
Update and FAQ on the Java SE Release Cadence

As work on Java SE 9 was winding down in early 2017, some contributors in the OpenJDK Community started wondering if there was a way to evolve the Java SE Platform and the JDK at a more rapid pace, so that new features could be delivered in a timelier manner.  A JCP working group was established to consider how the Java Community Process could accommodate such a change. After further discussion amongst key contributors a plan was proposed and, in parallel, Oracle announced plans...

Thursday, May 3, 2018 | Read More

Introducing Java SE 10

Over the past 22 years, Java has grown into a vibrant community that has reached a scale without equal.  Java continues to bring value to developers and to enterprises worldwide.  Thoughtful planning and ecosystem involvement have helped grow Java into one of the most used programming languages on the planet. With more than 12 million developers worldwide running Java, Java continues to be the #1 programming language of choice by software programmers.  Moving...

Tuesday, March 20, 2018 | Read More

The Future of JavaFX and Other Java Client Roadmap Updates

Starting with JDK 11, Oracle is making JavaFX easier to adopt by making the technology available as a separate download, decoupled from the JDK. These changes clear the way for new contributors to engage in the open source OpenJFX community. Meanwhile, Oracle customers can benefit from continued commercial support for JavaFX in the Oracle JDK 8 through at least 2022. JavaFX was publicly unveiled at JavaOne 2007. It was immediately compared with Adobe Flex and Microsoft...

Wednesday, March 7, 2018 | Read More

Understanding why Java signed code needs to be re-signed periodically (even if time-stamped)

Oracle's Java runtime contains mechanisms and tools to help verify application code that may have been delivered over the internet. Developers and administrators need to understand the mechanics of code signing. This includes not only the signing of the code itself, but how the signatures are verified and managed over time.

Wednesday, January 31, 2018 | Read More

Extension of Oracle Java SE 8 Public Updates and Java Web Start support

Oracle has updated the Java SE Support Roadmap.  A more detailed white paper will follow shortly, but here are the key changes made: The public availability of Java SE 8 updates from Oracle has been extended to at least January 2019.  Moreover, Oracle will continue to provide consumers with updates for personal (non-corporate) use of Java SE 8 through at least the end of 2020. Oracle will continue to support Java SE 8 Web Start applications for public and personal...

Tuesday, January 30, 2018 | Read More

Convergence Of Oracle Java SE Embedded With Oracle JDK

Over the past years, Oracle has been working in the OpenJDK Community and the JCP to enable Java SE in general, and Oracle JDK in particular, to scale down to smaller devices. A first step was to introduce Compact Profiles to Java SE 8. This feature is available in Oracle Java SE 8 Embedded.  The next step was to introduce a module system to Java SE 9 through project Jigsaw.  Using the new jlink tool, a set of user-supplied modules and their runtime dependencies can...

Wednesday, September 20, 2017 | Read More

Free Java Virtual Machine Troubleshooting MOOC starts September 20th

Poonam Parhar, a JVM Sustaining Engineer at Oracle, author of the Java Performance Companion and a JavaOne Rock Star, is offering a free Oracle MOOC on the subject of JVM Troubleshooting. The course begins on Wednesday, September 20th. Enroll today, and learn how to: Understand Memory Management and Garbage Collection; Recognize the Symptoms of Memory Problems; Utilize Diagnostic Data Collection and Analysis tools. Poonam’s blog also provides a great source of advice on JVM...

Monday, September 18, 2017 | Read More

Faster and Easier Use and Redistribution of Java SE

Exec Summary: Oracle is proposing to increase the release cadence of Java SE to every six months. Oracle will simplify how developers, customers, and consumers use Java SE. Starting with JDK 9 GA, Oracle plans to ship OpenJDK builds under the GPL. Oracle has proposed a time-driven release model for Java SE instead of the historical feature-driven model. Oracle JDK will contribute previously commercial features such as Java Flight Recorder to OpenJDK. Oracle will work with other OpenJDK...

