Java applet: Difference between revisions
FreeFlow99 (talk | contribs) m added NetRexx (previously omitted) |
fix tense problems throughout, and copyedit |
||
Line 17: | Line 17: | ||
Java applets run at very fast speeds and until 2011, they were many times faster than [[JavaScript]].{{citation needed|reason=There's a claim being made with no evidence of its truth. Speed is also an ambiguous term here. They most certainly had massive start time overhead.|date=June 2021}} Unlike JavaScript, Java applets had access to 3D [[hardware acceleration]], making them well-suited for non-trivial, computation-intensive visualizations. As browsers have gained support for hardware-accelerated graphics thanks to the [[canvas element|canvas]] technology (or specifically [[WebGL]] in the case of 3D graphics),<ref>{{cite web |url=https://developer.mozilla.org/en-US/docs/Web/HTML/Element/canvas#Browser_compatibility|title=canvas - HTML|publisher=Mozilla Developer Network|access-date=15 August 2015}}</ref><ref>{{cite web |url= https://developer.mozilla.org/en-US/docs/Web/enwiki/api/WebGL_API#Browser_compatibility|title=WebGL - Web API Interfaces|publisher=Mozilla Developer Network|access-date=15 August 2015}}</ref> as well as [[just-in-time compilation|just-in-time compiled]] JavaScript,<ref>{{cite web|url=https://developers.google.com/v8/design?hl=en|title=Design Elements - Chrome V8|access-date=15 August 2015}}</ref> the speed difference has become less noticeable.{{citation needed|reason=there is no evidence of the less noticeable speed difference in the previous citations especially with WebGL whereas some unverifiable sources seem to show that it's a lot slower than JOGL: http://stackoverflow.com/questions/11087520/jogl-applets-versus-webgl|date=February 2016}} |
Java applets run at very fast speeds and until 2011, they were many times faster than [[JavaScript]].{{citation needed|reason=There's a claim being made with no evidence of its truth. Speed is also an ambiguous term here. They most certainly had massive start time overhead.|date=June 2021}} Unlike JavaScript, Java applets had access to 3D [[hardware acceleration]], making them well-suited for non-trivial, computation-intensive visualizations. As browsers have gained support for hardware-accelerated graphics thanks to the [[canvas element|canvas]] technology (or specifically [[WebGL]] in the case of 3D graphics),<ref>{{cite web |url=https://developer.mozilla.org/en-US/docs/Web/HTML/Element/canvas#Browser_compatibility|title=canvas - HTML|publisher=Mozilla Developer Network|access-date=15 August 2015}}</ref><ref>{{cite web |url= https://developer.mozilla.org/en-US/docs/Web/enwiki/api/WebGL_API#Browser_compatibility|title=WebGL - Web API Interfaces|publisher=Mozilla Developer Network|access-date=15 August 2015}}</ref> as well as [[just-in-time compilation|just-in-time compiled]] JavaScript,<ref>{{cite web|url=https://developers.google.com/v8/design?hl=en|title=Design Elements - Chrome V8|access-date=15 August 2015}}</ref> the speed difference has become less noticeable.{{citation needed|reason=there is no evidence of the less noticeable speed difference in the previous citations especially with WebGL whereas some unverifiable sources seem to show that it's a lot slower than JOGL: http://stackoverflow.com/questions/11087520/jogl-applets-versus-webgl|date=February 2016}} |
||
Since Java bytecode is [[cross-platform]] (or platform independent), Java applets |
Since Java bytecode is [[cross-platform]] (or platform independent), Java applets could be executed by [[client (computing)|client]]s for many platforms, including [[Microsoft Windows]], [[FreeBSD]], [[Unix]], [[macOS]] and [[Linux]]. They could not be run on mobile devices, which do not support running standard Oracle JVM bytecode. [[Android (operating system)|Android]] devices can run code written in Java compiled for the [[Android Runtime]]. |
||
== Overview == |
== Overview == |
||
Line 29: | Line 29: | ||
== Technical information == |
== Technical information == |
||
Most browsers executed Java applets in a ''[[sandbox (security)|sandbox]]'', preventing applets from accessing local data like the [[clipboard (software)|clipboard]] or [[file system]].{{Citation needed|date=March 2021}} The code of the applet |
Most browsers executed Java applets in a ''[[sandbox (security)|sandbox]]'', preventing applets from accessing local data like the [[clipboard (software)|clipboard]] or [[file system]].{{Citation needed|date=March 2021}} The code of the applet was downloaded from a [[web server]], after which the browser either [[compound document|embeded]] the applet into a web page or opened a new window showing the applet's [[user interface]]. |
||
