5

I have an (unsigned) applet that lets you draw a logic circuit and test it on-screen (a bit like Electronics Workbench), and it then serializes the circuit (the internal form, not the visual representations) and sends it to the server where a bunch of automated tests are run and a performance report is produced. This is a small but crucial part of a much larger web app.

However, the latest Java plug-in now says this:

"Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk."

Now, self-signing it will still apparently work (for now), but then the code runs OUTSIDE the sandbox, which strikes me as a stupid way to do things, even though my code is of course completely bug-free! (Can I interest you in buying a bridge?) Reading further on the Oracle website I see this:

"The platform will not deny the execution of Java applications... Future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications."

(Which sounds like it means "Future updates will deny the execution of Java applications" -- unless you pay money to Thawte or Verisign on a regular basis AND expose users to code running outside a sandbox.)

They also say

"Even the smallest changes in user experience are sometimes troublesome".

(No kidding.)

"We have considered how changes affect user experience. Given the current climate around Java security in the browser, code signing is a valuable security control for protecting Java users."

Well, I don't see how I can continue using Java under these circumstances. The goalposts have been moved (again), and now I'm looking for a different football team... or more precisely, I'm looking for an alternative technology that will let me continue to do what I do now: drag & drop circuit elements, create connections by dragging between inputs and outputs or other connections, and finally take the internal form of the diagram and squirt it to the server in a form which can be decoded and exercised, preferably by exactly the same code that created the diagram to avoid versioning headaches. And something which is safe, which can't trash the local filesystem or whatever just because I've signed it.

Can anyone suggest where I should be looking next, now that Oracle has made my life a nightmare?

Jon Heller
user1636349
  • HTML5 or Flash technologies can replace java applet – Iłya Bursov Jan 11 '14 at 18:42
  • But can you run them server-side? I have e.g. classes to represent gates, counters, shift registers, and I use them both client-side and server-side so I get *exactly* the same behaviour on both systems. – user1636349 Jan 11 '14 at 18:44
  • *"But can you run them server-side?"* An applet does not run server side. It is purely client side. – Andrew Thompson Jan 11 '14 at 19:30
  • @AndrewThompson I guess he means that he's using some classes both on the client-side and on the server-side (not in an applet, of course) – watery Jan 11 '14 at 19:44
  • @AndrewThompson: Actually, the applet includes a main(), so I can run it client-side as an applet or server-side as an application. This means that I only have one code base to maintain. – user1636349 Jan 11 '14 at 20:23

3 Answers

3

> (Which sounds like it means "Future updates will deny the execution of Java applications" -- unless you pay money to Thawte or Verisign on a regular basis AND expose users to code running outside a sandbox.)

A signed applet launched using JNLP can still be sand-boxed.


But if you really wish to avoid it..

I think what you described can be provided using JavaScript for the logic and an HTML 5 canvas for the rendering.

I would avoid Flash, since it is also susceptible to security bugs. It would be like digging yourself a brand new hole to get trapped in.

Andrew Thompson
  • OK, I'll look into using JNLP. Haven't needed such fluff before, but now... Meanwhile I presume paying money to Verisign is still a must? (Thawte seem to have pulled the free certification they used to offer.) As for HTML5/JS... it means using something like JSON to talk to the server and a brand-new server-side application that I have to keep in step with the (separate) client-side code... sigh. – user1636349 Jan 11 '14 at 20:06
  • *"..paying money to Verisign is still a must?"* No. I don't have the link handy, but there is one organization (coming out of Europe) from which it is possible to obtain a free certificate. Search the [tag:java-web-start] & [tag:jnlp] posts here and you might stumble across the details.. – Andrew Thompson Jan 12 '14 at 02:05
  • The only ones I found were StartSSL (www.startssl.com; Israel?) and CACert (www.cacert.org; Australia); various others seem to have had free offerings in the past but have since withdrawn them. Nothing from Europe AFAICS. I'm planning to have a look at the two I mentioned in the coming week and will try to report back. Apart from that everyone seems to want something on the order of $80 a year. – user1636349 Jan 12 '14 at 16:52
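The comments above worry that an HTML5/JS client talking JSON needs a separate server-side application kept in step with it. As an added example (not code from the question or the answer), the sketch below shows one circuit model in plain JavaScript that both the page and a JavaScript server runtime could load, with the submitted JSON validated as untrusted input before it is evaluated; the JSON layout, `MAX_NODES`, and all function names are assumptions made for illustration.

```javascript
// Added example; GATES, parseCircuit, evaluate and the JSON layout are hypothetical.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const GATES = {              // allow-list: type -> [input count, function]
  AND: [2, (a, b) => a && b],
  OR:  [2, (a, b) => a || b],
  XOR: [2, (a, b) => a !== b],
  NOT: [1, (a) => !a],
};
const MAX_NODES = 1000;      // assumed upper bound on a submitted circuit

// Decode a submitted circuit, treating it as untrusted input. Node i may only
// read from lower-numbered nodes, so the netlist is acyclic by construction.
function parseCircuit(json) {
  const doc = JSON.parse(json);
  if (!doc || !Array.isArray(doc.nodes) || doc.nodes.length > MAX_NODES)
    throw new Error('bad circuit: nodes');
  const nodes = doc.nodes.map((n, i) => {
    if (n && n.type === 'IN' && typeof n.name === 'string')
      return { type: 'IN', name: n.name };
    const known = n && typeof n.type === 'string' && has(GATES, n.type);
    const spec = known ? GATES[n.type] : null;
    if (!spec || !Array.isArray(n.in) || n.in.length !== spec[0])
      throw new Error(`bad circuit: node ${i}`);
    for (const src of n.in)
      if (!Number.isInteger(src) || src < 0 || src >= i)
        throw new Error(`bad circuit: wire into node ${i}`);
    return { type: n.type, in: n.in.slice() };
  });
  return { nodes };
}

// Evaluate every node for one set of named inputs; returns one boolean per node.
function evaluate(circuit, inputs) {
  const out = [];
  circuit.nodes.forEach((n, i) => {
    out[i] = n.type === 'IN'
      ? has(inputs, n.name) && Boolean(inputs[n.name])
      : GATES[n.type][1](...n.in.map((src) => out[src]));
  });
  return out;
}

// Constructed sample: a half adder as the client would serialize it.
const HALF_ADDER = JSON.stringify({ nodes: [
  { type: 'IN', name: 'a' }, { type: 'IN', name: 'b' },
  { type: 'XOR', in: [0, 1] },   // sum
  { type: 'AND', in: [0, 1] },   // carry
] });
```

Because the gate table is an allow-list checked with `hasOwnProperty`, a submitted type such as `constructor` is rejected rather than resolved through the prototype chain.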
0

I can't comment on what you found about applets, since I never wrote one.

If you want to move away from them, maybe your only option (while staying with Java) is to go for web applications, where the code is mostly on the server side and you interact with your software directly in your browser. On the client side, JavaScript (and JS-related libraries like jQuery) is used, though I can't elaborate on it more since I don't know the Java EE stack very well yet.
I'm not sure if you can get 100% the same user experience as you currently have in your applet, above all for an electronics application. But it may offer the highest code-reuse of most of your Java classes.

I've used Vaadin, it's a framework that moves almost all your coding to the server-side (you only need to code the client side if you want to create addons). I've heard about Zk too, but I've never used it, so I can't say anything about it.

watery
  • At the moment most of the work is done client-side, building and testing something until it's in a state where it can be submitted for more extensive automated testing on the server side. Vaadin looks a bit JQuery-ish at first glance (but I'll have a second glance later); if there's enough HTML5 graphics/drawing support there I might be able to do something with Ajax/JSON to get the server to provide the behaviour (redraw these elements on the rising edge of the simulated clock, blah blah). Thanks for the suggestion. – user1636349 Jan 11 '14 at 20:54
0

You can still run unsigned Java applets in your web pages if you block your Java plugin in the browser to the version SE 7 U11 (jre-7u11-windows-i586.exe). Of course you will have to block automatic Java update with "C:\Program Files (x86)\Java\jre7\bin\javacpl.exe". I hope you can survive for a while this way, before you find an alternative to Java applets. In HTML5 the tag to call an applet is now object and the syntax is a bit different:

<object codetype="application/java" 
        classid="yourApplet.class"
        codebase="http://www.yourserver ..."
        archive="YourJarFile.jar"
        width="x" height="y">
        <param name="paramName1" value="paramValue1"/>
        <param name="paramNamei" value="paramValuei"/>
</object>
Mathias Zaja