Wednesday, September 6, 2017 | Read More

Understanding the Server JRE

The Java SE download Page offers downloads of the Java Runtime Environment (JRE), the Server JRE, and the Java Development Kit (JDK). The JRE is used to run a broad variety of Java programs including Java applications on desktops.  The JDK is for Java developers. It contains a complete JRE as described above and tools required to create Java programs, sign code, generate documentation, etc. The JDK also ships several tools meant to monitor and debug programs. So where does the...

Thursday, July 27, 2017 | Read More

Java Advanced Management Console 2.7

Java Platform Group is pleased to announce the release of Java Advanced Management Console 2.7 (AMC) on 18th July 2017. AMC, part of Oracle Java SE Advanced product offering, offers system administrators greater and easier control in managing Java installations across enterprises. Some of the most important features of AMC are: Java Usage Tracking: AMC leverages Java’s usage tracking feature to get complete insight into the use of Java applications in an enterprise and the...

Friday, July 21, 2017 | Java Platform Group, Product Management | Read More

Java SE support for Docker CPU and memory limits

Special thanks to Charlie Hunt, contributor to multiple OpenJDK projects, for providing much of the content of this blog. As a follow-up to our blog announcing OpenJDK Project Portola, a project to provide a port of the JDK to Alpine Linux, there are several enhancements coming to Java SE that also fit with Docker and Alpine Linux’s slogan, "Small. Simple. Secure." Two worth mentioning are: Support of Docker CPU and memory limits. Project Jigsaw’s jlink, which offers the ability...

Tuesday, May 16, 2017 | Read More

Even Further Updates to 'Moving to a Plugin Free Web'

Several months ago we published Further Updates to Moving to a Plugin Free Web.  Since then, Firefox 52 was released (in March 2017), dropping support for NPAPI, impacting plugins for Java, Silverlight, and other similar NPAPI based plugins. If you have problems accessing Java applications using Firefox, Oracle recommends using Internet Explorer (Windows) or Safari (Mac OS X) instead. But even then, developers and system administrators should be quickly migrating away from...

Tuesday, May 16, 2017 | Read More

Filter Incoming Serialization Data - a little of JDK 9 goodness available now in current release families

One of the new features developed for JDK 9, JEP 290: Filter Incoming Serialization Data, has been back-ported to JDK 8, 7, and 6. The option of filtering incoming serialization data adds one more layer of protection and robustness to object serialization.  By using the filtering mechanism, developers can constrain the classes that can be deserialized by an application.   Like most security features this new feature is not meant to replace current secure coding practices but...

Tuesday, February 14, 2017 | Read More

Further Updates to 'Moving to a Plugin-Free Web'

About a year ago we wrote a post announcing plans to deprecate the Java browser plugin in JDK 9 due to browser vendors moving away from the standards-based NPAPI plugin support technology required to launch Java Applets. Since then, the Oracle development team has published a JDK Enhancement Proposal (JEP 289: Deprecate the Applet API) with technical details about the planned deprecation step in JDK 9. In addition, updated timelines for removal of standards-based plugin support...

Thursday, February 2, 2017 | Read More

Java SE Offerings

The Java ecosystem is incredibly diverse.  It powers billions of devices and servers. It is key to cloud infrastructure worldwide. Even just the Java Platform, Standard Edition, “Java SE”, which is the core Java platform for general computing, is itself diverse. We on the Java Platform Group at Oracle think of our work on “Java SE” in four main areas, described below. 1) OpenJDK. OpenJDK is the place we collaborate on an open-source implementation of the Java Platform, Standard...

Wednesday, December 21, 2016 | Read More

Visual VM in JDK 9 and Beyond

Visual VM is a tool that provides information about code running on a Java Virtual Machine.  It was provided with Oracle JDK 6, Oracle JDK 7, and Oracle JDK 8. More information about Visual VM can be found on the NetBeans Profiler and Visual VM blog: https://blogs.oracle.com/nbprofiler/ Starting with JDK 9, Visual VM will not be included with Oracle JDK. Developers who would like to use Visual VM with Oracle JDK 9 or later can get it from the Visual VM open source project...

