BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Oracle will remove its browser plug-in from future Java releases, which is in keeping with an industry-wide trend toward eliminating plug-in support from most major browsers. Ongoing security concerns and advances in web technologies have led vendors and developers, including Oracle, to look for alternatives to traditional plug-ins.
Several major vendors have either removed or announced their intentions to remove plug-in support from their desktop browsers. This development started with mobile device browsers, which lacked plug-in support from day one, but Microsoft led the way with plug-in-free desktop browsers. Its new Edge browser in Windows 10 came without plug-in support. Internet Explorer still supports plug-ins, but by all accounts, IE is on its way out the door.
In fall 2015, Google removed plug-in support from its latest release of Chrome, and Mozilla is planning to eliminate plug-ins from its Firefox browser by the end of 2016. A few hold-outs remain, such as Safari and Opera.
Browsers that don't support plug-ins cannot run embedded technologies such as Flash, Silverlight or Java, so it's no surprise that Oracle would give up on its own plug-in. To run a Java applet from within a browser, the browser must permit the Java plug-in to be installed. As browser makers turn away from these types of installations, it becomes more difficult to find an environment to run Java applets, which makes the Java plug-in irrelevant.
Oracle plans to deprecate the Java Applet API in the next release of the Java Development Kit (JDK), which is slated for general availability some time in 2017. Oracle will completely remove the Applet API from the JDK and Java Runtime Environment at some point in the future.
The wonderful world of plug-ins
The plug-in came into being in the early days of the web, when browser capabilities were more limited than they are today. Plug-ins offered a way to bring advanced capabilities to the browser environment without forcing users to install applications locally.
At the heart of the plug-in movement was the Netscape Plugin API (NPAPI), which provided a standard that all browsers could use. This made cross-browser, cross-platform capabilities a reality. Technologies such as Flash, Silverlight and Java could take advantage of the NPAPI standard to deliver desktop-like features to web-based applications. This transformed the web into a platform for advanced consumer and business applications.
But NPAPI nirvana soon gave way to the realities of what it meant to run code through a plug-in that had the full permissions from the user without being isolated from the rest of the cyber world. Suddenly browser and plug-in vendors were faced with gapping security holes, and they had to contend with an unending string of attacks that could lead to infected systems, compromised information and downed data centers.
The security toll from plug-in technology has been enormous. Java and Flash have taken turns as cybercriminals' number one target. In addition, plug-ins have also caused an assortment of other problems, such as hung, crashed or unrecoverable systems.
What's a developer to do?
Developers can still employ Java's Applet API -- it's only being deprecated, not removed -- but there will be limited support. In addition, developers will also run into Java deprecation errors when compiling the code. And if the Java compiler is configured to treat warnings as errors, the build will fail.
The challenge for large organizations is that they might have numerous distributed applications, and they may not be sure where the Applet API has been implemented. Fortunately, development teams can use the Java Advanced Management Console to track Java usage and determine where the API is in use.
When it comes time to repurpose the code to eliminate the Applet API, developers can turn to HTML5 or other advanced web technologies, or go with one of Oracle's options. For example, Oracle suggests that developers can replace the Applet API with Java Web Start, a framework that lets users launch Java applications from the internet without the need for plug-ins. But some are worried that hackers can use Web Start to exploit Java vulnerabilities just like they could through the browser plug-in.
Even so, development teams must still look for options that don't involve plug-ins. The Java plug-in is heading toward its inevitable conclusion, as are Flash and Silverlight. Even the Edge browser doesn't support Silverlight, Microsoft's own technology. Applications that rely on plug-in technologies should be rewritten, and new applications should avoid these technologies altogether.
Reduce security threats from plug-ins
How Java plug-in's death will affect businesses
Defend browser security against Silverlight threats