletViewer, a stand-alone tool for testing applets. Java applets were introduced in the first version of the Java language in 1995. Java applets are usually written in the Java programming language but they can also be written in other languages that compile to Java bytecode such as Jython,[7] JRuby,[8] or Eiffel (via SmartEiffel).[9]

Applets are used to provide interactive features to web applications that cannot be provided by HTML alone. They can capture mouse input (such as rotating a 3D object) and also have controls like buttons or check boxes. In response to a user action, an applet can change the graphic content it provides. This makes applets well suited for demonstration, visualization and teaching. There are online applet collections for studying various subjects, from physics[10] to heart physiology.[3] Applets are also used to create online game collections that allow players to compete against live opponents in real time.

An applet can also be a text area only, providing, for instance, a cross-platform command-line interface to some remote system.[11] If needed, an applet can leave its dedicated area and run as a separate window. However, applets have very little control over web page content outside the applet's dedicated area, so they are less useful for improving the site appearance in general (although applets like news tickers[12] or WYSIWYG editors[13] are also known). Applets can also play media in formats that are not natively supported by the browser.[14]

Java applets run at a speed that is comparable to (but generally slower than) other compiled languages such as C++, but many times faster than JavaScript.[15] In addition they can use 3D hardware acceleration that is available from Java. This makes applets well suited for non-trivial, computation-intensive visualizations.

HTML pages may embed parameters that are passed to the applet, so the same applet may appear differently depending on the parameters that were passed. The first implementations involved downloading an applet class by class. While classes are small files, there are frequently a lot of them, so applets got a reputation as slow-loading components. However, since jars were introduced, an applet is usually delivered as a single file about the size of a large image (hundreds of kilobytes to several megabytes).

Since Java's bytecode is platform independent, Java applets can be executed by browsers for many platforms, including Microsoft Windows, Unix, Mac OS and Linux. It is also trivial to run a Java applet as an application with very little extra code. This has the advantage of running a Java applet in offline mode without the need for any Internet browser software and also directly from the development IDE.

Many Java developers, blogs and magazines are recommending that the Java Web Start technology be used in place of Applets.[16][17]

A Java Servlet is sometimes informally described as being "like" a server-side applet, but it is different in its language, functions, and in each of the characteristics described here about applets.

Technical information

Java applets are executed in a sandbox by most web browsers, preventing them from accessing local data such as the clipboard or the file system. The code of the applet is downloaded from a web server, and the browser either embeds the applet into a web page or opens a new window showing the applet's user interface.

A Java applet extends the class java.applet.Applet, or in the case of a Swing applet, javax.swing.JApplet. The class must override methods from the applet class to set up a user interface inside itself (Applet is a descendant of Panel, which is a descendant of Container). As an applet inherits from Container, it has largely the same user interface possibilities as an ordinary Java application, including regions with user-specific visualization.

The domain from where the applet executable has been downloaded is the only domain to which the usual (unsigned) applet is allowed to communicate. This domain can be different from the domain where the surrounding HTML document is hosted.

Java system libraries and runtimes are backwards compatible, which makes it possible to write code that runs on both current and future versions of the Java virtual machine.

Embedding into web page

The applet can be displayed on the web page by making use of the deprecated applet HTML element,[18] or the recommended object element.[19] A non-standard embed element can be used[20] with Mozilla family browsers. This specifies the applet's source and location. The object and embed tags can also download and install the Java virtual machine (if required) or at least lead to the plugin page. The applet and object tags also support loading serialized applets that start in some particular (rather than initial) state. The tags also specify the message that shows up in place of the applet if the browser cannot run it for any reason.

However, despite object being officially a recommended tag, as of 2010, the support of the object tag was not yet consistent among browsers and Sun kept recommending the older applet tag for deploying in multibrowser environments,[20] as it remained the only tag consistently supported by the most popular browsers. To support multiple browsers, the object tag currently requires JavaScript (that recognizes the browser and adjusts the tag), usage of additional browser-specific tags or delivering adapted output from the server side. Deprecating the applet tag has been criticised.[21] Oracle now provides maintained JavaScript code[22] to launch applets with cross-platform workarounds.

Simple examples

A basic example using the java.applet package

The following example is made simple enough to illustrate the essential use of Java applets through its java.applet package. It also uses classes from the Java Abstract Window Toolkit (AWT) for producing actual output (in this case, the "Hello, world!" message).

import java.applet.Applet;
import java.awt.*;

// Applet code for the "Hello, world!" example.
// This should be saved in a file named as "HelloWorld.java".
public class HelloWorld extends Applet {
  // Lifecycle hook called once when the applet is loaded. Overriding it is
  // optional: Applet already provides an empty implementation.
  public void init() { }

  // Lifecycle hook called when the applet should stop running, for example
  // when the user leaves the page. Overriding it is also optional.
  public void stop() { }

  // Print a message on the screen (x=20, y=10).
  public void paint(Graphics g) {
    g.drawString("Hello, world!", 20,10);
  }
}

More simple applets are available at Wikiversity.[23]

For compilation, this code is saved in a plain-ASCII file with the same name as the class and a .java extension, i.e. HelloWorld.java. The resulting HelloWorld.class applet should be installed on the web server and is invoked within an HTML page by using an or an tag. For example:

<!DOCTYPE HTML PUBLIC 
  "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<HTML>
<HEAD>
<TITLE>HelloWorld_example.html</TITLE>
</HEAD>
<BODY>
<H1>A Java applet example</H1>
<P>Here it is: <APPLET code="HelloWorld.class" WIDTH="200" HEIGHT="40">
This is where HelloWorld.class runs.</APPLET></P>
</BODY>
</HTML>

When the HelloWorld_example.html page is displayed from a Web server, the result should look like this:

A Java applet example

Here it is: Hello, world!

To minimize download time, applets are usually delivered in the form of a compressed zip archive (with a jar extension). If all needed classes (only one in our case) are placed in the compressed archive example.jar, the embedding code would look different:

<P>Here it is: <APPLET code="HelloWorld" WIDTH="200" HEIGHT="40" ARCHIVE="example.jar">
This is where HelloWorld.class runs.</APPLET></P>

Applet inclusion is described in detail in Sun's official page about the APPLET tag.[24]

Advantages

A Java applet can have any or all of the following advantages:

  • It is simple to make it work on Linux, Microsoft Windows and Mac OS X i.e. to make it cross platform. Applets are supported by most web browsers.
  • The same applet can work on "all" installed versions of Java at the same time, rather than just the latest plug-in version only. However, if an applet requires a later version of the Java Runtime Environment (JRE) the client will be forced to wait during the large download.
  • Most web browsers cache applets, so will be quick to load when returning to a web page. Applets also improve with use: after a first applet is run, the JVM is already running and starts quickly (the JVM will need to restart each time the browser starts afresh).
  • It can move the work from the server to the client, making a web solution more scalable with the number of users/clients.
  • If a standalone program (like Google Earth) talks to a web server, that server normally needs to support all previous versions in case a user has not kept his or her client software up to date. In contrast, a properly configured browser loads (and caches) the latest applet version, so there is no need to support legacy versions.
  • The applet naturally supports the changing user state, such as figure positions on the chessboard.
  • Developers can develop and debug an applet directly, simply by creating a main routine (either in the applet's class or in a separate class) and calling init() and start() on the applet, thus allowing for development in their favorite Java SE development environment. All one has to do after that is re-test the applet in the AppletViewer program or a web browser to ensure it conforms to security restrictions.
  • An untrusted applet has no access to the local machine and can only access the server it came from. This makes such an applet much safer to run than a standalone executable that it could replace. However, a signed applet can have full access to the machine it is running on if the user agrees.

Disadvantages

A Java applet may have any of the following disadvantages:

  • It requires the Java plug-in.
  • Some organizations only allow software installed by the administrators. As a result, some users can only view applets that are important enough to justify contacting the administrator to request installation of the Java plug-in.
  • As with any client-side scripting, security restrictions may make it difficult or even impossible for an untrusted applet to achieve the desired goals.
  • Some applets require a specific JRE. This is discouraged.[25]
  • If an applet requires a newer JRE than available on the system, or a specific JRE, the user running it the first time will need to wait for the large JRE download to complete.
  • Java automatic installation or update may fail if a proxy server is used to access the web. This makes applets with specific requirements impossible to run unless Java is manually updated. The Java automatic updater that is part of a Java installation also may be complex to configure if it must work through a proxy.
  • Unlike the older applet tag, the object tag needs workarounds to write a cross-browser HTML document.

Compatibility related lawsuits

Sun has made a considerable effort to ensure compatibility is maintained between Java versions as they evolve, enforcing Java portability by law if required. Oracle seems to be continuing the same strategy.

The 1997 Sun - Microsoft lawsuit

The 1997 lawsuit[26] was filed after Microsoft modified its own Java Virtual Machine which shipped with Internet Explorer. Microsoft added about 50 methods and 50 fields[26] into the classes within the java.awt, java.lang, and java.io packages. Other modifications included removal of RMI capability and replacement of the Java native interface from JNI to RNI, a different standard. RMI was removed because it only easily supports Java to Java communications and competes with Microsoft DCOM technology. Applets that relied on these changes or just inadvertently used them worked only within Microsoft's Java system. Sun sued for breach of trademark, as the point of Java was that there should be no proprietary extensions and that code should work everywhere. Microsoft agreed to pay Sun $20 million, and Sun agreed to grant Microsoft a limited license to use Java without modifications only and for a limited time.[27]

The 2002 Sun - Microsoft lawsuit

Microsoft continued to ship its own unmodified Java virtual machine. Over the years it became extremely outdated, yet it remained the default for Internet Explorer. In 2002 Sun filed an antitrust lawsuit, claiming that Microsoft's attempts at illegal monopolization had harmed the Java platform. Sun demanded that Microsoft distribute Sun's current binary implementation of Java technology as part of Windows, distribute it as a recommended update for older Microsoft desktop operating systems, and stop distributing Microsoft's Virtual Machine (as its licensing time, agreed in the previous lawsuit, had expired).[27] Microsoft paid $700 million for pending antitrust issues, another $900 million for patent issues and a $350 million royalty fee to use Sun's software in the future.[28][29]

The 2010 Oracle - Google lawsuit

Google has developed its own Android platform, which uses Java features and concepts yet is not compatible with the standard libraries. This has been a violation of the conditions under which Sun granted OpenJDK patents to use open source Java for all.[30] In 2010 Oracle sued Google[31] for using Java "in a wrong way", claiming that "Google’s Android competes with Oracle America’s Java" and that "Google has been aware of Sun’s patent portfolio .. since Google hired certain former Sun Java engineers". Oracle currently seems to be seeking as much as a halt to further Android development, trying to replace it with a standard Java version.[32] This lawsuit is currently ongoing.

Applet security

There are two applet types with very different security models: signed applets and unsigned applets.[33]

Unsigned applet

The limitations on unsigned applets are understood as "draconian":[34] they have no access to the local filesystem, and their web access is limited to the applet download site; there are also many other important restrictions. For instance, they cannot access system properties, use their own class loader, call native code, execute external commands on a local system or redefine classes belonging to certain packages. While they can run in a standalone frame, such a frame contains a header indicating that this is an untrusted applet. A successful initial call to a forbidden method does not automatically create a security hole, because an access controller checks the entire stack of the calling code to be sure the call is not coming from an improper location.

As with any complex system, multiple security problems have been discovered and fixed since Java was first released. Some of these (like the Calendar serialization security bug[35]) persisted for many years without anybody being aware. However, it seems that most (if not all) security holes are closed before anybody is able to exploit them on a larger scale.

Some studies mention applets crashing the browser or overusing CPU resources, but these are classified as nuisances[36] and not as true security flaws. However, unsigned applets may be involved in combined attacks that exploit a combination of multiple severe configuration errors in other parts of the system.[37] An unsigned applet can also be more dangerous to run directly on the server where it is hosted because, while its code base allows it to talk with the server, running on the server itself it can bypass the firewall. An applet may also try DoS attacks on the server where it is hosted, but usually the people who manage the web site also manage the applet, making this unreasonable. Communities may solve this problem via source code review or by running applets on a dedicated domain.[38][39]

As of 1999 no real security breaches involving unsigned applets have ever been publicly reported.[36][40] Using an up-to-date Web browser is usually enough to be safe against the known attacks from unsigned applets.

Signed applet

A signed applet[41] contains a signature that the browser should verify through a remotely running, independent certificate authority server. Producing this signature involves specialized tools and interaction with the authority server maintainers. Once the signature is verified, and the user of the current machine also approves, a signed applet can get more rights, becoming equivalent to an ordinary standalone program. The rationale is that the author of the applet is now known and will be responsible for any deliberate damage. This approach allows applets to be used for many tasks that are otherwise not possible with client-side scripting. However, it requires more responsibility from the user, who must decide whom he or she trusts. The related concerns include a non-responsive authority server, wrong evaluation of the signer's identity when issuing certificates, and known applet publishers still doing something that the user would not approve of. Hence signed applets, which have been available since Java 1.1, may actually have more security concerns.[42]

Self-signed applet

Self-signed applets, which are applets signed by the developers themselves, may potentially pose a security risk; Java plug-ins provide a warning when requesting authorisation for a self-signed applet, as the function and safety of the applet are guaranteed only by the developer, and have not been independently confirmed. Such self-signed certificates are usually only used during development prior to release, where third-party confirmation of security is unimportant, but most applet developers will seek third-party signing to ensure that users trust the applet's safety.

Java security problems are not fundamentally different from similar problems of any client-side scripting platform. In particular, all issues related to signed applets also apply to Microsoft ActiveX components.
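The stack check described under "Unsigned applet" and the extra rights described under "Signed applet", as an added example that is not part of the original article: a simplified Python model of the decision, not Java's own API. The permission strings, domain names, method names and host names are constructed for illustration.

```python
from dataclasses import dataclass

ALL = "*"  # constructed marker meaning "every permission"

@dataclass(frozen=True)
class Domain:
    """Permissions attached to all code loaded from one source."""
    name: str
    permissions: frozenset

@dataclass(frozen=True)
class Frame:
    method: str
    domain: Domain

SYSTEM = Domain("system-classes", frozenset({ALL}))

def applet_domain(codebase_host, signature_verified=False, user_approved=False):
    """Verified signature plus user approval gives full rights; anything else is sandboxed."""
    if signature_verified and user_approved:
        return Domain("signed-applet", frozenset({ALL}))
    # Sandbox: no filesystem, no exec, network only back to the download host.
    return Domain("unsigned-applet", frozenset({"connect:" + codebase_host}))

def check_permission(stack, permission):
    """Return (allowed, denying_method); every frame on the stack must hold the permission."""
    for frame in reversed(stack):  # most recent caller first
        perms = frame.domain.permissions
        if ALL not in perms and permission not in perms:
            return False, frame.method
    return True, None

def read_file_via_library(applet):
    """The applet calls a trusted library method, which then attempts a file read."""
    stack = [
        Frame("Applet.init", applet),
        Frame("TrustedLibrary.loadConfig", SYSTEM),
        Frame("FileInputStream.<init>", SYSTEM),
    ]
    return check_permission(stack, "file.read:/home/user/notes.txt")

def connect(applet, host):
    """The applet opens a socket to the given host."""
    stack = [Frame("Applet.start", applet), Frame("Socket.connect", SYSTEM)]
    return check_permission(stack, "connect:" + host)

if __name__ == "__main__":
    sandboxed = applet_domain("applets.example.org")
    print(read_file_via_library(sandboxed))
    print(connect(sandboxed, "applets.example.org"))
    print(connect(sandboxed, "intranet.example.net"))
```

The sandboxed applet reaches the trusted library without error, but the read is refused because the applet's own frame is still on the stack when the check runs.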

Alternatives

Alternative technologies exist (for example, JavaScript, Curl, Flash, and Microsoft Silverlight) that cover some of the scope of what is possible with an applet. Of these, JavaScript is not always viewed as a competing replacement; JavaScript can coexist with applets in the same page, assist in launching applets (for instance, in a separate frame or by providing platform workarounds) and later be called from the applet code.[43] JavaFX, an extension of the Java platform, may also be viewed as an alternative.

References

  1. World of Fungi - page of the scientific project, serving an applet that is used as an illustration figure
  2. The home site of the 3D protein viewer (Openastexviewer) under LGPL
  3. The virtual heart
  4. The home site of the Mandelbrot set applet under GPL
  5. The home site of the chess applet under BSD
  6. Java.Sun.com
  7. Jython applet page
  8. About Java applets in Ruby
  9. A tool to produce Java applets with SmartEiffel
  10. Paul Falstad online applet portal
  11. Jraft.com
  12. ObjectPlanet.com, an applet that works as news ticker
  13. Sferyx.com, a company that produces applets acting as WYSIWYG editor
  14. Cortado applet to play ogg format
  15. An example of the 2005 year performance benchmarking
  16. JavaWorld.com
  17. JavaChannel.net
  18. W3.org
  19. W3.org
  20. Sun's position on applet and object tags
  21. Criticism of APPLET tag deprecation
  22. Java applet launcher from Oracle
  23. Java applet section in Wikiversity
  24. Java.Sun.com Sun's APPLET tag page
  25. Oracle notes on Java versioning
  26. 1997 year Sun-Microsoft lawsuit in JavaWorld
  27. Sun's page, devoted to the lawsuits against Microsoft
  28. Sun - Microsoft 2002 lawsuit
  29. Microsoft page devoted to the Sun - Microsoft 2002 lawsuit
  30. [1]
  31. Oracle sues Google over Android
  32. Discussions on Oracle plans in mashable.com
  33. Sun's explanation about applet security
  34. Java Security FAQ Applet Security Restrictions by Mark Wutka
  35. Description of Calendar serialization security bug
  36. Java Security FAQ
  37. Avirubin.com
  38. Strategy.Wikimedia.org, proposal with discussion about Java applets in community sites
  39. Ultrastudio.org, user editable educational site with full applet support
  40. G. McGraw, E. W. Felten. Securing Java. ISBN 047131952X
  41. Informit.com
  42. Sid Stamm, Markus Jakobsson, Mona Gandhi (2006). A study in socially transmitted malware
  43. Rgagnon.com, calling a Java applet from JavaScript
