Sunday, April 20, 2014

Why not a Java sandbox?

One of the things I've finally admitted to myself is some frustration with how Java is being handled, especially with regard to the negative news on security. And I'm going to go out of my area with a suggestion about a sandbox, but it lets me discuss some issues related to my own open source project, Class Viewer, so I'll go for it.

Security is of course a big deal and I think finding ways to make it easy for developers is a great approach, where I don't think it's easy right now with Java and mostly I ignore the issue.

So my Class Viewer can't be run as an applet now because I haven't bothered with security certificates, and I've been paranoid that eventually they might block it from calling applications, where now it calls the browser and can call a text editor, as well as open files where it looks for its own XML configuration file and Java files.

There is no interest from the app in calling anything else, so I'm like, why can't there be a sandbox where applications like mine can operate without security being an issue because they're isolated from anything dangerous on the device?

And a Java sandbox could have things like pictures, music and video, where access is open, but an app can't go wandering off into other things like system files.

As vague as that may sound it might be as simple as having an application tell the JVM that it is in a sandbox so that it has clearance, and then only being allowed access to files in certain folders, with system file folders always excluded.

Or I guess, like I said, it's not really in my area. But it seems to me that in a security-conscious world, Java should make it easy for any developer to handle security.
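As an added illustration (not code from Class Viewer or from the JVM), here is a minimal sketch of the "only certain folders" rule enforced inside the application itself. The class name `FolderSandbox` and the folder names are assumptions made for the example, and the sample directory tree is constructed in a temp folder.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper: a folder allowlist checked by the app, not by the JVM.
public final class FolderSandbox {
    private final List<Path> roots = new ArrayList<>();

    public FolderSandbox(Path... allowed) throws IOException {
        for (Path p : allowed) {
            roots.add(p.toRealPath()); // canonical form, symlinks resolved
        }
    }

    // Returns the canonical path if it lies under an allowed folder,
    // otherwise throws SecurityException.
    public Path check(Path requested) throws IOException {
        Path abs = requested.toAbsolutePath().normalize(); // collapses ".."
        // Find the deepest ancestor that exists and resolve symlinks on it, so a
        // link placed inside an allowed folder cannot lead to a system directory.
        Path existing = abs;
        while (existing != null && !Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        if (existing == null) throw new SecurityException("denied: " + requested);
        Path real = existing.toRealPath().resolve(existing.relativize(abs));
        for (Path root : roots) {
            if (real.startsWith(root)) return real; // compares whole path components
        }
        throw new SecurityException("denied: " + requested);
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("sandbox-demo"); // constructed sample tree
        Path pictures = Files.createDirectory(base.resolve("Pictures"));
        Path system = Files.createDirectory(base.resolve("system"));
        Files.createFile(pictures.resolve("cat.png"));
        FolderSandbox sb = new FolderSandbox(pictures);
        System.out.println("allowed: " + sb.check(pictures.resolve("cat.png")));
        for (Path p : new Path[] { pictures.resolve("../system/passwd"), system }) {
            try { sb.check(p); System.out.println("BUG: allowed " + p); }
            catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

A check like this only constrains code that calls it, and the answer can go stale if the file system changes between the check and the file open; isolation that holds against the application's own code has to be enforced from outside it.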

Currently I've not done a lot with much of the structure in Java for meta-information around the build either, so my app doesn't tell you things like build information in the meta. I'm debating adding that info but it seems like useless work for the developer that the compiler could do, like with: javac -build

Then the compiler could add the next build number and make that entire freaking set of info that doesn't interest me most of the time. Oh yeah, and if I DO decide to do more with security, how do I get a certificate for Class Viewer anyway?

And should I think better about a certain company I will not name with the hard task of managing Java?

I really want success with one of the most valuable intellectual items out there as the Java language just keeps amazing me for what it can do. But I now cringe every time I read someone knocking it, where lately it's been about security.

I want that opening for haters against the language closed. And I don't see myself thinking better about a certain company until that's done.

James Harris