Is Oracle killing intranet applets on JRE 7 update 51?

Asked 18/10, 2013 at 1:58 Answered 7/1, 2014 at 19:8

Refer to New security requirements for RIAs in 7u51 (January 2014) .

RIAs must contain two things:

Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed, regardless of its Permissions attributes.

Manifest Attributes

Permissions – Introduced in 7u25, and required as of 7u51. Indicates if the RIA should run within the sandbox or require full-permissions.

Codebase – Introduced in 7u25 and optional/encouraged as of 7u51. Points to the known location of the hosted code (e.g. intranet.example.com).

ref another post on stackoverflow, I have the same concern that certificate is expensive for intranet use.
Sign applet and deploy it in intranet.

I am planning to start a new intranet project, should I give up the consideration on applet?
All of my intranet user do not have the ability to connect outside internet, they are in closed network, I highly doubt the need of signed applet......?

Hoagland answered 18/10, 2013 at 1:58 Comment(8)

"I am planning to start a new intranet project, should I give up the consideration on applet?" Avoid applets if humanly possible. That is advice I've been giving for a long while, before the latest slew of security updates. – Sorbose 18/10, 2013 at 2:10

@AndrewThompson: what about javafx? it's a nice technology and I think it runs pretty much the same way as applets. – Gyrose 18/10, 2013 at 4:31

"what about javafx?" What about it? To my eye, it already seems doomed. I thought it was taking a long time to migrate from "Here's a GUI toolkit we are playing with - you like?" to "This in in the JSE - deal with it". When it came to Java 7 that includes(?) Java-FX, I was surprised that there was no reference to Java-FX classes in the JSE Java Docs. From that I expected to see it migrated to the Java-Docs in Java 8 at the latest.. But then, I recently read that Oracle was planning to incorporate in in Java 9. ..?!? Too little, too late, for most people's tastes. – Sorbose 18/10, 2013 at 4:41

@DenisTulskiy JavaFX used like an applet is exposed as an applet, so it is really not an alternative for applet. (on using it, I tend to agree with this post - but not with the using applet part :) – Nerynesbit 18/10, 2013 at 4:48

Well probably take a look at WebStart... – Massorete 18/10, 2013 at 6:22

@AndrewThompson IIRC, JavaFX (2) was included in the Oracle JRE but was not in OpenJDK. – Curie 21/10, 2013 at 12:58

@TomHawtin-tackline Thanks for the info. I am leery of using any functionality that has a caveat like " but was not in ..JDK" though. It just does not seem cross-platform if it is not compatible across SDK/JREs. – Sorbose 21/10, 2013 at 13:15

@AndrewThompson There are many fine libraries that are not in the JDK. – Curie 21/10, 2013 at 13:35

I am planning to start a new intranet project, should I give up the consideration on applet?

Well, yes. Applets haven't been a very good technology choice for a long time, even without Oracles latest changes. If you can do the same using other technologies, that's usually better.

Some reasons:

continuous stream of vulnerabilities (which is why it should really be disabled by default on browsers)
resource intensive
separate access from the web page (act close to plugins)
deployment isn't very straightforward
doesn't have the tooling some alternatives have

The most serious reason is the vulnerability issue, but others play a role as well.

All of my intranet user do not have the ability to connect outside internet, they are in closed network, I highly doubt the need of signed applet......?

It's mandatory in the latest versions of java plugin, so you cannot really help that.

See this discussion on what's needed if you would like to keep on going with the applet. If you don't do it, it will not work on the latest versions of java.

Nerynesbit answered 18/10, 2013 at 4:25 Comment(0)

As a disclaimer, I am the author of the blog post that you linked to. Intranets are typically known communities where people have reasons to trust each other. If you do not want to purchase a code signing certificate, you can share your public certificate within the small network of trust. This works on an organizational scale but not so much internet-scale. Also for @TomHawtin above, OpenJFX is available.

Bookcraft answered 23/10, 2013 at 23:29 Comment(0)

I think another option if you want to stick with Applets would be the promised Exception Site List, which should be available in 1.7.0_51 as well, it still means that users need to adjust Java Applet Properties, but at least as far as I understand the post, it will make it possible to allow certain applets on the user machine.

Gyro answered 6/12, 2013 at 20:23 Comment(0)

As centic mentioned Dec 6 '13 at 20:23, the Exception Site List is a per user override to allow applets to run. Oracle help has been updated with this article How can I configure the Exception Site List.

Benefit answered 7/1, 2014 at 19:8 Comment(0)

RIAs must contain two things:

Recommended topics

Hot tags