Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Java Oracle Security IT

Oracle To Drop Java Browser Plugin In JDK 9 (softpedia.com) 165

An anonymous reader writes: After Mozilla said in October that it would stop supporting Firefox plugins on the older NPAPI technology, Oracle had no choice now but to announce the deprecation of the Java browser plugin starting with the release of the JDK version 9, which is set for release in March 2017, and developers are urged to start using the Java Web Start pluginless technology instead. Security issues also had a big part in Java's demise.
This discussion has been archived. No new comments can be posted.

Oracle To Drop Java Browser Plugin In JDK 9

Comments Filter:
  • by Anonymous Coward

    The plugin is in demise. Java is going strong. FUD.

    • I'm old enough to remember when Java was supposed to be "write once, run everywhere", and all that downloadable code was supposed to be sandboxed so the security hassles were fixed. Maybe I'm a little fuzzy here, but all that was supposed to arrive on a pony [c2.com].
      • by Anonymous Brave Guy ( 457657 ) on Thursday January 28, 2016 @10:54AM (#51387963)

        The thing is, Java applets actually were write once, run anywhere in terms of browser portability, at least until the powers that be started making it difficult to run applets in a browser at all. The same was true of Flash.

        In contrast, newer technologies that are supposed to provide functionality that plugins were good for, like HTML5 media elements and canvas/SVG/WebGL, have wildly different levels of feature support, implementation quality, and performance across browsers. I understand the reasons browser makers want to drop plugin support, but the alternative browser-native technologies still have a long way to go.

        • by AmiMoJo ( 196126 )

          Java applets were written once and then failed to run for most people because they didn't have the plug-in, couldn't install it, couldn't update it, had Java disabled etc.

          We should all be pushing for web apps to be Javascript and HTML. Forget even stuff like canvas and WebGL. We want apps that are function and display useful data in a readable manner, not flashy stuff, right?

          • We should all be pushing for web apps to be Javascript and HTML. Forget even stuff like canvas and WebGL. We want apps that are function and display useful data in a readable manner, not flashy stuff, right?

            I agree up to a point. Functionality is more important than presentation, and certainly we want readable and usable over flashy. That said, there is definitely a place for well-designed visualisations and custom interactions in GUIs, not to be flashy but because they are more efficient and less error-prone. Implementing that functionality in a web context does need some capable tool, whether it's Java, Flash, a D3-backed SVG, or something else entirely.

      • Re: (Score:2, Insightful)

        by Lisandro ( 799651 )

        Been stating this for a long time now. I've had (way) less issues writing portable code in Python and Perl than i did in Java.

        • How do you write your user interfaces in Python? And in Java? Does Python3 run your Python2 code?
          • How do you write your user interfaces in Python?

            Pick your favorite UI toolkit and use its Python bindings. PyGUI [canterbury.ac.nz] is super lightweight and it will render native widgets on Windows, Mac and *nix (GTK+ 2)

            Does Python3 run your Python2 code?

            For the most part, yes, but it is not necessary; Python 2.x is still widely used so most setups have both Python 2.x and 3.x installed. In fact, i'd argue that version management is easier on Linux scripts than it ever was on Java.

      • Taking that a step further, IIRC, the ability to run a Java applet directly from within a browser was one of the original primary selling points of Java. In fact, I think it was originally promoted as an applet language that you can write full-fledged programs in, rather than as a full-fledged programming language that you can (could) write applets in.

        Of course, times change. If the flying car ever becomes a big success, I predict that its primary selling point will eventually become that it can drive on r

        • If the flying car ever becomes a big success, I predict that its primary selling point will eventually become that it can drive on roads, and its flying capability will be deprecated.

          Watch how the drone fracas unfolds. TPTB may not be on about letting everyone have a flying machine [wikipedia.org].

      • I'm old enough to remember when Java was supposed to be "write once, run everywhere"

        you don't have to old to look at the millions of android devices running write once run anywhere apps written in java.

        • I don't see too many programs for android that require a Java runtime.
          • OP said "Java".

            Java: a programming language
            JVM: an implementation of a virtual machine that executes byte code.

            regardless, does it make a difference? android code is byte code compiled from java source code. the paradigm is the same.

  • We have way to many systems dependent on it. Most of our big applications are JSP based, but we have quite a few java applications browser and even desktop based.
    • The malware authors will surely love your organizationi for keeping the web plugin around for them to exploit. Now they won't even have to worry about security bugs being patched.

      • by Anonymous Brave Guy ( 457657 ) on Thursday January 28, 2016 @11:03AM (#51388009)

        Your fear-mongering is several years of out date. Java applets have had multiple levels of click-to-play style protection for a long time. Malware authors are having much more success targeting things like Android users these days.

        • Your fear-mongering is several years of out date. Java applets have had multiple levels of click-to-play style protection for a long time. Malware authors are having much more success targeting things like Android users these days.

          Yeah and the click-to-play has been bypassed multiple times.

