The Act We Act
Banishing the applet warning
The lowly Java applet is seemingly poised to make a comeback, thanks to the radically overhauled plug-in in Java SE 6 Update 10 and its many improvements (quick start, doesn't crash the browser, applets tear off and become Web Start apps, etc.), along with the growing interest in Rich Internet Applications. For some, that means it's 1996 all over again, as we go running to find our old copies of Laura Lemay's Teach Yourself Java in 21 Days and figure out the parameters for the
<applet> tag again... or wait, do I do an
<object> or an
<embed> or something now? Dang, it's been a while.
And of course, once you get your applet up and running, you come up against the security restrictions meant to protect against malicious applets. No filesystem access, no network access to any host other than the one the applet came from, etc. You can get around this by signing your applet, but then the user will have to explicitly grant access permissions, which typically means tech support gets calls from people who are terrified and confused by the security dialog. Someone somewhere sighs, and asks, "are you sure we can't just do this with DHTML and CSS?"
Josh Marinacci notes that the security back door has been opened just a little bit in 6u10, as he explains in Java Doodle: crossdomain.xml Support:
Signing is great when you need access to more than what is allowed inside the sandbox, but it has two problems: the user will receive an ugly warning dialog about the applet, and the applet will have full access to the user's computer. Full access is overkill when all you want to do is talk to a webservice on another server. Surely there is some middle ground between the sandbox and full access? Well now there is.
If the server hosting a webservice has special xml file on it then the applet plugin will allow connections to that server. This special file is called a crossdomain.xml file and it must be present on the exact subdomain hosting the webservice.
To show it off, Josh offers an applet hosted on his home server that pulls photos from Flickr. Full details of the needed XML, plus a graceful degredation strategy, are provided in the blog, which he says is "the first in a series I'm going to call Java Doodles, highlighting the new features in JavaSE 6 update 10, now in beta."
Hey, Josh, I thought you were already doing a "doodles" series with JavaFX? Oh well, same basic idea, right?
Also in today's Weblogs, Kirill