Interview with Ken Russel about the new Java plugin
Well, as I promised, in addition to my post habrahabr.ru/blogs/java/49989
A small interview with the man who made a great contribution to the development of a new plug-in from Sun
The fruits of this person’s work are used by every developer who writes on the Java platform, and his name is Ken Russell (http://research.sun.com/minds/2008-0811/)
Please note that the interview was conducted in early December, so some events may be said in the future, although they have already come.
Me: For developers the opportunity to specify additional parameters in the command line for the VM. Of course, this is a great functionality that was not enough, but if there are security measures controlling the developer’s actions? For example, is it worth it for me to worry about going to some site, will it hang my PC because it has 5 applets that allocate 512MB RAM each?
Ken Russell: We thought about creating additional constraints in the specification of command arguments, for example: the limit of the maximum memory size that all applets can request is the maximum amount of available virtual memory in the system. However, in the first release of the Java Plug-In, we decided not to impose artificial restrictions in order to avoid the restriction of developers in unexpected situations. I note that the Java Plug-In will try to group applets within the same JVM even if they request additional memory and use the "separate_jvm" parameter to isolate the applet inside its own JVM, then this JVM will be stopped when switching from the page. In general, if the applet does not complete "cleanly", then the plugin will "hard" stop the JVM in which it was executed. This means that if you hit a page that behaves abnormally (which can be completely independent of Java), you can simply close it and the Java Plugin and the system will be restored.
I: when is this restriction planned to be introduced? and how will it look? For example, can I, as a user, tell a plugin that I trust this applet and if he wants to allocate 2GB RAM then let him allocate, but if I just went to some page then the applets on it should not get more than N MB of RAM?
Ken Russell: At the moment we have not planned a date for the development of this restriction. At the moment we are focusing our efforts on other areas. If the data received from our customers indicate the need for this functionality, we will put a priority on it.
')
Me: Then the following: applets have the ability to save a small amount of data on the client PC, I have not found any integration into the browser caching mechanism, how can I delete this data? Will it be possible to clear this data when clearing the browser cache? Or should users know how to clean it themselves?
Ken Russell: The ability to save data is an innovation of Java SE 6 Update 10. Applets launched with JNLP support in the plugin can access PersistenceService like any Java Web Start application. I do not know what policies are there for this data - Java Web Start developers will be able to give an answer - but I think that if you clear the cache on the Java Control Panel, then this data should be deleted.
I: Well, but will the integration of this cleaning mechanism into the browser cleaning mechanism?
Ken Russell: there are no plans for this. The Java cache is specially separated from the browser cache in order to avoid dependence on the browser implementation of the caching mechanism.
Me: I mean, as in Flash, you can specify the size of the available storage directly on the Web page, or prohibit saving altogether.
Ken Russell: I know a little bit about Flash mechanisms. As far as I understand, Flash can save something around 100KB of data for each video, and if you need more, then you can ask Flash to show the user a request for allocating a larger amount. JNLP PersistenceService has a similar limitation, and if you want more, you can sign your applet to have direct access to the file system (provided that the user accepts your certificate).
Me: the plugin allows you to create new windows marked with an asterisk, considering that the plugin has been out for some time, what kind of feedback do you get, does it really warn the average user that this window is created by an applet and not by the browser? And yet: now it is possible to take out an applet from the browser, when this happens, the applet gets access to the local file system. Have you seen any malicious applets that asked to pull them out emulating windows usually displayed by the browser, or is it possible to create a window that will block the screen area in which the browser pop-up appears - a security warning?
Ken Russell: A new security alert developed in the Abstract Window Toolkit (AWT), not in the Java Plug-In. I didn’t closely follow its development, but the feedback from users is generally positive.
Ken Russell: The statement that the applet being removed from the browser accesses the file system is incorrect. Such an applet will continue to be executed inside the safe sandbox, unless of course it has a signature. We have not yet seen the malicious applets being pulled out. It makes no sense to block the browser security warning, because the user will have to confirm it all the time, and this cannot be done using java.awt.Robot or other means.
Me: Kokov Java's main priority at the moment: to be the most secure platform for the user or the most powerful development platform for developers? or both? If the goal is only one, why was it chosen?
Ken Russell: Both. With the new plugin, we have made applets in the browser as powerful as normal applications, we still save the java sandbox and security model. The purpose of rewriting the plug-in was to remove the artificial limitations of the “power” of applets executed in the browser, and to take advantage of the java platform for developing and deploying browser applets and out-of-browser applications almost identical. And I think we succeeded.
Me: Java applets came out 10 years ago, last year Microsoft presented Silverligth, Adobe updated the Flash plugin. Is it possible to consider the new plug-in Sun'ovskim answer to them, and that now Sun will go on the attack on Flash? Do you confirm such a statement, or how do you see this situation, what was the motivation to completely rewrite the plugin?
Ken Russell: The new plugin is just one element in Sun’s overall strategy for refreshing Java on client platforms. The motivation for correspondence plug-in for the most part comes from my own efforts in the project JOGL to be able to create applets using OpenGL. It has long been possible to create powerful 3D applications and games written in Java as ordinary applications or applications for Java Web Start, and we wanted the same features and reliability for deploying 3D content in a browser. The new plug-in uses the best architectural elements from Java Web Start and the old plug-in to ensure compatibility with old applets and at the same time deploy new features for new applets.
Ken Russell: As soon as you have a reliable container for applets, the following question arises: what to put in this container. JavaFX is the next big step towards easy development of richer applications and applets. Look at the release of JavaFX 1.0 in a few days and many examples of amazing applications that can be created on the Java platform.