Thursday, November 10, 2016 | Read More

Oracle JRE will no longer trust MD5-signed code by default

Update notice: When this blog post was originally posted the change was scheduled to occur with the January 2017 Critical Patch Update. In response to requests for additional time to prepare for this change Oracle now plans to deliver this change with the April 2017 Critical Patch Update. The post has been updated accordingly.   Beginning with the April 2017 Critical Patch Update, JAR files signed using MD5 will no longer be considered as signed by the Oracle JRE. Affected...

Tuesday, October 18, 2016 | Read More

Updates to “Moving to a Plugin-Free Web”

One of the most recently popular posts on the Java Platform Group Product Management blog has been “Moving to a Plugin-Free Web” from January 2016. In the interim, the Oracle development team has published a JDK Enhancement Proposal (JEP 289: Deprecate the Applet API) with technical details about the planned deprecation step in JDK 9. In short, JEP 289 proposes to add the @Deprecated annotation to classes in the Applet API, rather than removing them. The implementation of the...

Tuesday, August 23, 2016 | Read More

JavaOne 2016 Call for Proposals

JavaOne 2016 has opened its Call for Proposals to speak at the conference. This year, security topics take place in the Core Java Platform track. Speaker Proposals must be submitted by May 9th. The conference itself takes place from September 18-22 in San Francisco. Accepted speakers will receive a gratis pass to attend. Before each JavaOne conference, we receive a number of great submissions from Java community members around the globe, about different security topics. Our...

Wednesday, April 27, 2016 | Read More

G1: from garbage collector to waste management consultant

Java’s garbage collection capabilities make it easier for developers to write software and focus on the task at hand, without focusing on freeing up unused memory. In JDK 9, the G1 garbage collector will likely become the default collector and can do more than simply freeing memory. Instead of a simple garbage collector to free up memory, G1 takes the role of a waste management consultant: freeing unused memory and identifying ways to reduce the overall amount of garbage. Strin...

Thursday, March 24, 2016 | Read More

Java Advanced Management Console 2.2

Today, the Java Platform team is pleased to release Java Advanced Management Console version 2.2.  Available for production use with appropriately licensed Java SE Advanced products, the Advanced Management Console helps system administrators track and manage Java across their organization. Its usage tracking capabilities help system administrators create a Java application inventory to know which Java versions are used for which applications, and by whom. Administrators can...

Wednesday, January 27, 2016 | Read More

Moving to a Plugin-Free Web

By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies. With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser...

Wednesday, January 27, 2016 | Read More

Now Available: Migration Guide from Oracle JRockit JVM to HotSpot JVM

During the 2010 JavaOne conference Oracle announced that it would merge the Oracle JRockit JVM and HotSpot JVM by incorporating the features that were only available in JRockit into HotSpot. With JDK 7 Oracle started delivering on that vision. It completed the work with JDK 8. Customers using the Oracle JRockit JVM, in the meantime, have been receiving periodic security updates and bug fixes. CPU releases and bug fixes for Java SE 6 JRockit (R28 only) will continue to be...

Tuesday, January 19, 2016 | Read More

A New JDK 9 Version String Scheme

One of the smaller, but rather important planned changes for JDK 9 is an updated JDK version string scheme. It is described in detail in JEP 223. The new version string scheme makes it easier to distinguish major, minor and critical patch update (CPU) releases, by encoding each property into a separate numerical component as part of a JDK version string. Following the new MAJOR.MINOR.SECURITY convention, JDK 9 version strings would start with ‘9’ for the MAJOR release...

Sunday, December 6, 2015 | Read More

Strengthening Signatures part 2

The scheduled Critical Patch Update of Oracle Java SE on January 19 2016 is planned to disable X.509 certificates signed with MD5. Plans are also being developed to disable X.509 certificates signed with SHA-1 and further details will be announced in a future post. Specifically, this change will treat certificate chains containing a certificate with an MD5-based signature as invalid and block them by default. This affects Java clients and servers using TLS (via the JSSE API),...

Monday, November 16, 2015 | Read More

When is the next Java update?

"Java update available -- a new version of Java is ready to be installed..." This occurs four times a year: January, April, July, and October. Oracle Java SE is updated on the Oracle Critical Patch Update schedule. The date for these updates is published a year in advance. This schedule helps system administrators manage software across a fleet of systems. Combined with another feature, the security baseline, client systems can detect newer security updates and adjust...

