Java Runtime Environment, often called JRE, is software that lets you run applications called "applets" written in the Java programming language. These applets let you use various applications that require Java on your computer, such as online games, chatting with people around the world, calculating your mortgage interest, and viewing images in 3D. It is also an integral part of intranet applications and other e-business solutions that are the foundation of enterprise computing.
Java Plug-in technology, included as part of the Java 2 Runtime Environment, Standard Edition (JRE), establishes the connection between popular browsers and the Java platform. The Java Runtime Environment is intended for software developers and vendors to distribute with their applications. Many cross-platform applications also require Java to operate properly. The J2SE Java Runtime Environment (JRE) allows end users to run Java applications.
JRE features:
· Write software on one platform and run it on almost any other platform
· Create programs to run within a web browser and web services
· Develop server-side applications for online forums, stores, polls, HTML forms processing, and more
· Combine Java technology-based applications or services to create highly customized applications or services
· Write powerful and efficient applications for mobile phones, remote processors, low-cost consumer products, and practically any device with a digital heartbeat
What's new in JRE:
ENHANCEMENTS AND CHANGES:
Certificate Revocation:
· Before signed Java applets and Java Web Start applications are run, the signing certificate is checked to ensure that it has not been revoked. Advanced options in the Java Control Panel (JCP) can be set to manage the checking process. For more information on these options, see the Advanced section of the Java Control Panel documentation.
· Under normal circumstances revocation checking will have a slight impact on startup performance for applets and web start applications. Enterprises with managed networks and without access to the Internet (resulting in no access to the revocation services provided by Certificate Authorities) will see a significant delay in startup times.
· To avoid such delay, they may choose to disable online revocation checking through the JCP. Note that disabling online revocation checking should only be considered in managed environments as it decreases security protections.
New JAR Manifest File Attributes:
· JDK 7u25 release introduces the permissions and codebase attributes in the JAR Manifest File. These attributes are used to verify that the application is requesting the correct permissions level and is accessed from the correct location.
· Developers are advised to utilize at least the new permissions attribute, and if possible the codebase attribute as well. In future releases, applications that do not include these protections may be blocked or subjected to additional warning dialogs.
Best Practices for Applet & Web Start Deployment:
As a result of various security changes and improvements, the following best practices are recommended for Applet and Web Start deployment:
· Sign all JAR files using a Public Key Code Signing Certificate.
· In the application jar manifest file include the permissions keyword with the desired permissions level, and if possible the codebase attribute as well.
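A pre-deployment check for the two manifest attributes described above, as an added example that is not part of the release notes. The class and method names are hypothetical, the sample JARs and the example.com codebase are constructed, and the accepted Permissions values (sandbox, all-permissions) are the ones Oracle documents for this attribute.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class ManifestAttributeCheck {
    /** Returns null when both attributes are present and sane, otherwise a finding. */
    static String audit(Manifest mf) {
        if (mf == null) return "no manifest";
        Attributes main = mf.getMainAttributes();
        String perms = main.getValue("Permissions");
        if (perms == null) return "Permissions attribute missing";
        if (!perms.equals("sandbox") && !perms.equals("all-permissions"))
            return "unexpected Permissions value: " + perms;
        if (main.getValue("Codebase") == null) return "Codebase attribute missing";
        return null;
    }

    /** Writes a constructed sample JAR whose manifest has the given attributes. */
    static File sampleJar(String perms, String codebase) throws IOException {
        Manifest mf = new Manifest();
        Attributes main = mf.getMainAttributes();
        main.put(Attributes.Name.MANIFEST_VERSION, "1.0"); // required, or nothing is written
        if (perms != null) main.putValue("Permissions", perms);
        if (codebase != null) main.putValue("Codebase", codebase);
        File f = File.createTempFile("sample", ".jar");
        f.deleteOnExit();
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(f), mf)) { }
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Audit the JAR named on the command line, or two constructed samples.
        File[] jars = args.length > 0
            ? new File[] { new File(args[0]) }
            : new File[] { sampleJar(null, null),
                           sampleJar("sandbox", "https://apps.example.com") };
        for (File f : jars) {
            try (JarFile jar = new JarFile(f)) {
                String finding = audit(jar.getManifest());
                System.out.println(f.getName() + ": " + (finding == null ? "OK" : finding));
            }
        }
    }
}
```

Run it against each JAR in a build pipeline before signing, so that a missing attribute is caught before the artifact is published.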
LiveConnect Blocked under Some Conditions:
· LiveConnect calls from JavaScript to Java API are blocked when the Java Control Panel security slider is set to Very High level, or when the slider is at the default High level and the JRE has either expired or is below the security baseline.
New property for Secure Validation of XML:
· To avoid potential security issues with XML signatures, a secure validation mode has been added whereby signatures that contain potentially hostile constructs are rejected and not processed.
· For this purpose, the following new private property is added to the JDK: org.jcp.xml.dsig.secureValidation
· The property can be set by an application by calling the setProperty method of the javax.xml.crypto.dsig.dom.DOMValidateContext class with the name of the property above and a Boolean value.
· When set to true, this property instructs the implementation to process XML signatures more securely. This will set limits on various XML signature constructs to avoid conditions such as denial of service attacks.
· When not set, or set to false, the property instructs the implementation to process XML signatures according to the XML Signature specification without any special limits.
· If a SecurityManager is enabled, the property is set to true by default.
Java API Documentation Updater Tool:
· To address CVE-2013-1571, users hosting publicly facing Java API Documentation generated with javadoc 5u45, 6u45, 7u21 or earlier are strongly encouraged to re-create the Java API documentation using javadoc from 7u25 or above.
· Alternatively, for convenience of users and for those who have further modified the generated documentation, Oracle provides the Java API Documentation Updater, a repair-in-place tool.
· Source code is available with the download if you have a non-standard environment. The Java API Documentation Updater Tool is a separate download and not included in any JDK/JRE bundles. Please also see important information related to the javadoc tool in the Known Issues section.
Help for Security Dialogs:
· A More Information link is added to the various security dialogs that may pop up prior to launching an applet or Java Web Start as a means for the user to get more information about the dialog.
Changes to Runtime.exec:
· On the Windows platform, the decoding of command strings specified to java.lang.ProcessBuilder and the exec methods defined by java.lang.Runtime has been made stricter since JDK 7u21. This may cause problems for applications that are using one or more of these methods with commands that contain spaces in the program name, or are invoking these methods with commands that are not quoted correctly. For more information see JDK 7u21 Release Notes.
· In JDK 7u25, the system property jdk.lang.Process.allowAmbigousCommands can be used to relax the checking process and may be used as a workaround for some applications that are impacted by the stricter validation. The workaround is only effective for applications that are run without a security manager. To use this workaround, either the command line should be updated to include -Djdk.lang.Process.allowAmbigousCommands=true or the java application should set the system property jdk.lang.Process.allowAmbigousCommands to true.
· Quoting and escaping commands on Windows platform is complicated. The following examples may be useful to developers if they are impacted by the stricter validation.
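An added illustration, not taken from the release notes: passing the program and each argument to ProcessBuilder as separate list elements, so that no command string has to be split on spaces and Java does the quoting when it builds the Windows command line. The class name and the demo.value property are hypothetical; the program launched is the running JVM's own launcher.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

public class ExecWithSpaces {
    /** Runs the command given as [program, arg1, arg2, ...] and returns its exit code. */
    static int run(List<String> command) throws Exception {
        ProcessBuilder pb = new ProcessBuilder(command);
        pb.redirectErrorStream(true);             // "java -version" writes to stderr
        Process p = pb.start();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream()))) {
            for (String line; (line = r.readLine()) != null; ) {
                System.out.println("  " + line);
            }
        }
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        // The running JVM's launcher. On Windows this path often contains spaces
        // (for example under "Program Files"), the case the notes describe.
        String exe = System.getProperty("os.name").startsWith("Windows") ? "java.exe" : "java";
        String java = new File(new File(System.getProperty("java.home"), "bin"), exe).getPath();

        // Program path and arguments are separate elements; the space inside the
        // property value stays part of that one argument.
        List<String> cmd = Arrays.asList(java, "-Ddemo.value=two words", "-version");
        System.out.println(cmd + " -> exit " + run(cmd));
    }
}
```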
BUG FIXES:
· Area: deploy/plugin
· Synopsis: Inconsistent behavior with remote/local policy file with ALL permission.
· Both signed and unsigned applets with local or remote policy files with ALL permissions were not behaving as expected.
· The behavior was due to honoring JCP security levels.
· Area: security-libs/java.security
· Synopsis: Improve on checking order
· The implementations of java.security.AccessController.doPrivileged(PrivilegedAction, AccessControlContext) and AccessController.doPrivileged(PrivilegedExceptionAction, AccessControlContext) have been modified to improve security.
· Area: core-libs/java.util.logging
· Synopsis: Remove the stack search for a resource bundle for Logger to use
· The java.util.logging.Logger class no longer performs a stack walk search for a logger's resource bundle. The stack walk search was intended as a temporary measure to allow containers to transition to using the context class loader and was specified to be removed in a future release. The Logger will use the thread context class loader (if not set, the system class loader) to look up the resource bundle and, if the bundle is not found, it will fall back to the class loader of the caller class that creates the Logger instance (via the Logger.getLogger() and Logger.getAnonymousLogger() methods with a given resource bundle name).