          • Not to mention that most office workers will reflexively click through each and every click-to-play popup.
          • [citation needed]

            I'm not saying it doesn't exist, but so far I haven't seen any report of malware that can successfully bypass the click-to-play limitations in both the browser and Java itself. There have been some ingenious attacks on parts of the infrastructure, such as the Pawn Storm issue a few months back, but as far as I'm aware even those required the browser itself to have Java enabled and only compromised the Java plugin's security architecture.

            As an aside, if such malware did exist, it would self-

    • We have way to many systems dependent on it. Most of our big applications are JSP based, but we have quite a few java applications browser and even desktop based.

      There are just so many systems out there that depend on Java, many of which are embedded in hardware. This was a bit short sighted of the hardware vendors.

    • JSP - No change
      Desktop - No change
      Browser - Easy fix

      If you really have applet still in use today, you can convert them to Web Start without touching the binary. All you need to do is update your web page and make a jnlp file that points to where the applet is and any configuration that was originally on the web page itself.

      There aren't many problems,here are the edge cases I can see:
      1. Packaged sites - You want to support your applet with ads (who does this with Java anymore?)
      2. Javascript interop.
      3. Cross

      • by gmack ( 197796 )

        And how do I update the web page on our IP KVM switch?

        • Assuming that the java applet is the only thing you are interested in (as in it is not heavily integrated with the web page), you can use appletviewer. I don't think they will get rid of this as it is just a simple container for applets rather than interfacing with the browser. Took me an hour back in college to make one of those myself.

          I think you can also put the jsp file that runs the applet on another server as long as it is on the same domain as your switch.

    • by adler187 ( 448837 ) on Thursday January 28, 2016 @03:32PM (#51390713) Journal
      Headline is wrong (where am I? Oh, right Slashdot) and the summary is not fully correct. Here's what the blog post actually says:

      "Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release."

      So you have until JRE 10 at the earliest when it's removed. JRE 9 isn't scheduled to come out until 2017 and JRE 10 sometime after that, so the more pressing problem will be finding a browser that supports NPAPI plugins to even run the current plugin: Chrome has already removed NPAPI support in Chrome 45, Firefox will be removing it by the end of 2016, Edge never had NPAPI support, and I have no idea about Apple's plans with Safari (my guess would be remove support in next release of OS X).

      Gonna have to keep around an old version of Firefox or Chrome (portable version, perhaps?) to be able to use legacy applet based applications.
  • by Anonymous Coward

    I uninstalled Java for a year or two, but was forced to reinstall it when working on my CCNA. It is amazing how horrible Cisco's software is.

    • by Junta ( 36770 )

      It is amazing how horrible enterprise software is.

      Fixed that for you. I'm eternally amazed how terrible all the 'enterprise' software vendors do at making software, Cisco included.

  • Java's 'demise'? I think that's a bit of an exaggeration [sitepoint.com].
    • Yes, the browser plugin's demise. Or are you incapable of understanding the context of that phrase?

      • I'm always surprised by the number of people who don't know the difference, and think that because they interact at work occasionally with some crappy Java applet written in the early 2000s or late 1990s, that all enterprise Java (or even most of it) is entirely in the form of Java applets.

  • But,but,but ... Java runs in a sandbox and can't possibly be a security risk. I know that because experts told me so in the 1990s and experts are NEVER wrong.

    • by robmv ( 855035 )

      But but browser insecurity is because of plugins (Mozilla security bugs [mozilla.org]). I know that because browser vendors told me so in the 2000s and experts are NEVER wrong. :P

      Note: bugs aren't the only problem here, it is your update process, and Oracle Java has an awful one, add to that that people do not update. OpenJDK does not suffer of this bad update process because distributions use their package manager to push updates.

      • Even with timely updates, the browser plugin was just a security hole whack-a-mole game. Only Flash Player managed to be a more bug-ridden piece of shit.

      • by cruff ( 171569 )

        OpenJDK does not suffer of this bad update process because distributions use their package manager to push updates.

        That assumes one allows unattended updating or a strict adherence to checking and installing the updates manually, or not being allowed to install updates because it can only be an approved configuration and the configuration change board never meets...

        • by robmv ( 855035 )

          true, but is is better that a fracking systray icon, for a normal user is just a system update

          • The worst thing, IMHO, is not just that it was a systray icon, but that at some point the updater would attempt to run immediately! I'd start doing something, and UAC pops up with a "Are you sure you want to run this?" My instinct is "WHAT IS THIS MALWARE?!?" and to click "Hell no"

      • Java had its share of bugs leading to zero-day attacks - language implementation bugs, not the browser. This one [mitre.org] made a lot of noise a couple years ago [dontneedcoffee.com].

      • by AmiMoJo ( 196126 )

        This is why all major browsers are abandoning Netscape plug-ins (or ActiveX in the case of MS Edge). Google's NaCl seems to be the best replacement. It runs bytecode plugins at near native speed, fully sandboxed.