Thursday, November 12, 2015 | Read More

NPAPI Plugin Perspectives and the Oracle JRE

Java’s rapid rise to fame 20 years ago began with a tumbling duke applet running in the HotJava browser. Applets allowed richer development functionality at a time when browser capabilities were very limited, and provided centralized distribution of applications without requiring users to install or update applications locally. HotJava’s support for applets was picked up by Netscape. In 1995 Netscape Navigator 2.0 and plugins became more popular to expand the kind of content...

Thursday, October 8, 2015 | Read More

Launching Web Start applications

Java applications can be distributed to clients through download capabilities like Applet and Web Start. These applications are delivered to users through web browsers, allowing for convenient access on client systems. Web Start applications can be launched from any web browser by opening the application’s JNLP file. Once opened, these applications no longer rely on browser plugins or integrations. Instructions for launching JNLP files can be located in "What is Java Web Start...

Monday, August 31, 2015 | Read More

Strengthening Signatures

Later this year, the Oracle JDK team plans to restrict the use of MD5 signatures within X.509 certificates used by SSL/TLS and code-signing. This will take place in the public versions of JDK 9 (early access) and JDK 8, as well as the commercially supported JDK 7. The IETF has recommended a move away from MD5 since 2011. Most Certificate Authorities followed this guidance by requiring stronger signatures (typically in the SHA family). Although the default JDK options...

Wednesday, August 5, 2015 | Read More

The 2015 Leap Second’s impact on the Oracle JDK

On June 30, the official Universal Coordinated Time will experience a leap second. Many technical news sites have written about this upcoming leap second’s impact on various technical systems. System Administrators concerned about leap seconds should focus on it as a standard maintenance problem of updating Java’s time zone information and using operating system time tools like NTP. Update Time Zone Information Time Zone updates were covered in a previous post, Understanding...

Wednesday, June 24, 2015 | Read More

Deferring to Derby in JDK 9

Java DB is simply a re-branded distribution of the Apache Derby open source database. It contains the same binaries as Apache Derby. As of JDK 9, it is no longer being planned to include it in the 'db' directory of Oracle JDK downloads. Developers looking ahead to JDK 9 should plan to get and bundle Apache Derby independently for the same purpose.  - Don 

Monday, June 15, 2015 | Read More

Understanding Time Zone Updater 2.0

Different places in the world are in different time zones so Java needs to keep track of time zone information. Such information gets complicated when one considers rules for Daylight Saving Time across regions.  There are some places where Daylight Saving Time changes occur multiple times per year. In Morocco, for example, changes occur in March, and October as well as around Ramadan.  The rules can vary from country to country and in some cases within a country.   These...

Tuesday, April 21, 2015 | Read More

JavaOne 2015 Call For Proposals Is Open

The call for proposals is now open for JavaOne 2015. If you are interested in speaking, please submit your abstract to the site. Key Information JavaOne 2015 will run from October 25th to the 29th in San Francisco. The call for proposals ends on April 29 at midnight PDT. Submit your talk by then. Accepted speakers receive complimentary passes to attend the conference. Choose the best track for your topic JavaOne features several different tracks based on different roles and...

Tuesday, March 31, 2015 | Read More

Future updates of Java 7 and Java 6

The upcoming release of Java 7 update 80 (April 2015) marks the last public release in Oracle’s JDK 7 family. Java users should upgrade to the publicly supported JDK 8 or obtain a commercial support contract of Java SE Advanced for continued updates of JDK 7 and JDK 6. Additional details can be found in the video, "Java SE 7 End of Public Updates" by Tomas Nilsson. Support dates for the publicly supported JDK versions are as follows: Oracle Java SE Public Updates (copied as of...

Thursday, March 26, 2015 | Read More

Planning safe removal of under-used “endorsed extension” directories

As the Java platform moves forward, we look for ways to reduce and eliminate technical debt. One example is the planned removal of deprecated Garbage Collection combinations, as outlined in JEP 214. As another example, in Java 8 update 40, as part of JEP 220, we will be deprecating two rarely-used extension capabilities, with the intent to remove them in JDK 9, providing suitable replacements as necessary. Most developers do not use these features, and system administrators...