A Java applet extends the class {{Javadoc:SE|package=java.applet|java/applet|Applet}}, or in the case of a [[Swing (Java)|Swing]] applet, {{Javadoc:SE|package=javax.swing|javax/swing|JApplet}}. The class which must override methods from the applet class to set up a user interface inside itself (<code>Applet</code>) is a descendant of {{Javadoc:SE|java/awt|Panel}} which is a descendant of {{Javadoc:SE|java/awt|Container}}. As applet inherits from container, it has largely the same user interface possibilities as an ordinary Java application, including regions with user specific visualization. <!-- I feel like there is something wrong here, as I'm not sure what it's trying to say. Maybe someone with more programming knowledge than myself can clarify here. --> |
|||
The first implementations involved downloading an applet class by class. While classes are small files, there are often many of them, so applets got a reputation as slow-loading components. However, since <code>[[JAR (file format)|.jar]]s</code> were introduced, an applet is usually delivered as a single file that has a size similar to an image file (hundreds of kilobytes to several megabytes). |
The first implementations involved downloading an applet class by class. While classes are small files, there are often many of them, so applets got a reputation as slow-loading components. However, since <code>[[JAR (file format)|.jar]]s</code> were introduced, an applet is usually delivered as a single file that has a size similar to an image file (hundreds of kilobytes to several megabytes). |
||
Line 38: | Line 36: | ||
=== Similar technologies === |
=== Similar technologies === |
||
Many Java developers, blogs and magazines |
Many Java developers, blogs and magazines reccomended that the [[Java Web Start]] technology be used in place of applets.<ref>{{cite web |last1=Srinivas |first1=Raghavan N. |date=2001-07-06 |df=dmy |url=https://www.infoworld.com/article/2075391/java-web-start-to-the-rescue.html |title=Java Web Start to the rescue |work=[[JavaWorld]] |access-date=2020-07-13}}</ref> Java Web Start allowed the launching of unmodified applet code, which then ran in a separate window (not inside the invoking browser). |
||
A [[Java Servlet]] is sometimes informally compared to be "like" a server-side applet, but it is different in its language, functions, and in each of the characteristics described here about applets. |
A [[Java Servlet]] is sometimes informally compared to be "like" a server-side applet, but it is different in its language, functions, and in each of the characteristics described here about applets. |
||
== Embedding into a web page == |
== Embedding into a web page == |
||
The applet |
The applet would be be displayed on the web page by making use of the deprecated <code>[[Img (HTML element)|applet]]</code> HTML element,<ref>{{cite web|url=http://www.w3.org/TR/html401/struct/objects.html#edef-APPLET|title=W3.org}}</ref> or the recommended <code>object</code> element.<ref>{{cite web|url=http://www.w3.org/TR/html401/struct/objects.html#edef-OBJECT|title=W3.org}}</ref> The <code>embed</code> element can be used<ref name="java">{{cite web|url=http://www.java.com/en/download/manual.jsp |title=Java Downloads for All Operating Systems |publisher=Java.com |date=14 August 2012 |access-date=2013-06-14}}</ref> with Mozilla family browsers (<code>embed</code> was deprecated in HTML 4 but is included in HTML 5). This specifies the applet's source and location. Both <code>object</code> and <code>embed</code> tags can also download and install Java virtual machine (if required) or at least lead to the plugin page. <code>applet</code> and <code>object</code> tags also support loading of the serialized applets that start in some particular (rather than initial) state. Tags also specify the message that shows up in place of the applet if the browser cannot run it due to any reason. |
||
However, despite <code>object</code> being officially a recommended tag |
However, despite <code>object</code> being officially a recommended tag in 2010, the support of the <code>object</code> tag was not yet consistent among browsers and Sun kept recommending the older <code>applet</code> tag for deploying in multibrowser environments,<ref name="ja">{{Cite web |url=http://download.java.net/jdk7/docs/technotes/guides/plugin/developer_guide/using_tags.html#object |title=Sun's position on applet and object tags |access-date=14 January 2010 |archive-url=https://web.archive.org/web/20100609015456/http://download.java.net/jdk7/docs/technotes/guides/plugin/developer_guide/using_tags.html#object |archive-date=9 June 2010 |url-status=dead }}</ref> as it remained the only tag consistently supported by the most popular browsers. To support multiple browsers, using the <code>object</code> tag to embed an applet would require JavaScript (that recognizes the browser and adjusts the tag), usage of additional browser-specific tags or delivering adapted output from the server side. |
||
The Java browser plug-in |
The Java browser plug-in relied on [[NPAPI]], which nearly all web browser vendors have removed support for, or do not implement, due to its age and security issues. In January 2016, Oracle announced that Java runtime environments based on JDK 9 will discontinue the browser plug-in.<ref name="ars-nopluginjdk9">{{cite web|title=Oracle deprecates the Java browser plugin, prepares for its demise|url=https://arstechnica.com/information-technology/2016/01/oracle-deprecates-the-java-browser-plugin-prepares-for-its-demise/|website=Ars Technica|access-date=15 April 2016}}</ref> |
