Oracle kills webstart

https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free

Well, years ago it worked fine for me to deploy and distribute my games with Java Web Start… but browsers are changing everything. What do you think about it?

Oracle kills applets and suggests developers switch over to Web Start :point:

Webstart’s been shit for years, too.

Cas :slight_smile:

They could have deprecated/removed both deployment methods two versions of Java ago and the world would not have been worse off… Even better yet, I think Java as a language would be more popular if they had, with Java browser plugins giving Java security such a bad name.

I don’t understand how this is “Oracle kills webstart” at all. From the “article”:

[quote]With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology.
[/quote]
It sounds like Oracle is simply saying that people should migrate from Applets to Web Start, which isn’t news to anybody. The news is that applets will be deprecated in Java 9.

Am I missing something?

Yes, the reply by your overlord.

Haha fair enough.

I just wanted to make sure, because killing applets isn’t really a big deal, since existing applications can pretty easily just move to Web Start. If Web Start is being killed, that’s a whole different story.

Just wanted to know how much of a panic I should incite at my day job on Monday morning…

Even if the client has a pre-installed JVM and the browser allows the download of the webstart jnlp file, webstart won’t launch your game unless you’ve purchased a certificate and signed your game files with it which is prohibitive for most of us hobbyist developers.

Both have been effectively dead for a long time. Come on now.

Applets yes, Java Web Start no. In corporate environments it's still used a lot because it's an easy way to control updating applications.

To get around the self-signing issues present since Java 7 you can use deployment rule sets.

https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

Corporations will use this as a way of allowing only what they want run.

As a local developer there are a few ways to get around this

  • Buy a certificate yourself (not practical)
  • Ask your end user to add an exception for your site
  • If you initially deploy via a custom JVM then you can custom add a deployment rule set. You can use this JVM to launch Web Start directly

None are that great to be honest. I would have to add though I haven’t seen many games / apps being deployed this way (and the couple of times I have seen it it didn’t work anyway).

I suspect not many people on this forum would be crying if it actually did go in the future, but it does have its uses, just elsewhere.
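An added illustration of the deployment rule sets mentioned in the post above (not part of the original thread, and not Oracle's sample): a minimal `ruleset.xml` that allowlists one site, leaves a second on the normal security prompts, and blocks everything else. The host names are placeholders; per Oracle's documentation the file is packaged into a signed `DeploymentRuleSet.jar` and installed in the system-wide Java deployment directory, which requires administrator rights.

```xml
<!-- ruleset.xml: rules are evaluated top to bottom, the first match wins. -->
<ruleset version="1.0+">

  <!-- Placeholder host: applications served from here run without
       the usual security prompts. -->
  <rule>
    <id location="https://games.example.com" />
    <action permission="run" />
  </rule>

  <!-- Placeholder host: fall back to the standard Java security checks
       and prompts, as if no rule set were installed. -->
  <rule>
    <id location="https://*.partner.example.org" />
    <action permission="default" />
  </rule>

  <!-- An empty id matches everything not matched above: block it and
       show the user a message explaining why. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by the local deployment rule set.</message>
    </action>
  </rule>

</ruleset>
```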

Hi

I stopped using applets in 2006 and I dropped Java Webstart one or two years ago mainly because of the obligation of using “trusted” certificates even though there are some ways to work around this limitation as ziozio suggested. It’s possible to obtain some free of charge “trusted” certificates but you have to renew them often and/or you have to provide something in return (sometimes filling some surveys).

Some Java developers use the free of charge and easy to renew “trusted” certificates provided by Let’s Encrypt with Jetty. It seems to be possible to use them with Java Webstart too; this is the least annoying solution that I have to suggest if you really want to go on using Java Webstart. Otherwise, consider IzPack, PackR, JarMatey, OneJAR, GetDown, JNDT (my own tool), …

P.S.: Java Deployment Toolkit is blocked in Mozilla Firefox; it helps to get the right version of Java for a user’s system. The current situation makes Java Webstart less usable, as if you use it without JDT, it won’t work if the right version of Java isn’t already installed, which often happens, especially since Oracle installs a toolbar (from Ask.com, Yahoo and now Amazon) by default.

To be honest, I think any Java application that can be run from a browser is just too insecure to ever be a success. Either you get stringent security which is too much bother for many users, or any malware creator gets a free pass to basically do anything whenever someone visits a website. Java is not sandboxed enough for that (like many other languages). Now if you were to use Google Web Toolkit or something like it, you could compile your Java code to Javascript, which runs in a more secure sandbox. Like LibGDX supports when deploying to web. If you want to deploy on the web you’d better look into that route, I think.

The hidden flaw is this: Sandboxed applets were theoretically safe, but sometimes compromised by bugs.
Web start applications, or any other means to download and run a program is guaranteed to be unsafe.

So by training users to switch from mostly safe to a guaranteed unsafe software, you are making them less secure, not more.

IMO the ongoing deprecation of applets is more about Oracle washing their hands of the problem than about real security.