Oracle To Deprecate the Java Plug-in in Java 9

News that Oracle Corp. plans to deprecate the Java browser plug-in in JDK 9 prompted a rousing chorus of "Ding Dong the Witch is Dead" from the Internet last week. But the news came as no surprise. A growing number of browser vendors have either stopped supporting the plug-in or announced plans to do so. (Flash and Silverlight, too.)

Dalibor Topic, a member of Oracle's Java Strategy Team, posted the news on the Java Platform Group blog. "With modern browser vendors working to restrict and reduce plug-in support in their products," he wrote, "developers of applications that rely on the Java browser plug-in need to consider alternative options such as migrating from Java Applets (which rely on a browser plug-in) to the plug-in-free Java Web Start technology."

Java Web Start is a framework designed to allow users to download and run Java apps from the Web. It has been included in the Java Runtime Environment (JRE) since the Java 5.0 release.

The vulnerability of Java in the browser, which was largely the result of the way Oracle bundled the extension with the JRE, has been a thorn in Oracle's side for a while now. Back in 2013, when the plug-in was the target of some high-profile breaches, Oracle's senior product security manager, Milton Smith, told Java User Group (JUG) leaders during a conference call that the company's chief security concern was Java plug-ins running applets on the browser. "A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser," he said. "It's the biggest target now."

"Browsers are powerful gateways, and when they're used as platforms for extensions from other vendors (for example, Java from Oracle or Flash from Adobe) the picture of management and accountability for security becomes complicated," Smith added. "This is why the industry is shifting to HTML5 for browser applications, so that the browser vendors own the security of the platform end-to-end."

IDC analyst Al Hilwa agrees. "The browser plug-in has been problematic," he said in an e-mail, "but more importantly, in the face of trends in client-side software development, it makes great sense to clean things up now. The world is shifting to HTML5, and while there are legacy apps that use Java and Flash, they are likely slotted to be rewritten to operate without a plug-in. For Java this is a positive step to reduce its complexity and surface area, and focus it on staying current."

Martijn Verburg, CEO of jClarity, a start-up focused on automating optimization for Java and JVM-related technologies, and co-leader of the London Java Users Group, said that deprecating the plug-in has been on Oracle's to-do list for a long time.

"This has been a long-term strategy of Oracle for a very long time," he said via e-mail. "I suspect they just needed to get enough of their customers comfortable with it before they could officially decide on a time frame. It's a good thing for the world, although this decision won't have any practical impact for a number of years yet. Some businesses/organizations will complain, but this is a reality of doing business in the modern information age. IT infrastructure is a core part of any business, and companies/organizations that ignore this fact will continue to get caught out. It's another wake-up call for senior management who still have outdated thinking on this."

Oracle plans to make JDK 9 generally available in early 2017. Early access releases are available now for download and testing. It's safe to say few will complain about the absence of the plug-in.

Posted by John K. Waters on February 1, 2016