||
== Advantages == |
== Advantages == |
||
A Java applet |
A Java applet could have any or all of the following advantages:<ref>[http://download.oracle.com/javase/tutorial/deployment/applet/index.html Oracle official] overview on Java applet technology</ref> |
||
* It |
* It was simple to make it work on FreeBSD, Linux, Microsoft Windows and macOS{{snd}} that is, to make it cross-platform. Applets were supported by most [[web browser]]s through the first decade of the 21st century; since then, however, most browsers have dropped applet support for security reasons. |
||
* The same applet |
* The same applet would work on "all" installed versions of Java at the same time, rather than just the latest [[plug-in (computing)|plug-in]] version only. However, if an applet requires a later version of the [[Java Virtual Machine|Java Runtime Environment]] (JRE) the client would be forced to wait during the large download. |
||
* Most web browsers [[web cache| |
* Most web browsers [[web cache|cached]] applets so they were quick to load when returning to a web page. Applets also improved with use: after a first applet is run, the JVM was already running and subsequent applets started quickly (the JVM will need to restart each time the browser starts afresh). JRE versions 1.5 and greater restarted the JVM when the browser navigates between pages, as a security measure which removed that performance gain. |
||
* It |
* It moved work from the [[server (computing)|server]] to the [[client (computing)|client]], making a web solution more scalable with the number of users/clients. |
||
* If a standalone program (like [[Google Earth]]) talks to a web server, that server normally needs to support all prior versions for users who have not kept their client software updated. In contrast, a |
* If a standalone program (like [[Google Earth]]) talks to a web server, that server normally needs to support all prior versions for users who have not kept their client software updated. In contrast, a browser loaded (and cached) the latest applet version, so there is no need to support legacy versions. |
||
* |
* Applet naturally supported changing user state, such as figure positions on the chessboard. |
||
* Developers |
* Developers could develop and debug an applet directly simply by creating a main routine (either in the applet's class or in a separate class) and calling init() and start() on the applet, thus allowing for development in their favorite [[Java Platform, Standard Edition|Java SE]] development environment. All one had to do was to re-test the applet in the AppletViewer program or a web browser to ensure it conforms to security restrictions. |
||
* An [[Browser security|untrusted]] applet |
* An [[Browser security|untrusted]] applet had no access to the local machine and can only access the server it came from. This makes applets much safer to run than the native executables that they would replace. However, a signed applet could have full access to the machine it is running on, if the user agreed. |
||
* Java applets |
* Java applets were fast, with [[Java performance|similar performance]] to natively installed software. |
||
== Disadvantages == |
== Disadvantages == |
||
{{more citations needed section|date=August 2015}} |
{{more citations needed section|date=August 2015}} |
||
Java applets had the following disadvantages compared to other client-side web technologies: |
|||
* Java applets depend on a Java Runtime Environment (JRE), |
* Java applets would depend on a Java Runtime Environment (JRE), a complex and heavy-weight software package. They also normally required a [[plug-in (computing)|plug-in]] for the web browser. Some organizations only allow software installed by an administrator. As a result, users were unable to view applets unless one was important enough to justify contacting the administrator to request installation of the JRE and plug-in. |
||
* If an applet requires a newer JRE than available on the system |
* If an applet requires a newer JRE than available on the system, the user running it the first time will need to wait for the large JRE download to complete. |
||
* Mobile browsers on [[iOS]] or [[Android (operating system)|Android]], |
* Mobile browsers on [[iOS]] or [[Android (operating system)|Android]], never Java applets at all.<ref>{{cite web|url=http://www.java.com/en/download/faq/java_mobile.xml|title=How do I get Java for Mobile device?|date=30 July 2014}}</ref> Even before the deprecation of applets on all platforms, desktop browsers phased out Java applet support concurrently with the rise of mobile operating systems. |
||
⚫ | |||
* Unlike the older <code>applet</code> tag, the <code>object</code> tag needs workarounds to write a cross-browser HTML document. |
|||