A small interview with the man who made a great contribution to the development of a new plug-in from Sun
The fruits of this person’s work are used by every developer who writes on the Java platform, and his name is Ken Russell (http://research.sun.com/minds/2008-0811/)
Please note that the interview was conducted in early December, so some events may be said in the future, although they have already come.
Me: For developers the opportunity to specify additional parameters in the command line for the VM. Of course, this is a great functionality that was not enough, but if there are security measures controlling the developer’s actions? For example, is it worth it for me to worry about going to some site, will it hang my PC because it has 5 applets that allocate 512MB RAM each?
Ken Russell: We thought about creating additional constraints in the specification of command arguments, for example: the limit of the maximum memory size that all applets can request is the maximum amount of available virtual memory in the system. However, in the first release of the Java Plug-In, we decided not to impose artificial restrictions in order to avoid the restriction of developers in unexpected situations. I note that the Java Plug-In will try to group applets within the same JVM even if they request additional memory and use the "separate_jvm" parameter to isolate the applet inside its own JVM, then this JVM will be stopped when switching from the page. In general, if the applet does not complete "cleanly", then the plugin will "hard" stop the JVM in which it was executed. This means that if you hit a page that behaves abnormally (which can be completely independent of Java), you can simply close it and the Java Plugin and the system will be restored.
I: when is this restriction planned to be introduced? and how will it look? For example, can I, as a user, tell a plugin that I trust this applet and if he wants to allocate 2GB RAM then let him allocate, but if I just went to some page then the applets on it should not get more than N MB of RAM?
Ken Russell: At the moment we have not planned a date for the development of this restriction. At the moment we are focusing our efforts on other areas. If the data received from our customers indicate the need for this functionality, we will put a priority on it.
')
Me: Then the following: applets have the ability to save a small amount of data on the client PC, I have not found any integration into the browser caching mechanism, how can I delete this data? Will it be possible to clear this data when clearing the browser cache? Or should users know how to clean it themselves?
Ken Russell: The ability to save data is an innovation of Java SE 6 Update 10. Applets launched with JNLP support in the plugin can access PersistenceService like any Java Web Start application. I do not know what policies are there for this data - Java Web Start developers will be able to give an answer - but I think that if you clear the cache on the Java Control Panel, then this data should be deleted.
I: Well, but will the integration of this cleaning mechanism into the browser cleaning mechanism?
Ken Russell: there are no plans for this. The Java cache is specially separated from the browser cache in order to avoid dependence on the browser implementation of the caching mechanism.
Me: I mean, as in Flash, you can specify the size of the available storage directly on the Web page, or prohibit saving altogether.
Ken Russell: I know a little bit about Flash mechanisms. As far as I understand, Flash can save something around 100KB of data for each video, and if you need more, then you can ask Flash to show the user a request for allocating a larger amount. JNLP PersistenceService has a similar limitation, and if you want more, you can sign your applet to have direct access to the file system (provided that the user accepts your certificate).
Me: the plugin allows you to create new windows marked with an asterisk, considering that the plugin has been out for some time, what kind of feedback do you get, does it really warn the average user that this window is created by an applet and not by the browser? And yet: now it is possible to take out an applet from the browser, when this happens, the applet gets access to the local file system. Have you seen any malicious applets that asked to pull them out emulating windows usually displayed by the browser, or is it possible to create a window that will block the screen area in which the browser pop-up appears - a security warning?
Ken Russell: A new security alert developed in the Abstract Window Toolkit (AWT), not in the Java Plug-In. I didn’t closely follow its development, but the feedback from users is generally positive.
Ken Russell: The statement that the applet being removed from the browser accesses the file system is incorrect. Such an applet will continue to be executed inside the safe sandbox, unless of course it has a signature. We have not yet seen the malicious applets being pulled out. It makes no sense to block the browser security warning, because the user will have to confirm it all the time, and this cannot be done using java.awt.Robot or other means.
Me: Kokov Java's main priority at the moment: to be the most secure platform for the user or the most powerful development platform for developers? or both? If the goal is only one, why was it chosen?
Ken Russell: Both. With the new plugin, we have made applets in the browser as powerful as normal applications, we still save the java sandbox and security model. The purpose of rewriting the plug-in was to remove the artificial limitations of the “power” of applets executed in the browser, and to take advantage of the java platform for developing and deploying browser applets and out-of-browser applications almost identical. And I think we succeeded.
Me: Java applets came out 10 years ago, last year Microsoft presented Silverligth, Adobe updated the Flash plugin. Is it possible to consider the new plug-in Sun'ovskim answer to them, and that now Sun will go on the attack on Flash? Do you confirm such a statement, or how do you see this situation, what was the motivation to completely rewrite the plugin?
Ken Russell: The new plugin is just one element in Sun’s overall strategy for refreshing Java on client platforms. The motivation for correspondence plug-in for the most part comes from my own efforts in the project JOGL to be able to create applets using OpenGL. It has long been possible to create powerful 3D applications and games written in Java as ordinary applications or applications for Java Web Start, and we wanted the same features and reliability for deploying 3D content in a browser. The new plug-in uses the best architectural elements from Java Web Start and the old plug-in to ensure compatibility with old applets and at the same time deploy new features for new applets.
Ken Russell: As soon as you have a reliable container for applets, the following question arises: what to put in this container. JavaFX is the next big step towards easy development of richer applications and applets. Look at the release of JavaFX 1.0 in a few days and many examples of amazing applications that can be created on the Java platform.
Source: https://habr.com/ru/post/51151/
All Articles