Tuesday, February 17, 2015 | Read More

Java Web Start in or out of the browser

The Java Runtime Environment offers a number of ways to run applications. On client systems, one common method is Java Web Start. It allows applications to be launched through browsers or directly via the Java Network Launching Protocol (JNLP). This capability was introduced back in 2001 and has been used by many applications throughout the years. It is quite common in enterprises and certain countries. As browsers evolve, many users still need to continue to run these...

Monday, January 5, 2015 | Read More

Node.js and io.js on Java

The Nashorn JavaScript engine is one of many improvements in JDK 8. Nashorn (German for Rhino) is a faster replacement for the previous JavaScript engine known as Rhino. There is also another noteworthy feature: the ability to run many Node.js and io.js applications in the JVM. These applications can then call back and forth between optimized Java libraries and automatically receive monitoring capabilities through JMX. In the upcoming JDK 8 update 40, it is planned to...

Thursday, December 18, 2014 | Read More

Upgrading major Java versions - technical

Many users have already upgraded from Java 7 to Java 8, to benefit from improvements in speed, brevity of code, and lower memory usage. Other users have asked for more prescriptive guidance of the upgrade: when to make the change, what to expect, and how to do it in a controlled manner. Relation to a previous post A previous post, Upgrading Major Java Versions, provides details for certain stakeholders: support timelines, compatibility guides, lists of changes, and different...

Monday, December 15, 2014 | Read More

That's so SecureRandom

Random numbers are an important part of software systems, especially those that deal with security or encryption. The Java platform offers different types of randomness based on intent, and static typing can further guide that choice for library developers. This post is intended to explain how the Oracle JDK provides random numbers, to guide their usage: Developers building Java software, to use the right randomness in the right place. Companies buying or running Java software...

Thursday, December 11, 2014 | Read More

Upcoming Oracle Java SE 7u72 PSU

On October 14th, Oracle plans to release the regularly scheduled Critical Patch Update (CPU) release for Oracle Java SE.   For Oracle Java SE 8, that is version 8u25.  We now encourage all Java users to download and use the latest Java SE 8 update release.  With this release, Java SE 8 is ready to debut as the default on Java.com, and as we've previously noted we will begin auto updating users to Java SE 8 in early 2015.  For Oracle Java SE 7, there will be two releases...

Monday, October 13, 2014 | Read More

Upgrading major Java versions

With the release of Java 8 back in March 2014, many users have already upgraded. They can take advantage of new features such as: Significant and noteworthy speed improvements (Fork/Join and Lambda). Shorter code that is easier to read and write (Lambda and the Streams API). Language support to prevent bugs, especially when different teams write different parts (Type Annotations like the Checker-Framework). Lower memory usage (String deduplication). There are many write-ups and...

Monday, October 6, 2014 | Read More

Choosing 64 and/or 32 bit Java

The Java Platform was designed to allow applications to run on different hardware stacks and operating systems without changes. Java is available on Microsoft Windows in 64 and 32 bit versions, allowing users to get the appropriate version for their system. Users can even run both side-by-side for 64 bit operating systems. Getting the right version End-users should visit Java.com and click the Free Java Download link. The site will auto-detect the web browser and serve the...

Friday, September 19, 2014 | Read More

New Management Console in Java SE Advanced 8u20

Java SE 8 update 20 is a new feature release designed to provide desktop administrators with better control of their managed systems. The release notes for 8u20 are available from the public JDK release notes page. This release is not a Critical Patch Update (CPU). I would like to call attention to two noteworthy features of Oracle Java SE Advanced, the commercially supported version of Java SE for enterprises that require both support and specialized tools. The new Advanced...

Tuesday, August 19, 2014 | Read More

Keeping users on Internet Explorer up-to-date and secure

Oracle actively works with many vendors on Java security and an important goal is finding ways to remove old and unsecure Java versions from circulation.   Oracle recommends that Java users keep their JRE installations up to date with the latest security baseline through the Java Auto Update feature. Microsoft Windows users have long been able to improve the security of their computer by checking for old versions of Java and removing them using the Java Uninstall Tool. On...