⚫ | * As with any client-side scripting, security restrictions made it difficult or even impossible for some untrusted applets to achieve their desired goals. Only by editing the java.policy file in the JAVA JRE installation could one grant access to the local filesystem or system clipboard, or to network sources other than the one that served the applet to the browser. |
||
⚫ | |||
⚫ | |||
⚫ | * As with any client-side scripting, security restrictions |
||
⚫ | * Most users |
||
== Compatibility-related lawsuits == |
== Compatibility-related lawsuits == |
||
Line 84: | Line 81: | ||
== Security == |
== Security == |
||
{{POV section|date=November 2021}} |
|||
There |
There were two applet types with very different security models: signed applets and unsigned applets.<ref>{{cite web|url=http://java.sun.com/docs/books/tutorial/deployment/applet/security.html|title=Sun's explanation about applet security}}</ref> Starting with Java SE 7 Update 21 (April 2013) applets and Web-Start Apps are encouraged to be signed with a trusted certificate, and warning messages appear when running unsigned applets.<ref>{{Cite web|url = http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html#60|title = Java Applet & Web Start - Code Signing|access-date = 28 February 2014|publisher = Oracle}}</ref> Further, starting with Java 7 Update 51 unsigned applets were blocked by default; they could be run by creating an exception in the Java Control Panel.<ref>{{Cite web|url = http://java.com/en/download/help/appsecuritydialogs.xml|title = What should I do when I see a security prompt from Java?|access-date = 28 February 2014|publisher = Oracle}}</ref> |
||
=== Unsigned ===<!-- I didn't really bother with cleaning up the tense of these sections: they need a full rewrite, due to substantial NPOV problems --> |
|||
⚫ | Limits on unsigned applets were understood as "draconian": they have no access to the local filesystem and web access limited to the applet download site; there are also many other important restrictions. For instance, they cannot access all system properties, use their own [[class loader]], call [[native code]], execute external commands on a local system or redefine classes belonging to core packages included as part of a Java release. While they can run in a standalone frame, such frame contains a header, indicating that this is an untrusted applet. Successful initial call of the forbidden method does not automatically create a security hole as an access controller checks the entire [[Call stack|stack]] of the calling code to be sure the call is not coming from an improper location. |
||
=== Unsigned === |
|||
⚫ | Limits on unsigned applets |
||
As with any complex system, many security problems have been discovered and fixed since Java was first released. Some of these (like the Calendar serialization security bug) persisted for many years with nobody being aware. Others have been discovered in use by malware in the wild.{{citation needed|date=September 2013}} |
As with any complex system, many security problems have been discovered and fixed since Java was first released. Some of these (like the Calendar serialization security bug) persisted for many years with nobody being aware. Others have been discovered in use by malware in the wild.{{citation needed|date=September 2013}} |
||
Line 106: | Line 105: | ||
== Alternatives == |
== Alternatives == |
||
Alternative technologies exist (for example, [[WebAssembly]]<ref>{{Cite web|title=Mozilla tries to do Java as it should have been – with a WASI spec for all devices, computers, operating systems|url=https://www.theregister.com/2019/03/29/mozilla_wasi_spec/|access-date=2020-10-06|website=www.theregister.com|language=en}}</ref> and [[JavaScript]]) that satisfy all or more of the scope of what |
Alternative technologies exist (for example, [[WebAssembly]]<ref>{{Cite web|title=Mozilla tries to do Java as it should have been – with a WASI spec for all devices, computers, operating systems|url=https://www.theregister.com/2019/03/29/mozilla_wasi_spec/|access-date=2020-10-06|website=www.theregister.com|language=en}}</ref> and [[JavaScript]]) that satisfy all or more of the scope of what was possible with an applet. JavaScript could coexist with applets in the same page, assist in launching applets (for instance, in a separate frame or providing platform workarounds) and later be called from the applet code. As Javascript gained in features and preformance, the support for and use of applets declined, until their eventual removal. |
||
== See also ==<!-- PLEASE RESPECT ALPHABETICAL ORDER --> |
== See also ==<!-- PLEASE RESPECT ALPHABETICAL ORDER --> |
Revision as of 23:48, 25 November 2021
Java applets were small applications written in the Java programming language, or another programming language that compiles to Java bytecode, and delivered to users in the form of Java bytecode. The user launched the Java applet from a web page, and the applet was then executed within a Java virtual machine (JVM) in a process separate from the web browser itself. A Java applet could appear in a frame of the web page, a new application window, Sun's AppletViewer, or a stand-alone tool for testing applets.
