Java applet


A Java applet that was created as supplementary demonstration material for a scientific publication
A Java applet that uses 3D hardware acceleration to visualize 3D files in .pdb format downloaded from a server
Using applet for nontrivial animation illustrating biophysical topic (randomly moving ions pass through voltage gates)
Using a Java applet for computation-intensive visualization of the Mandelbrot set
Applets' running speed is sufficient for making e.g. nontrivial computer games that play chess.
NASA World Wind (open source) is a second generation applet that makes heavy use of OpenGL and on-demand data downloading to provide a detailed 3D map of the world.
Web access to the server console at the hardware level with the help of a Java applet
Demonstration of image processing using two dimensional Fourier transform

Java applets are small applications written in the Java programming language, or another programming language that compiles to Java bytecode, and delivered to users in the form of Java bytecode.


At the time of their introduction, the intended use was for the user to launch the applet from a web page, and for the applet to then execute within a Java virtual machine (JVM) in a process separate from the web browser itself. A Java applet could appear in a frame of the web page, a new application window, a program from Sun called appletviewer, [6] or a stand-alone tool for testing applets.

Java applets were introduced in the first version of the Java language, which was released in 1995. Beginning in 2013, major web browsers began to phase out support for NPAPI, the underlying technology applets used to run, with applets becoming completely unable to be run by 2015–2017. Java applets were deprecated by Java 9 in 2017. [7] [8] [9] [10] [11]

Java applets were usually written in Java, but other languages such as Jython, JRuby, Pascal, [12] Scala, NetRexx, or Eiffel (via SmartEiffel) could be used as well.

Unlike early versions of JavaScript, Java applets had access to 3D hardware acceleration, making them well-suited for non-trivial, computation-intensive visualizations. Since applets' introduction, JavaScript has gained support for hardware-accelerated graphics via canvas technology (or specifically WebGL in the case of 3D graphics), [13] [14] as well as just-in-time compiled JavaScript. [15]

Since Java bytecode is cross-platform (or platform independent), Java applets could be executed by clients for many platforms, including Microsoft Windows, FreeBSD, Unix, macOS and Linux. They could not be run on mobile devices, which do not support running standard Oracle JVM bytecode. Android devices can run code written in Java compiled for the Android Runtime.

Overview

The applets are used to provide interactive features to web applications that cannot be provided by HTML alone. They can capture mouse input and also have controls like buttons or check boxes. In response to user actions, an applet can change the provided graphic content. This makes applets well-suited for demonstration, visualization, and teaching. There are online applet collections for studying various subjects, from physics to heart physiology.

An applet can also be a text area only; providing, for instance, a cross-platform command-line interface to some remote system. If needed, an applet can leave the dedicated area and run as a separate window. However, applets have very little control over web page content outside the applet's dedicated area, so they are less useful for improving the site appearance in general, unlike other types of browser extensions (while applets like news tickers or WYSIWYG editors are also known). Applets can also play media in formats that are not natively supported by the browser.

Pages coded in HTML may embed parameters within them that are passed to the applet. Because of this, the same applet may have a different appearance depending on the parameters that were passed.

Because applets were available before HTML5, modern CSS and the JavaScript DOM interface became standard, they were also widely used for trivial effects such as mouseover and navigation buttons. This approach, which posed major problems for accessibility and misused system resources, is no longer in use and was strongly discouraged even at the time.

Technical information

Most browsers executed Java applets in a sandbox, preventing applets from accessing local data like the file system. [16] The code of the applet was downloaded from a web server, after which the browser either embedded the applet into a web page or opened a new window showing the applet's user interface.

The first implementations involved downloading an applet class by class. While classes are small files, there are often many of them, so applets got a reputation as slow-loading components. However, since .jar files were introduced, an applet is usually delivered as a single file that has a size similar to an image file (hundreds of kilobytes to several megabytes).

Java system libraries and runtimes are backwards-compatible, allowing one to write code that runs both on current and on future versions of the Java virtual machine.

Similar technologies

Many Java developers, blogs and magazines recommended that the Java Web Start technology be used in place of applets. [17] Java Web Start allowed the launching of unmodified applet code, which then ran in a separate window (not inside the invoking browser).

A Java Servlet is sometimes informally described as being "like" a server-side applet, but it is different in its language, functions, and in each of the characteristics described here about applets.

Embedding into a web page

The applet would be displayed on the web page by making use of the deprecated applet HTML element, [18] or the recommended object element. [19] The embed element can be used [20] with Mozilla family browsers (embed was deprecated in HTML 4 but is included in HTML 5). This specifies the applet's source and location. Both object and embed tags can also download and install a Java virtual machine (if required) or at least lead to the plugin page. The applet and object tags also support loading of serialized applets that start in some particular (rather than initial) state. Tags also specify the message that shows up in place of the applet if the browser cannot run it for any reason.

However, despite object being officially a recommended tag in 2010, the support of the object tag was not yet consistent among browsers and Sun kept recommending the older applet tag for deploying in multibrowser environments, [21] as it remained the only tag consistently supported by the most popular browsers. To support multiple browsers, using the object tag to embed an applet would require JavaScript (that recognizes the browser and adjusts the tag), usage of additional browser-specific tags or delivering adapted output from the server side.

The Java browser plug-in relied on NPAPI, which nearly all web browser vendors have removed support for, or do not implement, due to its age and security issues. In January 2016, Oracle announced that Java runtime environments based on JDK 9 will discontinue the browser plug-in. [22]
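An added example, not part of the original article: a Python scanner that inventories pages still embedding applets through the applet, object or embed tags, collecting the parameters and fallback message described above. The sample markup and its file and class names are constructed, and recognising Java object/embed elements by an `application/x-java-applet` type or a `java:` classid is an assumption of the example.

```python
from html.parser import HTMLParser

JAVA_MIME_PREFIX = "application/x-java-applet"

# Constructed sample page; file and class names are illustrative only.
SAMPLE_HTML = """
<applet code="Clock.class" archive="clock.jar" width="200" height="80">
  <param name="timezone" value="UTC">
  <param name="color" value="blue">
  Your browser cannot run Java applets.
</applet>
<object type="application/x-java-applet" width="300" height="300">
  <param name="code" value="Viewer.class">
  <param name="archive" value="viewer.jar">
  <param name="model" value="1abc.pdb">
  Java is required to view this model.
</object>
<object type="application/pdf" data="paper.pdf"></object>
<embed type="application/x-java-applet;version=1.6" code="Ticker.class" archive="ticker.jar">
"""


class AppletFinder(HTMLParser):
    """Collects applet embeds: tag, code, archive, codebase, params, fallback text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []
        self.current = None  # applet/object element currently being collected
        self.depth = 0       # nested elements with the same tag name

    @staticmethod
    def is_java(attrs):
        return (attrs.get("type", "").lower().startswith(JAVA_MIME_PREFIX)
                or attrs.get("classid", "").lower().startswith("java:"))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if self.current is not None and tag == "param":
            # Parameters the page passes to the applet.
            self.current["params"][a.get("name", "").lower()] = a.get("value", "")
        elif self.current is not None and tag == self.current["tag"]:
            self.depth += 1  # nested same-name element; keep the outer one open
        elif tag == "applet" or (tag in ("object", "embed") and self.is_java(a)):
            rec = {"tag": tag, "code": a.get("code", ""), "archive": a.get("archive", ""),
                   "codebase": a.get("codebase", ""), "params": {}, "fallback": []}
            if a.get("classid", "").lower().startswith("java:"):
                rec["code"] = rec["code"] or a["classid"][5:]
            if tag == "embed":   # void element: no children, no end tag
                self.finish(rec)
            else:
                self.current = rec

    def handle_data(self, data):
        # Text inside the element is what the browser shows if it cannot run the applet.
        if self.current is not None and data.strip():
            self.current["fallback"].append(data.strip())

    def handle_endtag(self, tag):
        if self.current is None or tag != self.current["tag"]:
            return
        if self.depth:
            self.depth -= 1
        else:
            self.finish(self.current)
            self.current = None

    def finish(self, rec):
        # The object tag carries code/archive/codebase as <param> children.
        for key in ("code", "archive", "codebase"):
            if not rec[key] and key in rec["params"]:
                rec[key] = rec["params"].pop(key)
        rec["fallback"] = " ".join(rec["fallback"])
        self.found.append(rec)


def find_applets(html):
    """Return one record per applet embed found in the HTML text."""
    finder = AppletFinder()
    finder.feed(html)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for record in find_applets(SAMPLE_HTML):
        print(record)
```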

Advantages

A Java applet could have any or all of the following advantages: [23]

Disadvantages

Java applets had the following disadvantages compared to other client-side web technologies:

Sun made considerable efforts to ensure compatibility is maintained between Java versions as they evolve, enforcing Java portability by law if required. Oracle seems to be continuing the same strategy.

1997: Sun vs Microsoft

The 1997 lawsuit [25] was filed after Microsoft created a modified Java Virtual Machine of their own, which shipped with Internet Explorer. Microsoft added about 50 methods and 50 fields [25] into the classes within the java.awt, java.lang, and java.io packages. Other modifications included removal of RMI capability and replacement of Java Native Interface from JNI to RNI, a different standard. RMI was removed because it only easily supports Java to Java communications and competes with Microsoft DCOM technology. Applets that relied on these changes or just inadvertently used them worked only within Microsoft's Java system. Sun sued for breach of trademark, as the point of Java was that there should be no proprietary extensions and that code should work everywhere. Microsoft agreed to pay Sun $20 million, and Sun agreed to grant Microsoft a limited license to use Java without modifications only and for a limited time. [26]

2002: Sun vs Microsoft

Microsoft continued to ship its own unmodified Java virtual machine. Over the years it became extremely outdated yet still default for Internet Explorer. A later study revealed that applets of this time often contain their own classes that mirror Swing and other newer features in a limited way. [27] In 2002, Sun filed an antitrust lawsuit, claiming that Microsoft's attempts at illegal monopolization had harmed the Java platform. Sun demanded Microsoft distribute Sun's current, binary implementation of Java technology as part of Windows, distribute it as a recommended update for older Microsoft desktop operating systems and stop the distribution of Microsoft's Virtual Machine (as its licensing time, agreed in the prior lawsuit, had expired). [26] Microsoft paid $700 million for pending antitrust issues, another $900 million for patent issues and a $350 million royalty fee to use Sun's software in the future. [28]

Security

There were two applet types with very different security models: signed applets and unsigned applets. [29] Starting with Java SE 7 Update 21 (April 2013) applets and Web-Start Apps are encouraged to be signed with a trusted certificate, and warning messages appear when running unsigned applets. [30] Further, starting with Java 7 Update 51 unsigned applets were blocked by default; they could be run by creating an exception in the Java Control Panel. [31]

Unsigned

Limits on unsigned applets were understood as "draconian": they have no access to the local filesystem and web access limited to the applet download site; there are also many other important restrictions. For instance, they cannot access all system properties, use their own class loader, call native code, execute external commands on a local system or redefine classes belonging to core packages included as part of a Java release. While they can run in a standalone frame, such a frame contains a header indicating that this is an untrusted applet. A successful initial call of a forbidden method does not automatically create a security hole, as an access controller checks the entire stack of the calling code to be sure the call is not coming from an improper location.
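The stack check described above, as a simplified Python model added here for illustration (not JVM code and not part of the original article). The domain names, permission strings and method names are assumptions, and the `privileged` flag, which stands in for Java's `AccessController.doPrivileged`, goes beyond what the text covers.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a frame on the call stack lacks the requested permission."""


@dataclass(frozen=True)
class Domain:
    """Protection domain: the set of permissions granted to a code source."""
    name: str
    permissions: frozenset

    def implies(self, perm):
        return "ALL" in self.permissions or perm in self.permissions


@dataclass(frozen=True)
class Frame:
    method: str
    domain: Domain
    privileged: bool = False  # models a doPrivileged block in this frame


def check_permission(stack, perm):
    """Walk from the newest frame (stack[-1]) to the oldest.

    Every domain visited must grant the permission; a privileged frame is
    checked itself and then ends the walk, so its callers are not consulted.
    """
    for frame in reversed(stack):
        if not frame.domain.implies(perm):
            raise AccessDenied(f"{perm}: denied because {frame.method} "
                               f"runs in domain '{frame.domain.name}'")
        if frame.privileged:
            return


def is_allowed(stack, perm):
    try:
        check_permission(stack, perm)
        return True
    except AccessDenied:
        return False


# Hypothetical domains for this example.
SYSTEM = Domain("system", frozenset({"ALL"}))
UNSIGNED = Domain("unsigned-applet", frozenset({"connect:origin-host"}))
SIGNED = Domain("signed-applet", frozenset({"ALL"}))  # signature verified, user approved


def scenarios():
    read = "read:/home/user/notes.txt"
    file_open = Frame("java.io.FileInputStream.<init>", SYSTEM)
    connect = Frame("java.net.Socket.connect", SYSTEM)
    trusted = Frame("TrustedLib.loadDefaults", SYSTEM, privileged=True)
    return {
        # The system class itself may read files, but the applet frame below it may not.
        "unsigned_read": ([Frame("DemoApplet.init", UNSIGNED), file_open], read),
        "signed_read": ([Frame("DemoApplet.init", SIGNED), file_open], read),
        "unsigned_connect_origin":
            ([Frame("DemoApplet.init", UNSIGNED), connect], "connect:origin-host"),
        # Trusted code vouching for the access is why privileged blocks need review.
        "unsigned_via_privileged_library":
            ([Frame("DemoApplet.init", UNSIGNED), trusted, file_open], read),
        # Marking its own frame privileged does not help: that frame is still checked.
        "unsigned_self_privileged":
            ([Frame("DemoApplet.init", UNSIGNED, privileged=True), file_open], read),
    }


def evaluate():
    return {name: is_allowed(stack, perm) for name, (stack, perm) in scenarios().items()}


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```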

As with any complex system, many security problems have been discovered and fixed since Java was first released. Some of these (like the Calendar serialization security bug) persisted for many years with nobody being aware. Others have been discovered in use by malware in the wild.

Some studies mention applets crashing the browser or overusing CPU resources but these are classified as nuisances and not as true security flaws. However, unsigned applets may be involved in combined attacks that exploit a combination of multiple severe configuration errors in other parts of the system. An unsigned applet can also be more dangerous to run directly on the server where it is hosted because while code base allows it to talk with the server, running inside it can bypass the firewall. An applet may also try DoS attacks on the server where it is hosted, but usually people who manage the web site also manage the applet, making this unreasonable. Communities may solve this problem via source code review or running applets on a dedicated domain.

The unsigned applet can also try to download malware hosted on the originating server. However, it could only store such a file into a temporary folder (as it is transient data) and has no means to complete the attack by executing it. There were attempts to use applets for spreading Phoenix and Siberia exploits this way, but these exploits do not use Java internally and were also distributed in several other ways.

Signed

A signed applet [32] contains a signature that the browser should verify through a remotely running, independent certificate authority server. Producing this signature involves specialized tools and interaction with the authority server maintainers. Once the signature is verified, and the user of the current machine also approves, a signed applet can get more rights, becoming equivalent to an ordinary standalone program. The rationale is that the author of the applet is now known and will be responsible for any deliberate damage. This approach allows applets to be used for many tasks that are otherwise not possible by client-side scripting. However, this approach requires more responsibility from the user, deciding whom he or she trusts. The related concerns include a non-responsive authority server, wrong evaluation of the signer identity when issuing certificates, and known applet publishers still doing something that the user would not approve of. Hence signed applets that appeared from Java 1.1 may actually have more security concerns.

Self-signed

Self-signed applets, which are applets signed by the developer themselves, may potentially pose a security risk; Java plugins provide a warning when requesting authorization for a self-signed applet, as the function and safety of the applet is guaranteed only by the developer, and has not been independently confirmed. Such self-signed certificates are usually only used during development prior to release where third-party confirmation of security is unimportant, but most applet developers will seek third-party signing to ensure that users trust the applet's safety.

Java security problems are not fundamentally different from similar problems of any client-side scripting platform [33]. In particular, all issues related to signed applets also apply to Microsoft ActiveX components.

As of 2014, self-signed and unsigned applets are no longer accepted by the commonly available Java plugins or Java Web Start. Consequently, developers who wish to deploy Java applets have no alternative but to acquire trusted certificates from commercial sources.

Alternatives

Alternative technologies exist (for example, WebAssembly [34] and JavaScript) that satisfy all or more of the scope of what was possible with an applet. JavaScript could coexist with applets in the same page, assist in launching applets (for instance, in a separate frame or providing platform workarounds) and later be called from the applet code. As JavaScript gained in features and performance, the support for and use of applets declined, until their eventual removal.


References

  1. "The home site of the 3D protein viewer (Openastexviewer) under LGPL". Archived from the original on 1 August 2009. Retrieved 21 September 2009.
  2. "Generation of an action potential in cardiac cells using interactive java applet. Excitable media. movies excitable media Fitzhug nagumo beeler reuter luo rudy model mathematical cell modeling". Thevirtualheart.org. Retrieved 22 March 2022.
  3. "The home site of the Mandelbrot set applet under GPL". Archived from the original on 8 May 2013. Retrieved 29 July 2013.
  4. "The home site of the chess applet under BSD". Archived from the original on 7 September 2009.
  5. "Next Generation in Applet Java Plug-in Technology". Archived from the original on 4 April 2009. Retrieved 25 September 2009.
  6. "appletviewer — Java SE 8". Oracle. Retrieved 5 December 2023.
  7. "Java 9 Release Notes". Oracle.com.
  8. "JEP 289: Deprecate the Applet API". Openjdk.java.net. Retrieved 22 March 2022.
  9. "JPG blog: Moving to a Plugin-Free Web". Blogs.oracle.com.
  10. "JPG blog: Further Updates to 'Moving to a Plugin-Free Web'". Blogs.oracle.com.
  11. "Java Client Roadmap Update" (PDF). Oracle.com. Retrieved 22 March 2022.
  12. "FPC JVM – Free Pascal wiki". Wiki.freepascal.org. Retrieved 22 March 2022.
  13. "canvas – HTML". Mozilla Developer Network. Retrieved 15 August 2015.
  14. "WebGL – Web API Interfaces". Mozilla Developer Network. Retrieved 15 August 2015.
  15. "Design Elements – Chrome V8". Retrieved 15 August 2015.
  16. McGraw, Gary; Felten, Edward (1999). "What Untrusted Java Code Can't Do". Securingjava.com. Retrieved 26 December 2021.
  17. Srinivas, Raghavan N. (6 July 2001). "Java Web Start to the rescue". JavaWorld. Retrieved 13 July 2020.
  18. "Objects, Images, and Applets in HTML documents". W3.org. Retrieved 22 March 2022.
  19. "Objects, Images, and Applets in HTML documents". W3.org. Retrieved 22 March 2022.
  20. "Java Downloads for All Operating Systems". Java.com. 14 August 2012. Retrieved 14 June 2013.
  21. "Sun's position on applet and object tags". Archived from the original on 9 June 2010. Retrieved 14 January 2010.
  22. "Oracle deprecates the Java browser plugin, prepares for its demise". Ars Technica. 28 January 2016. Retrieved 15 April 2016.
  23. Oracle official overview on Java applet technology
  24. "How do I get Java for Mobile device?". Java.com. 30 July 2014.
  25. Zukowski, John (1 October 1997). "What does Sun's lawsuit against Microsoft mean for Java developers?". JavaWorld. Retrieved 13 July 2020.
  26. "Sun's page, devoted for the lawsuits against Microsoft". Archived from the original on 19 August 2009.
  27. Kenai.com (2011) Archived 23 August 2011 at the Wayback Machine Most common problems, found in the code of the reviewed applets.
  28. "Microsoft and Sun Microsystems Enter Broad Cooperation Agreement; Settle Outstanding Litigation: Ten Year Agreement Sets New Framework for Industry Cooperation; Reduces Cost and Complexity for Customers". Microsoft. 25 February 2010. Archived from the original on 25 February 2010. Retrieved 22 March 2022.
  29. "What Applets Can and Cannot Do (The Java™ Tutorials > Deployment > Java Applets)". Docs.oracle.com. Retrieved 22 March 2022.
  30. "Java Applet & Web Start – Code Signing". Oracle. Retrieved 28 February 2014.
  31. "What should I do when I see a security prompt from Java?". Oracle. Retrieved 28 February 2014.
  32. "Java Applet Security | Java 2 Platform Security | InformIT". Informit.com. Retrieved 22 March 2022.
  33. "To be fair, significantly more World Wide Web users use the Netscape product than use the Microsoft product today, though the gap appears to be closing". Wiley.com. Retrieved 17 March 2017.
  34. "Mozilla tries to do Java as it should have been – with a WASI spec for all devices, computers, operating systems". Theregister.com. Retrieved 6 October 2020.