Monday, August 11, 2014 | Read More

Java 7 update 67 patch release

The recent Java 7 update 65 contained an issue that prevents some Applet and Web Start applications from launching. As a result, we have released Java 7 update 67 to restore the functionality for affected users. This issue only affects some Rich Internet Applications and does not impact client or server-side applications. Java 7 update 67 is a functionality release: it is not a security fix or Critical Patch. End Users  Download the latest release from java.com. The functionality...

Monday, August 4, 2014 | Read More

Deep monitoring with JMX

The Java Platform is designed as a modular system, where each item in the conceptual diagram provides specific functionality. One commonly requested feature of software platforms is the ability to monitor an application for CPU, memory and resource usage, and other statistics. The Java Platform Standard Edition (Java SE) has provided the Java Management eXtension (JMX) since Java SE 5.0 (2004). There are several benefits to having this type of monitoring as part of the...

Wednesday, July 30, 2014 | Read More

Diagnosing TLS, SSL, and HTTPS

When building inter-connected applications, developers frequently interact with TLS-enabled protocols like HTTPS. With recent emphasis on encrypted communications, I will cover the way in which the JDK evolves regarding protocols, algorithms, and changes, as well as some advanced diagnostics to better understand TLS connections like HTTPS. Most developers will not have to do this level of diagnosis in the process of writing or running applications. In the event that you do,...

Wednesday, July 2, 2014 | Read More

Nashorn, the rhino in the room

Nashorn is a new runtime within JDK 8 that allows developers to run code written in JavaScript and call back and forth with Java. One advantage to the Nashorn scripting engine is that it allows for quick prototyping of functionality or basic shell scripts that use Java libraries. The previous JavaScript runtime, named Rhino, was introduced in JDK 6 (released 2006, end of public updates Feb 2013). Keeping tradition amongst the global developer community, "Nashorn" is the...

Wednesday, June 11, 2014 | Read More

Compact Profiles: Space and Security

Compact Profiles provide a way for developers and device manufacturers to package and update Java SE on space-constrained devices. Teams building software for those devices can trim the size of the embedded JRE by choosing a Compact Profile without items that are not used by their application. Additional details are present in Java Magazine’s March Issue, as well as the Java SE 8 launch videos “Developing Embedded Applications with Java SE 8 Compact Profiles.” By shrinking...

Tuesday, May 20, 2014 | Read More

Deployment Rule Set by Example

Recently I encountered a situation whereby a System Administrator needed to adjust their systems to run a specific RIA on an older version of Java. By using Deployment Rule Sets, we were able to achieve the desired outcome. The specific RIA ran using the older version of Java with no prompts to the end users, while all other RIA applications used the latest, most secure version of Java. This post is intended for System Administrators managing a white list within an...

Thursday, May 1, 2014 | Read More

Secure Coding Guidelines for Java SE

With so much happening around the Java platform, it’s understandable if you missed the recent improvements we made to the Secure Coding Guidelines for Java SE.  In January 2014 the Java Platform Group released a significant update, Java 7 Update 51 establishing code-signing as the default for Applets and Web Start applications.  Following in March 2014, we hit another major milestone with the long anticipated release of Java SE 8. There are a number of improvements to the...

Thursday, April 17, 2014 | Read More

JavaOne 2014 Security Track Early Acceptance Sessions

JavaOne 2014 is Oracle's flagship software developers conference event for Java.  Security has been a focus at the conference for many years but last year Oracle brought security to the forefront by including it as a track.  If you have ideas for interesting Java security sessions we would be delighted to review them.  The JavaOne CFP is open until April 14, 2014.  Back to the security track, each year the tracks highlight their early acceptance sessions to build momentum for...

Monday, April 7, 2014 | Read More

Java 8's new Type Annotations

Java 8 introduces two important changes to Annotations designed to help developers produce better code and improve the accuracy of automated code analysis to verify that quality. Quick Annotations Webinar There is a great video explaining the new improvements in the Java 8 Launch Webinars called “Enhanced Metadata - Annotations and Access to Parameter Names” by Alex Buckley and Michael Ernst. Annotation Improvements Type Annotations allow developers to write annotations in...