Java applets were introduced in the first version of the Java language, which was released in 1995. Beginning in 2013, major web browsers began to phase out support for the underlying technology applets used to run, with applets becoming completely unable to be run by 2015–2017. Java applets were deprecated since Java 9 in 2017.[6][7][8][9][10]
Java applets were usually written in Java, but other languages such as Jython, JRuby, Pascal,[11] Scala, NetRexx, or Eiffel (via SmartEiffel) could be used as well.
Java applets run at very fast speeds and until 2011, they were many times faster than JavaScript.[citation needed] Unlike JavaScript, Java applets had access to 3D hardware acceleration, making them well-suited for non-trivial, computation-intensive visualizations. As browsers have gained support for hardware-accelerated graphics thanks to the canvas technology (or specifically WebGL in the case of 3D graphics),[12][13] as well as just-in-time compiled JavaScript,[14] the speed difference has become less noticeable.[citation needed]
Since Java bytecode is cross-platform (or platform independent), Java applets could be executed by clients for many platforms, including Microsoft Windows, FreeBSD, Unix, macOS and Linux. They could not be run on mobile devices, which do not support running standard Oracle JVM bytecode. Android devices can run code written in Java compiled for the Android Runtime.
Overview
The applets are used to provide interactive features to web applications that cannot be provided by HTML alone. They can capture mouse input and also have controls like buttons or check boxes. In response to user actions, an applet can change the provided graphic content. This makes applets well-suited for demonstration, visualization, and teaching. There are online applet collections for studying various subjects, from physics to heart physiology.
An applet can also be a text area only; providing, for instance, a cross-platform command-line interface to some remote system. If needed, an applet can leave the dedicated area and run as a separate window. However, applets have very little control over web page content outside the applet's dedicated area, so they are less useful for improving the site appearance in general, unlike other types of browser extensions (while applets like news tickers or WYSIWYG editors are also known). Applets can also play media in formats that are not natively supported by the browser.
Pages coded in HTML may embed parameters within them that are passed to the applet. Because of this, the same applet may have a different appearance depending on the parameters that were passed.
As applets were available before HTML5, modern CSS and JavaScript interface DOM were standard, they were also widely used for trivial effects such as mouseover and navigation buttons. This approach, which posed major problems for accessibility and misused system resources, is no longer in use and was strongly discouraged even at the time.
Technical information
Most browsers executed Java applets in a sandbox, preventing applets from accessing local data like the clipboard or file system.[citation needed] The code of the applet was downloaded from a web server, after which the browser either embeded the applet into a web page or opened a new window showing the applet's user interface.
The first implementations involved downloading an applet class by class. While classes are small files, there are often many of them, so applets got a reputation as slow-loading components. However, since .jars
were introduced, an applet is usually delivered as a single file that has a size similar to an image file (hundreds of kilobytes to several megabytes).
Java system libraries and runtimes are backwards-compatible, allowing one to write code that runs both on current and on future versions of the Java virtual machine.
Similar technologies
Many Java developers, blogs and magazines reccomended that the Java Web Start technology be used in place of applets.[15] Java Web Start allowed the launching of unmodified applet code, which then ran in a separate window (not inside the invoking browser).
A Java Servlet is sometimes informally compared to be "like" a server-side applet, but it is different in its language, functions, and in each of the characteristics described here about applets.
