5

Refer to New security requirements for RIAs in 7u51 (January 2014).

RIAs must contain two things:

  1. Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed, regardless of its Permissions attributes.
  2. Manifest Attributes
    • Permissions – Introduced in 7u25, and required as of 7u51. Indicates if the RIA should run within the sandbox or require full-permissions.
    • Codebase – Introduced in 7u25 and optional/encouraged as of 7u51. Points to the known location of the hosted code (e.g. intranet.example.com).

Ref. another post on Stack Overflow: I have the same concern that a certificate is expensive for intranet use.
Sign applet and deploy it in intranet.

I am planning to start a new intranet project, should I give up the consideration on applet?
All of my intranet users do not have the ability to connect to the outside internet; they are in a closed network. I highly doubt the need for a signed applet......?

  • 6
    *"I am planning to start a new intranet project, should I give up the consideration on applet?"* Avoid applets if humanly possible. That is advice I've been giving for a long while, before the latest slew of security updates. – Andrew Thompson Oct 18 '13 at 02:10
  • @AndrewThompson: what about javafx? it's a nice technology and I think it runs pretty much the same way as applets. – Denis Tulskiy Oct 18 '13 at 04:31
  • 2
    *"what about javafx?"* What about it? To my eye, it already seems doomed. I thought it was taking a long time to migrate from *"Here's a GUI toolkit we are playing with - you like?"* to *"This is in the JSE - deal with it"*. When it came to Java 7 that includes(?) Java-FX, I was surprised that there was no reference to Java-FX classes in the JSE Java Docs. From that I expected to see it migrated to the Java-Docs in Java 8 at the latest.. But then, I recently read that Oracle was *planning* to incorporate it in Java 9. ..?!? Too little, too late, for most people's tastes. – Andrew Thompson Oct 18 '13 at 04:41
  • @DenisTulskiy JavaFX used like an applet is exposed as an applet, so it is really not an *alternative* for applet. (on using it, I tend to agree with [this post](http://stackoverflow.com/a/433191/365237) - but not with the using applet part :) – eis Oct 18 '13 at 04:48
  • Well probably take a look at WebStart... – keuleJ Oct 18 '13 at 06:22
  • 1
    @AndrewThompson IIRC, JavaFX (2) was included in the Oracle JRE but was not in OpenJDK. – Tom Hawtin - tackline Oct 21 '13 at 12:58
  • @TomHawtin-tackline Thanks for the info. I am leery of using any functionality that has a caveat like *" but was not in ..JDK"* though. It just does not seem cross-platform if it is not compatible across SDK/JREs. – Andrew Thompson Oct 21 '13 at 13:15
  • @AndrewThompson There are many fine libraries that are not in the JDK. – Tom Hawtin - tackline Oct 21 '13 at 13:35
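
A pre-deployment check for the two requirements listed in the question, added here as an example (not code from the post, the linked blog, or Oracle): it inspects a JAR for signature entries in META-INF and for the Permissions and Codebase manifest attributes. The function names and the sample JAR are constructed for illustration, and treating a Codebase that does not list the expected host (including a wildcard) as a finding is an assumption of this example.

```python
import io
import zipfile

ALLOWED_PERMISSIONS = {"sandbox", "all-permissions"}  # values Oracle documents

def parse_main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF, unfolding wrapped lines."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line:                        # blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation of the previous value
            attrs[last] += line[1:]
        elif ": " in line:
            name, value = line.split(": ", 1)
            last = name.lower()             # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def audit_ria_jar(jar_bytes, expected_host):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = parse_main_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/") and n.count("/") == 1]
    # Presence check only; `jarsigner -verify` does the cryptographic validation.
    if not (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)):
        findings.append("unsigned: no signature file/block in META-INF")
    perms = attrs.get("permissions", "").strip()
    if perms not in ALLOWED_PERMISSIONS:
        findings.append("Permissions missing or invalid: %r" % perms)
    hosts = attrs.get("codebase", "").split()   # Codebase may list several hosts
    if expected_host not in hosts:
        findings.append("Codebase missing or does not name " + expected_host)
    return findings

def build_sample_jar(manifest, signed):
    """Constructed sample input: in-memory JAR with placeholder signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/INTRANET.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/INTRANET.RSA", b"placeholder")
    return buf.getvalue()

SAMPLE = build_sample_jar("Manifest-Version: 1.0\r\nPermissions: sandbox\r\nCodebase: intranet.example.com\r\n\r\n", True)
```
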

4 Answers

5

> I am planning to start a new intranet project, should I give up the consideration on applet?

Well, yes. Applets haven't been a very good technology choice for a long time, even without Oracle's latest changes. If you can do the same using other technologies, that's usually better.

Some reasons:

  • continuous stream of vulnerabilities (which is why it should really be disabled by default on browsers)
  • resource intensive
  • separate access from the web page (act close to plugins)
  • deployment isn't very straightforward
  • doesn't have the tooling some alternatives have

The most serious reason is the vulnerability issue, but others play a role as well.

> All of my intranet users do not have the ability to connect to the outside internet; they are in a closed network. I highly doubt the need for a signed applet......?

It's mandatory in the latest versions of the Java plugin, so you cannot really help that.

See this discussion on what's needed if you would like to keep on going with the applet. If you don't do it, it will not work on the latest versions of Java.

eis
4

As a disclaimer, I am the author of the blog post that you linked to. Intranets are typically known communities where people have reasons to trust each other. If you do not want to purchase a code signing certificate, you can share your public certificate within the small network of trust. This works on an organizational scale but not so much internet-scale. Also for @TomHawtin above, OpenJFX is available.

Costlow
3

I think another option, if you want to stick with Applets, would be the promised Exception Site List, which should be available in 1.7.0_51 as well. It still means that users need to adjust Java Applet Properties, but at least as far as I understand the post, it will make it possible to allow certain applets on the user machine.

centic
0

As centic mentioned Dec 6 '13 at 20:23, the Exception Site List is a per-user override to allow applets to run. Oracle help has been updated with this article: How can I configure the Exception Site List.