Tuesday, April 1, 2014 | Read More

Java SE 8 is available for download

Developers and system administrators can now download the first official release of Java SE 8. This is the first major release since Java 7 (July 2011) and features significant improvements in speed, stability, and security. Complete details about Java SE 8 and launch events can be found at The Java Source and Mark’s blog. Please also join the main launch webinar on March 25. New developers learning Java 8 may also view the Java Tutorials or focus on Java FX 8. Coordinated...

Wednesday, March 19, 2014 | Read More

JavaOne 2014 Call for Proposals is open

The call for proposals to JavaOne 2014 is currently open. Those looking to speak may submit topics through the JavaOne website. This year’s conference takes place from September 28th through October 2nd in San Francisco. There are several tracks for those wishing to speak. See the 2014 track listing for details. Clients and UI Core Java Platform Internet of Things Java Virtual Machine Languages Java and Security Tools and Techniques Server-Side Java Java in the Cloud Agile Development F...

Wednesday, March 12, 2014 | Read More

Managing multiple Java versions

The Java Platform provides various options for System Administrators to manage updates on client systems and maintain compatibility with specific applications. This post is intended to guide System Administrators whose clients make use of Rich Internet Applications (Applet & Web Start). Most of this does not apply to System Administrators of server-side applications or locally installed applications using the JRE. The primary strategies for controlling RIA compatibility are: Ident...

Thursday, February 27, 2014 | Read More

JDK 8 will use TLS 1.2 as default

Transport Level Security (TLS) is designed to encrypt conversations between two parties and ensure that others can neither read nor modify the conversation. When combined with Certificate Authorities, a proper level of trust is established: we know who is on the other end of the conversation and that conversation is protected from eavesdropping/modification. Support for TLS 1.2 first appeared in JDK 7 (2011). For compatibility reasons, it is enabled by default on server...

Tuesday, January 28, 2014 | Read More

Closing the closed APIs

Earlier this year, Wired published an article stating that, “Oracle has actually opened up Java even more — getting rid of some of the closed-door machinations that used to be part of the Java standards-making process.” This openness comes through OpenJDK and the Java Community Process, where different companies and developers all work together to guide the future of the Java Platform. Part of opening Java involves dealing with the evolution of internal APIs in the JDK outside...

Thursday, December 12, 2013 | Read More

Upcoming Exception Site List in 7u51

Over the last year, many new security-related features have been implemented. Many of those features have been related to browser plugins for applets and web start applications (RIAs). A number of end users and software vendors have asked for more ways to configure their environment and use of applications. The Exception Site List is a way for end-users to control their own application whitelist and continue using RIAs that could not be updated in time to follow previously...

Monday, November 25, 2013 | Read More

Security Resource Center

We recently launched a new Java security resource center on the Oracle Technology Network. The goal of this page is to aggregate security-related information for members of the Java community based on their roles. The resource center is not meant for specific technical features. Features are different and well covered in documentation sections like cryptography. The resource center focuses more towards "security is everyone's responsibility" in discussing how features...

Friday, November 15, 2013 | Read More

Self-signed certificates for a known community

Recently announced changes scheduled for Java 7 update 51 (January 2014) have established that the default security slider will require code signatures and the Permissions Manifest attribute. Code signatures are a common practice recommended in the industry because they help determine that the code your computer will run is the same code that the publisher created. This post is written to help users that need to use self-signed certificates without involving a public...

Monday, November 11, 2013 | Read More

7u45 Caller-Allowable-Codebase and Trusted-Library

Java 7 update 45 (October 2013) changed the interactions between JavaScript and Java Applets made through LiveConnect. The 7u45 update is a critical patch update that has also raised the security baseline and users are strongly recommended to upgrade. Versions below the security baseline used to apply the Trusted-Library Manifest attribute to call between sandboxed code and higher-privileged code. The Trusted-Library value was a Boolean true or false. Security changes for the...