Embedding into a web page
The applet would be be displayed on the web page by making use of the deprecated applet
HTML element,[16] or the recommended object
element.[17] The embed
element can be used[18] with Mozilla family browsers (embed
was deprecated in HTML 4 but is included in HTML 5). This specifies the applet's source and location. Both object
and embed
tags can also download and install Java virtual machine (if required) or at least lead to the plugin page. applet
and object
tags also support loading of the serialized applets that start in some particular (rather than initial) state. Tags also specify the message that shows up in place of the applet if the browser cannot run it due to any reason.
However, despite object
being officially a recommended tag in 2010, the support of the object
tag was not yet consistent among browsers and Sun kept recommending the older applet
tag for deploying in multibrowser environments,[19] as it remained the only tag consistently supported by the most popular browsers. To support multiple browsers, using the object
tag to embed an applet would require JavaScript (that recognizes the browser and adjusts the tag), usage of additional browser-specific tags or delivering adapted output from the server side.
The Java browser plug-in relied on NPAPI, which nearly all web browser vendors have removed support for, or do not implement, due to its age and security issues. In January 2016, Oracle announced that Java runtime environments based on JDK 9 will discontinue the browser plug-in.[20]
Advantages
A Java applet could have any or all of the following advantages:[21]
- It was simple to make it work on FreeBSD, Linux, Microsoft Windows and macOS – that is, to make it cross-platform. Applets were supported by most web browsers through the first decade of the 21st century; since then, however, most browsers have dropped applet support for security reasons.
- The same applet would work on "all" installed versions of Java at the same time, rather than just the latest plug-in version only. However, if an applet requires a later version of the Java Runtime Environment (JRE) the client would be forced to wait during the large download.
- Most web browsers cached applets so they were quick to load when returning to a web page. Applets also improved with use: after a first applet is run, the JVM was already running and subsequent applets started quickly (the JVM will need to restart each time the browser starts afresh). JRE versions 1.5 and greater restarted the JVM when the browser navigates between pages, as a security measure which removed that performance gain.
- It moved work from the server to the client, making a web solution more scalable with the number of users/clients.
- If a standalone program (like Google Earth) talks to a web server, that server normally needs to support all prior versions for users who have not kept their client software updated. In contrast, a browser loaded (and cached) the latest applet version, so there is no need to support legacy versions.
- Applet naturally supported changing user state, such as figure positions on the chessboard.
- Developers could develop and debug an applet directly simply by creating a main routine (either in the applet's class or in a separate class) and calling init() and start() on the applet, thus allowing for development in their favorite Java SE development environment. All one had to do was to re-test the applet in the AppletViewer program or a web browser to ensure it conforms to security restrictions.
- An untrusted applet had no access to the local machine and can only access the server it came from. This makes applets much safer to run than the native executables that they would replace. However, a signed applet could have full access to the machine it is running on, if the user agreed.
- Java applets were fast, with similar performance to natively installed software.
Disadvantages
This section needs additional citations for verification. (August 2015) |
Java applets had the following disadvantages compared to other client-side web technologies:
- Java applets would depend on a Java Runtime Environment (JRE), a complex and heavy-weight software package. They also normally required a plug-in for the web browser. Some organizations only allow software installed by an administrator. As a result, users were unable to view applets unless one was important enough to justify contacting the administrator to request installation of the JRE and plug-in.
- If an applet requires a newer JRE than available on the system, the user running it the first time will need to wait for the large JRE download to complete.
- Mobile browsers on iOS or Android, never Java applets at all.[22] Even before the deprecation of applets on all platforms, desktop browsers phased out Java applet support concurrently with the rise of mobile operating systems.
- There was no standard to make the content of applets available to screen readers. Therefore, applets harmed the accessibility of a web site to users with special needs.
- As with any client-side scripting, security restrictions made it difficult or even impossible for some untrusted applets to achieve their desired goals. Only by editing the java.policy file in the JAVA JRE installation could one grant access to the local filesystem or system clipboard, or to network sources other than the one that served the applet to the browser.
- Most users did not care about the difference between untrusted and trusted applets, so this distinction did not help much with security. The ability to run untrusted applets was eventually removed entirely to fix this, before all applets were removed.
Compatibility-related lawsuits
Sun made considerable efforts to ensure compatibility is maintained between Java versions as they evolve, enforcing Java portability by law if required. Oracle seems to be continuing the same strategy.
