Contents - Cultural View


culturalview.com
14.07.2013

Java applet

• If a standalone program (like Google Earth) talks to a web server, that server normally needs to support all previous versions in case a user has not kept his or her client software up to date. In contrast, a properly configured browser loads (and caches) the latest applet version, so there is no need to support legacy versions.
• The applet naturally supports the changing user state, such as figure positions on the chessboard.
• Developers can develop and debug an applet directly, simply by creating a main routine (either in the applet's class or in a separate class) and calling init() and start() on the applet, thus allowing for development in their favorite Java SE development environment. All one has to do after that is re-test the applet in the AppletViewer program or a web browser to ensure it conforms to security restrictions.
• An untrusted applet has no access to the local machine and can only access the server it came from. This makes such an applet much safer to run than a standalone executable that it could replace. However, a signed applet can have full access to the machine it is running on if the user agrees.
• Java applets are fast and can even have similar performance to native installed software.

Disadvantages

A Java applet may have any of the following disadvantages:

• It requires the Java plug-in.
• Some organizations only allow software installed by the administrators. As a result, some users can only view applets that are important enough to justify contacting the administrator to request installation of the Java plug-in.
• As with any client-side scripting, security restrictions may make it difficult or even impossible for an untrusted applet to achieve the desired goals.
• Some applets require a specific JRE. This is discouraged. [25]
• If an applet requires a newer JRE than available on the system, or a specific JRE, the user running it the first time will need to wait for the large JRE download to complete.
• Java automatic installation or update may fail if a proxy server is used to access the web. This makes applets with specific requirements impossible to run unless Java is manually updated. The Java automatic updater that is part of a Java installation also may be complex to configure if it must work through a proxy.
• Unlike the older applet tag, the object tag needs workarounds to write a cross-browser HTML document.

Compatibility-related lawsuits

Sun has made a considerable effort to ensure compatibility is maintained between Java versions as they evolve, enforcing Java portability by law if required. Oracle seems to be continuing the same strategy.

The 1997 Sun - Microsoft lawsuit

The 1997 lawsuit [26] was filed after Microsoft modified its own Java Virtual Machine, which shipped with Internet Explorer. Microsoft added about 50 methods and 50 fields [26] into the classes within the java.awt, java.lang, and java.io packages. Other modifications included removal of RMI capability and replacement of the Java native interface from JNI to RNI, a different standard. RMI was removed because it only easily supports Java to Java communications and competes with Microsoft DCOM technology. Applets that relied on these changes or just inadvertently used them worked only within Microsoft's Java system. Sun sued for breach of trademark, as the point of Java was that there should be no proprietary extensions and that code should work everywhere. Microsoft agreed to pay Sun $20 million, and Sun agreed to grant Microsoft a limited license to use Java without modifications only and for a limited time. [27]

The 2002 Sun - Microsoft lawsuit

Microsoft continued to ship its own unmodified Java virtual machine. Over the years it has become extremely outdated, yet it is still the default for Internet Explorer. In 2002 Sun filed an antitrust lawsuit, claiming that Microsoft's attempts at illegal monopolization have harmed the Java platform. Sun demanded that Microsoft distribute Sun's current, binary implementation of Java technology as part of Windows, distribute it as a recommended update for older Microsoft desktop operating systems and stop the distribution of Microsoft's Virtual Machine (as its licensing time, agreed in the previous lawsuit, had expired). [27] Microsoft paid $700 million for pending antitrust issues, another $900 million [28] [29] for patent issues and a $350 million royalty fee to use Sun's software in the future.

The 2010 Oracle - Google lawsuit

Google has developed its own Android platform that uses Java features and concepts yet is not compatible with standard libraries. This has been a violation of the conditions under which Sun granted OpenJDK patents to use open source Java for all [30]. In 2010 Oracle sued Google [31] for using Java "in a wrong way", claiming that "Google’s Android competes with Oracle America’s Java" and that "Google has been aware of Sun’s patent portfolio .. since Google hired certain former Sun Java engineers". Oracle currently seems to be seeking as much as a stop to further Android development, trying to replace it with a standard Java version [32]. This lawsuit is currently ongoing.

Applet security

There are two applet types with very different security models: signed applets and unsigned applets. [33]

Unsigned applet

Limitations for unsigned applets are understood as "draconian": [34] they have no access to the local filesystem, and their web access is limited to the applet download site; there are also many other important restrictions. For instance, they cannot access system properties, use their own class loader, call native code, execute external commands on a local system or redefine classes belonging to certain packages. While they can run in a standalone frame, such a frame contains a header indicating that this is an untrusted applet. A successful initial call of a forbidden method does not automatically create a security hole, as an access controller checks the entire stack of the calling code to be sure the call is not coming from an improper location.

Several specific security problems have been discovered and fixed since Java was first released, and some, like the Calendar serialization security bug [35], even persisted as late as 2008 without anybody being aware. Some studies mention applets crashing the browser or overusing CPU resources, but these are classified as nuisances [36] and not as true security flaws. However, unsigned applets may be involved in combined attacks that exploit a combination of multiple severe configuration errors in other parts of the system. [37] An unsigned applet can also be more dangerous to run directly on the server where it is hosted because, while its code base allows it to talk with the server, running inside it can bypass the firewall. An applet may also try a DoS attack on the server where it is hosted, but usually the people who manage the web site also manage the applet, making this unreasonable. Communities may solve this problem via source code review or running applets on a dedicated domain. [38] [39] [36] [40]

As of 1999 no real security breaches involving unsigned applets have ever been publicly reported.

Signed applet

A signed applet [41] contains a signature that the browser should verify through a remotely running, independent certificate authority server. Producing this signature involves specialized tools and interaction with the authority server maintainers. Once the signature is verified, and the user of the current machine also approves, a signed applet can get more rights, becoming equivalent to an ordinary standalone program. The rationale is that the author of the applet is now known and will be responsible for any deliberate damage. This approach allows applets to be used for
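
An added example, not from the original article or the JDK, modelling the stack check described under "Unsigned applet": a call is allowed only if every frame on the call stack holds the permission. The class, the Frame type and the permission strings are hypothetical, and the privileged-frame case goes beyond what the text states.

```java
import java.util.*;

/** Simplified model of a stack-inspecting access check; not the JDK's AccessController. */
public class StackInspectionModel {

    /** One stack frame: who owns the code and what its code source is granted. */
    static final class Frame {
        final String owner;
        final boolean privileged;      // frame asserted its own rights (doPrivileged-style)
        final Set<String> granted;
        Frame(String owner, boolean privileged, String... granted) {
            this.owner = owner;
            this.privileged = privileged;
            this.granted = new HashSet<>(Arrays.asList(granted));
        }
    }

    /**
     * Walks the stack from the most recent frame (index 0) to the oldest caller.
     * Returns the owner of the first frame that lacks the permission, or null if allowed.
     */
    static String firstDenyingFrame(List<Frame> stack, String permission) {
        for (Frame f : stack) {
            if (!f.granted.contains(permission)) return f.owner;
            if (f.privileged) return null;   // older callers are not consulted
        }
        return null;
    }

    static void report(String label, List<Frame> stack, String permission) {
        String denier = firstDenyingFrame(stack, permission);
        System.out.println(label + ": " + (denier == null ? "ALLOWED" : "DENIED by " + denier));
    }

    public static void main(String[] args) {
        String read = "file.read";     // constructed permission names, not real JDK permission classes
        Frame systemIo = new Frame("system I/O class", false, read, "net.connect");
        Frame unsigned = new Frame("unsigned applet", false, "net.connect.origin");
        Frame signed   = new Frame("signed applet (user approved)", false, read);
        Frame helper   = new Frame("trusted library", true, read);

        // Constructed call stacks, most recent frame first.
        report("unsigned applet -> system I/O", Arrays.asList(systemIo, unsigned), read);
        report("signed applet -> system I/O", Arrays.asList(systemIo, signed), read);
        report("unsigned applet -> privileged library -> system I/O",
               Arrays.asList(systemIo, helper, unsigned), read);
    }
}
```

The first stack is denied even though the system class itself holds the permission, because the unsigned applet frame beneath it does not. The third stack is allowed, which is why trusted code that asserts its own privileges has to validate whatever its callers pass in.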