        Having said that, Javascript PDF viewers are more than adequate and the only other thing is Flash... So do we need binary plug-ins at all?

  • "Java's demise" (Score:2, Insightful)

    by Anonymous Coward

    Hardly, unless you are talking about browser plugin technology. It was never big there to begin with, but Java is still a major player in server side technology.

    • Hardly, unless you are talking about browser plugin technology.

      The browser plugin has needed to die for 20 years, so I'm glad to see it finally happen.

      The submitted appears to now know the difference between the Java browser plugin and the Java language. The former is dying (it's about time), while the latter is thriving.

  • Almost every bank in Brazil uses java plugin for security login. Every single .gov.br site that has any remote type of login uses it too. So in one hand, they will have to adapt. Most banks will. FINALLY. OTOH there is no way in hell that the [brazilian] government will adapt in less then.. 5 year I guess. So, from some point forward in the future, I will have to support clients using Internet Explorer.
  • This isn't surprising if you've been following Chrome. By some metrics it's the most used browser now, and they dropped support for NPAPI plugins (like Java) due to security concerns. Oracle's official reply to this has been "use Firefox" which in my opinion was incredibly short sighted, unless they feel Java just won't work using PPAPI. Who on earth is going to use a plugin in their website that doesn't support one of the biggest browsers? That person would have to build a fallback for Chrome, and at that

    • by mrops ( 927562 )

      As a java developer, working on java from JDK 1.0,

      This is a long time coming, Java is now mostly used on large server side projects. Its driving the Big Data revolution with technologies like Apache Spark. Running countless servers on Tomcat and/or Spring containers.

      Oracle is not wrong in discontinuing the browser plugin. They should have done it with JDK 5

      • by Junta ( 36770 )

        Its driving the Big Data revolution

        I think I just threw up in my mouth a little. Not to disparage the technical benefit of the technology, but that phrasing just makes me cringe about anything.

      • Java is now mostly used on large server side projects.

        ever heard of Android?

        • Java is now mostly used on large server side projects.

          ever heard of Android?

          Since when does Android run Java byte code? Oh, it doesn't.

          • so quick to be a smart ass. check your work next time.

            Java is now mostly used on large server side projects

            it doesn't say java byte code does it? it says java, as in the language.

            • Here is the quote and your reply:

              Java is now mostly used on large server side projects.

              ever heard of Android?

              Java does not, and never has, run on android.

              • Sigh. You are right, Android doesn't run The JVM. But that's not what the OP said is it?

                Java is a language that is compiled into various forms. One is dalvik, and now ART byte code that's run on Android. Also, you can take Java byte code compiled libraries and run them on Android if you want to quibble.

                So, right, Android doesn't run Java, it just runs apps written in Java and libraries compiled to Java Byte Code. Good thing we cleared that up.

                • Java byte code does NOT run on android. That's not a quibble, just an inconvenient fact.
                  • Here you go,

                    {quote}
                    Dalvik programs are written in Java using the Android application programming interface (API), compiled to Java bytecode, and converted to Dalvik instructions as necessary.
                    {quote}
                    https://en.wikipedia.org/wiki/... [wikipedia.org]

                    You done now? If you are going to say "Ah HA! It doesn't actually run Java byte code, it converts the byte code to Dalvik instructions!"- well, that's the definition of a quibble. It's an implementation detail of Dalvik that a developer doesn't need to care about. From their point

                    • Funny - my Android uses the Android RunTime - dalvik was dumped at the last upgrade. The very FIRST WORDS from your link: "Dalvik is a discontinued process virtual machine." It even says that as of Android 5.0, there is no more dalvik.

                    • ART is just a different runtime. it still allows java byte code. from the developer's perspective, it's no different.
                      regardless, what percentage of devices are running Dalvik. what percentage run ART? oh ... darn.

                    • Java byte code (.class files) is converted to the dex format during the compile process. Even dalvik never ran java code. Part of the build process is to convert the java class files to dex format, because dalvik cannot do java classes.

                      As you can see in this diagram [android.com], the .apk file only contains .dex files, resources (compiled and uncompiled), and the AndroidManifest.xml file. No .class files (which means no java byte code) to be seen. Not for Dalvik. not for Art.

                      And you can't just blindly write java sourc

  • by Anonymous Coward

    The announcement says that the plugin will be deprecated from java 9, and removed "in a future Java SE release".

  • by Z00L00K ( 682162 ) on Thursday January 28, 2016 @11:59AM (#51388473) Homepage

    Interestingly the dupe post promoting Softpedia got promoted over the post that directly linked the Oracle Blog post: http://slashdot.org/submission... [slashdot.org]

  • The one and only time I had a Windows machine infected was some malware that got installed without my knowledge via Java Web Start. I have never let that be on a computer of mine since. I've never had that happen via the Java plugin (which, BTW, I don't allow to run by default in FF and Chrome).

interlard - vt., to intersperse; diversify -- Webster's New World Dictionary Of The American Language

Working...