Friday, October 18, 2013 | Read More

Updated Security Baseline (7u45) impacts Java 7u40 and before with High Security settings

The Java Security Baseline has been increased from 7u25 to 7u45. For versions of Java below 7u45, this means unsigned Java applets or Java applets that depend on JavaScript LiveConnect calls will be blocked when using the High Security setting in the Java Control Panel. This issue only affects Applets and Web Start applications. It does not affect other types of Java applications. The Short Answer: Users upgrading to Java 7 update 45 will automatically fix this and is strongly...

Wednesday, October 16, 2013 | Read More

What to do if your applet is blocked or warns of “mixed code”?

Recent security changes, including the October 7u45 critical patch update, for RIAs (Applets & Web Start applications) have affected several audiences in different ways. Other types of applications (such as back-end server applications, web applications, middleware, client-installed applications, and others) are unaffected by these changes. Two notable changes are: Java 7 update 45 (October 2013) introduced changes to the LiveConnect model of JavaScript calling Java RIAs...

Tuesday, October 15, 2013 | Read More

LiveConnect changes in 7u45

Java 7 update 45 (October 2013) introduces a new warning to users of LiveConnect applications. LiveConnect is a technology for Rich Internet Applications that allows JavaScript on a web page to make calls into an RIA, allowing the two to work together and load content. RIAs that do not use LiveConnect are unaffected by this change. What changed: Users are prompted to confirm a domain when it makes its first LiveConnect call. How is this different: Previously, LiveConnect calls...

Tuesday, October 15, 2013 | Read More

Signing code for the long-haul

With recent code-signature requirements for Rich Internet Applications, I have received a few good questions from different types of developers: What is the role of code signing? How do I prevent my signature from expiring? What is the role of code signing? Code signatures allow people who will receive and use your code to determine that you are, in fact, the publisher and that no one else has intentionally or accidentally modified your deliverable. Code signatures protect...

Thursday, October 10, 2013 | Read More

Signing applet code does not grant all-permissions (since 7u25)

There are two levels of authorization for Java applets and web start applications: sandboxed, where the application is limited in terms of actions it can take on users' computers, and all-permissions, where applications operate as though they were native, with full access to the system and its resources. In the old days of Java 6 and early days of Java 7, the rule was that only applications that required all-permissions needed to be signed. Since Java 7 update 21 (April 2013),...

Tuesday, September 17, 2013 | Read More

New security requirements for RIAs in 7u51 (January 2014)

Java 7 update 51 (January, 2014) intends to include two security changes designed to enhance authentication and authorization for Rich Internet Applications (Applets and Web Start). The default security slider is being updated in a way that will block RIAs that do not adhere to these requirements.  Note: this only applies to RIAs, and not to Java on server or desktop applications run outside of a browser. Summary: You are required to sign all RIAs (Applets and Web...

Monday, September 9, 2013 | Read More

Code signing: Understanding who and when

Code signatures have become more commonplace for applications in recent years and especially so in Java 7 update 21 (April 16, 2013). The security notifications for Java help provide your users with an understanding of who wrote the application so that they can decide whether to run it or not. Through the default settings of the Java security slider, end-users are blocked from running unsigned or self-signed applets and prompted for running signed applets. These cryptographic...

Tuesday, September 3, 2013 | Read More

Introducing Deployment Rule Sets

As the Java security model has hardened for browser-based applets, desktop administrators have asked for ways to manage version compatibility and security updates for their end-users. A new feature is being introduced in Java 7 update 40 called “Deployment Rule Set,” designed to address the issue of security and compatibility in browser applets without affecting normal back-end Java programs like Eclipse, Freemind, or Tomcat. Specifically this deployment rule set addresses two...

Wednesday, August 21, 2013 | Read More

Welcome!

Welcome to the Java Platform Group, Product Management blog.  Myself (Donald Smith), Aurelio Garcia-Ribeyro, Milton Smith, Dalibor Topic and Erik Costlow, are all Product Managers in the Java Platform Group which includes Java SE, JavaFX, Java ME and Javacard technology.  We, as well as others from time-to-time, will blog here on topics primarily related to Java SE (generally), Java Security (broadly), Usability and other related topics. Our goal here is to provide technically...

Friday, August 16, 2013 | Read More