
Are Applets Back?

Posted by gsporar on March 9, 2008 at 5:08 PM PDT

As I described back in December, Sun ordinarily sponsors the annual holiday party
of the Austin Java Users Group (AJUG). This is something that Albert Leigh and
I help coordinate. When the opportunity to sponsor an additional AJUG meeting in
February became available, we jumped at the chance to bring Ken Russell to town.
This blog entry is my belated report on the end result. Special thanks to Samuel Terry
of Sun's Field Marketing office for providing the funding and to Aaron Houston for the
swag that we used as prizes.

Ken is the architect of the next-generation Java Plug-in and the
project lead for JOGL, the Java binding to OpenGL.

Ken started his presentation with a couple of quotes, one from
Ben Galbraith and another from the
Java Posse, both of which
can be summed up as: "Applets really suck." He then talked about the many reasons
why, with a focus on problems in the Java browser plug-in.

In Ken's view, the newly rewritten Java browser plug-in changes everything. The
problems with browsers hanging and crashing are gone. In addition, the deployment
model for applets will be the same as for Web Start and
the integration with JavaScript
has improved. More details are in Ken's presentation slides, but just reading through
them will not provide you with Ken's enthusiasm or the cool demos that he did.

The new browser plug-in is part of JDK 6 Update 10, which has also been referred to
as the "Consumer JRE." It is also known as JDK 6 Update N, because originally they
were not sure what update number to assign to it.

It all seemed to strike a chord with the audience - there were many questions.
Rob Ratcliffe, one of the AJUG board members, wrote this in his recap email:

"Ken gave a great talk on
the new capabilities of the redesigned Java Plug-in. I'm excited that
there may be a rebirth of embedded rich Swing-based applications over
the slightly unwieldy mix of DHTML, JavaScript, Ajax, etc. (Although,
it appears that applets and JavaScript will play well together in the
new plug-in.)"

Comments

All we're doing is applying the existing applet security model in the context of JNLP. Applets can pull code from multiple web servers. Each piece of code is granted the permission to connect back to the host from which it came. This has been true for years. If you have multiple pieces of untrusted code from different origins on the stack, according to the Java 2 Security Model, the intersection of their permissions is the empty set and they don't receive permission to explicitly open, for example, a socket connection to any server.
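
The stack-intersection rule described in the comment above, modelled as an added example (not code from the post, the commenters or the Java Plug-In). It uses the real java.net.SocketPermission and java.security.Permissions classes; the class name, the allowed() loop standing in for the JVM's own access check, and the two addresses are constructed for illustration.

```java
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.List;

/** Model of the stack-intersection rule; not the JVM's own access controller. */
public class StackIntersectionDemo {

    /** Untrusted code gets exactly one grant: connect back to the host it came from. */
    static Permissions untrustedFrom(String originHost) {
        Permissions granted = new Permissions();
        granted.add(new SocketPermission(originHost, "connect"));
        return granted;
    }

    /** A request passes only if every frame on the call stack holds the permission. */
    static boolean allowed(List<Permissions> stack, Permission requested) {
        for (Permissions frame : stack) {
            if (!frame.implies(requested)) {
                return false; // one frame without the grant denies the whole call
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed addresses from the documentation ranges.
        // IP literals keep SocketPermission from doing DNS lookups.
        String hostA = "192.0.2.10";
        String hostB = "198.51.100.20";
        Permissions codeFromA = untrustedFrom(hostA);
        Permissions codeFromB = untrustedFrom(hostB);
        Permission connectToA = new SocketPermission(hostA + ":443", "connect");
        Permission connectToB = new SocketPermission(hostB + ":443", "connect");

        // Code from a single origin: only the connection back to that origin passes.
        System.out.println("A alone -> A: " + allowed(List.of(codeFromA), connectToA));
        System.out.println("A alone -> B: " + allowed(List.of(codeFromA), connectToB));

        // Code from both origins on the stack: neither connection passes,
        // because each target is missing from the other frame's grants.
        List<Permissions> mixed = List.of(codeFromA, codeFromB);
        System.out.println("A+B     -> A: " + allowed(mixed, connectToA));
        System.out.println("A+B     -> B: " + allowed(mixed, connectToB));
    }
}
```

Only the first check succeeds: pulling code from a second server does not widen what either piece of code may connect to.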

Definitely a big step forward. The next big step missing from both applets and Webstart is improving handling of signed and unsigned applications. I still find that the vast majority of applications in the wild request unlimited permissions for tasks that really shouldn't require it. Can this be improved?

Interesting that you should point out that applets have new life with the latest plug-in. Personally, I'm a believer...but I think the battle is uphill from here. The perceptions that applets are difficult, slow, unresponsive, too heavy, etc, etc are still alive and well -- despite the reality.

In a recent blog, I point out just such a perception problem that I recently faced. Thanks for getting the word out on another great reason to keep working with Java applets.

One improvement we're in the process of making is removing artificial restrictions in the JNLP spec that limit what unsigned applications can do -- for example, pull in extensions from other web servers. These improvements have already been made in the Java Plug-In. Hopefully this should reduce the need to sign at least some applications and applets.

In terms of finer-grained requesting of security privileges, this is a known area that needs work. I believe there are already RFEs against the JNLP spec to expand the "security" tag. Note that with the JNLP services an unsigned application can get finer-grained access to individual files, persistence, etc. With the new JNLP support in the Java Plug-In (present in 6u10 build 13, documentation coming soon) applets can access JNLP services as well.

One improvement we're in the process of making is removing artificial restrictions in the JNLP spec that limit what unsigned applications can do -- for example, pull in extensions from other web servers. These improvements have already been made in the Java Plug-In.

Whoa! Are you saying that an applet can connect to other hosts without permission? Bad, real bad.

Please let's hear more about this.