1997: Sun vs Microsoft
The 1997 lawsuit,[23] was filed after Microsoft created a modified Java Virtual Machine of their own, which shipped with Internet Explorer. Microsoft added about 50 methods and 50 fields[23] into the classes within the java.awt, java.lang, and java.io packages. Other modifications included removal of RMI capability and replacement of Java native interface from JNI to RNI, a different standard. RMI was removed because it only easily supports Java to Java communications and competes with Microsoft DCOM technology. Applets that relied on these changes or just inadvertently used them worked only within Microsoft's Java system. Sun sued for breach of trademark, as the point of Java was that there should be no proprietary extensions and that code should work everywhere. Microsoft agreed to pay Sun $20 million, and Sun agreed to grant Microsoft limited license to use Java without modifications only and for a limited time.[24]
2002: Sun vs Microsoft
Microsoft continued to ship its own unmodified Java virtual machine. Over the years it became extremely outdated yet still default for Internet Explorer. A later study revealed that applets of this time often contain their own classes that mirror Swing and other newer features in a limited way.[25] In 2002, Sun filed an antitrust lawsuit, claiming that Microsoft's attempts at illegal monopolization had harmed the Java platform. Sun demanded Microsoft distribute Sun's current, binary implementation of Java technology as part of Windows, distribute it as a recommended update for older Microsoft desktop operating systems and stop the distribution of Microsoft's Virtual Machine (as its licensing time, agreed in the prior lawsuit, had expired).[24] Microsoft paid $700 million for pending antitrust issues, another $900 million for patent issues and a $350 million royalty fee to use Sun's software in the future.[26][non-primary source needed]
Security
There were two applet types with very different security models: signed applets and unsigned applets.[27] Starting with Java SE 7 Update 21 (April 2013) applets and Web-Start Apps are encouraged to be signed with a trusted certificate, and warning messages appear when running unsigned applets.[28] Further, starting with Java 7 Update 51 unsigned applets were blocked by default; they could be run by creating an exception in the Java Control Panel.[29]
Unsigned
Limits on unsigned applets were understood as "draconian": they have no access to the local filesystem and web access limited to the applet download site; there are also many other important restrictions. For instance, they cannot access all system properties, use their own class loader, call native code, execute external commands on a local system or redefine classes belonging to core packages included as part of a Java release. While they can run in a standalone frame, such frame contains a header, indicating that this is an untrusted applet. Successful initial call of the forbidden method does not automatically create a security hole as an access controller checks the entire stack of the calling code to be sure the call is not coming from an improper location.
As with any complex system, many security problems have been discovered and fixed since Java was first released. Some of these (like the Calendar serialization security bug) persisted for many years with nobody being aware. Others have been discovered in use by malware in the wild.[citation needed]
Some studies mention applets crashing the browser or overusing CPU resources but these are classified as nuisances and not as true security flaws. However, unsigned applets may be involved in combined attacks that exploit a combination of multiple severe configuration errors in other parts of the system. An unsigned applet can also be more dangerous to run directly on the server where it is hosted because while code base allows it to talk with the server, running inside it can bypass the firewall. An applet may also try DoS attacks on the server where it is hosted, but usually people who manage the web site also manage the applet, making this unreasonable. Communities may solve this problem via source code review or running applets on a dedicated domain.
The unsigned applet can also try to download malware hosted on originating server. However it could only store such file into a temporary folder (as it is transient data) and has no means to complete the attack by executing it. There were attempts to use applets for spreading Phoenix and Siberia exploits this way,[citation needed] but these exploits do not use Java internally and were also distributed in several other ways.
Signed
A signed applet[30] contains a signature that the browser should verify through a remotely running, independent certificate authority server. Producing this signature involves specialized tools and interaction with the authority server maintainers. Once the signature is verified, and the user of the current machine also approves, a signed applet can get more rights, becoming equivalent to an ordinary standalone program. The rationale is that the author of the applet is now known and will be responsible for any deliberate damage.[vague] This approach allows applets to be used for many tasks that are otherwise not possible by client-side scripting. However, this approach requires more responsibility from the user, deciding whom he or she trusts. The related concerns include a non-responsive authority server, wrong evaluation of the signer identity when issuing certificates, and known applet publishers still doing something that the user would not approve of. Hence signed applets that appeared from Java 1.1 may actually have more security concerns.
Self-signed
Self-signed applets, which are applets signed by the developer themselves, may potentially pose a security risk; java plugins provide a warning when requesting authorization for a self-signed applet, as the function and safety of the applet is guaranteed only by the developer itself, and has not been independently confirmed. Such self-signed certificates are usually only used during development prior to release where third-party confirmation of security is unimportant, but most applet developers will seek third-party signing to ensure that users trust the applet's safety.
