java - Without modifying the JRE source code, is there a way to cause the Java VM to only execute local code?

Question

It's my understanding that a lot of the Java VM security issues involve holes in the VM sandboxing mechanism that permit remotely sourced applications to break out and do naughty things to a client machine (not to be confused with a program someone downloads from the web and runs locally - in that case it's up to the user to make sensible choices about what to install and execute). As far as I can tell, the stock JREs available from Oracle are all hard-wired to allow the user to run code from the web. Is there some way to change this behavior? I checked the Java security settings and the 'max' setting still permits the execution of web-sourced code.

I'm asking because I'm working on a desktop application for which I'd like to take advantage of the extensive set of Apache language processing packages currently available. However, given all the security issues with Java, lots of folks are getting rid of it all together, which will hurt our ability to deploy the application to organizations with security policies that prevent Java from being installed on their computers.

So is there a pre-existing solution to this or am I going to have to hack a safer Java VM?

Answer 1

Any Java code that is "run from the web" is launched via the web browser. If you disable Java in the web browser, you've effectively disabled "running from the web".

Java provides instructions for disabling "Java content in the browser" for all browsers at once via the Java control panel, and for disabling it in individual browsers. Hint: This works on both Windows and Mac.

One thing that you may find useful is that the currently recommended way of distributing Java desktop applications on the Mac is to include a full JRE in the application bundle, especially since Java web browser integration is disabled by default on the Mac. This way you're not even dependent on a JRE being installed on the OS.

If only Windows had application bundles, but you may be able to do something similar on Windows. As far as I understand, Java is self-contained in the JRE folders. It's not dependent on other programs or registry entries if you're not expecting browser integration. You should be able to copy a JRE to their hard drive and launch from there.

Locally bundled JREs like this would not be integrated with the operating system, web browsers would not be aware of them, and thus they would not provide the ability to "run from the web".

It's unfortunate that customers are not able to understand this distinction and refuse to install a JRE on the system, which is harmless by itself (with browser integration disabled). Yet, if they find out that you're "installing Java" on their system, you may be out of luck.