Java security problems are not fundamentally different from similar problems of any client-side scripting platform[31][citation needed]. In particular, all issues related to signed applets also apply to Microsoft ActiveX components.
As of 2014, self-signed and unsigned applets are no longer accepted by the commonly available Java plugins or Java Web Start. Consequently, developers who wish to deploy Java applets have no alternative but to acquire trusted certificates from commercial sources.
Alternatives
Alternative technologies exist (for example, WebAssembly[32] and JavaScript) that satisfy all or more of the scope of what was possible with an applet. JavaScript could coexist with applets in the same page, assist in launching applets (for instance, in a separate frame or providing platform workarounds) and later be called from the applet code. As Javascript gained in features and preformance, the support for and use of applets declined, until their eventual removal.
See also
- ActiveX
- Curl (programming language)
- Jakarta Servlet
- Java Web Start
- JavaFX
- Rich web application
- WebGL
References
- ^ "The home site of the 3D protein viewer (Openastexviewer) under LGPL". Archived from the original on 1 August 2009. Retrieved 21 September 2009.
- ^ "The virtual hearth".
- ^ "The home site of the Mandelbrot set applet under GPL". Archived from the original on 8 May 2013. Retrieved 29 July 2013.
- ^ "The home site of the chess applet under BSD". Archived from the original on 7 September 2009.
- ^ "Java.Sun.com".
- ^ "Java 9 Release Notes".
- ^ "JEP 289: Deprecate the Applet API".
- ^ "JPG blog: Moving to a Plugin-Free Web".
- ^ "JPG blog: Further Updates to 'Moving to a Plugin-Free Web'".
- ^ http://www.oracle.com/technetwork/java/javase/javaclientroadmapupdate2018mar-4414431.pdf
- ^ "Free Pascal Compiler for JVM".
- ^ "canvas - HTML". Mozilla Developer Network. Retrieved 15 August 2015.
- ^ "WebGL - Web API Interfaces". Mozilla Developer Network. Retrieved 15 August 2015.
- ^ "Design Elements - Chrome V8". Retrieved 15 August 2015.
- ^ Srinivas, Raghavan N. (6 July 2001). "Java Web Start to the rescue". JavaWorld. Retrieved 2020-07-13.
- ^ "W3.org".
- ^ "W3.org".
- ^ "Java Downloads for All Operating Systems". Java.com. 14 August 2012. Retrieved 14 June 2013.
- ^ "Sun's position on applet and object tags". Archived from the original on 9 June 2010. Retrieved 14 January 2010.
- ^ "Oracle deprecates the Java browser plugin, prepares for its demise". Ars Technica. Retrieved 15 April 2016.
- ^ Oracle official overview on Java applet technology
- ^ "How do I get Java for Mobile device?". 30 July 2014.
- ^ a b Zukowski, John (1 October 1997). "What does Sun's lawsuit against Microsoft mean for Java developers?". JavaWorld. Retrieved 2020-07-13.
- ^ a b "Sun's page, devoted for the lawsuits against Microsoft". Archived from the original on 19 August 2009.
- ^ Kenai.com (2011) Archived 23 August 2011 at the Wayback Machine Most common problems, found in the code of the reviewed applets.
- ^ Microsoft page devoted to the Sun - Microsoft 2002 lawsuit Archived 25 February 2010 at the Wayback Machine
- ^ "Sun's explanation about applet security".
- ^ "Java Applet & Web Start - Code Signing". Oracle. Retrieved 28 February 2014.
- ^ "What should I do when I see a security prompt from Java?". Oracle. Retrieved 28 February 2014.
- ^ "Informit.com".
- ^ "To be fair, significantly more World Wide Web users use the Netscape product than use the Microsoft product today, though the gap appears to be closing". www.wiley.com. Retrieved 17 March 2017.
- ^ "Mozilla tries to do Java as it should have been – with a WASI spec for all devices, computers, operating systems". www.theregister.com. Retrieved 6 October 2020.
External links
- Latest version of Sun Microsystems' Java Virtual Machine (includes browser plug-ins for running Java applets in most web browsers).
- Information about writing applets from Oracle
- Demonstration applets from Sun Microsystems (JDK 1.4 – include source code)