In our previous blog post, we explored a few of the advantages of using CheerpJ, a full OpenJDK-based Java Runtime Environment in WebAssembly and JavaScript, to run Java applications on modern browsers.
Today, we delve into the robust security measures that CheerpJ and WebAssembly bring to the table when running Java Applications on the Browser.
Java Application, Web Security Model:
CheerpJ is a JVM/JRE that runs entirely within the Browser. It comprises a JVM in WebAssembly, and a full build of the OpenJDK runtime environment, combining Java bytecode and WebAssembly/JavaScript ‘native’ components and emulation layers.
As such, Java applications (including Applets, Java Web Start and standalone) running on CheerpJ inherit the browser security model, with no changes required to the application effort from the developer. This translates into superior sandboxing and permission handling, as well as a plethora of web security mechanisms such as same-origin policy, cross-origin isolation, CSP, and many others.
By using WebAssembly-based tools to run Java, developers can bring this added layer of security to client-side applications, safeguarding against potential threats and vulnerabilities.
Sandboxing:
Java’s sandboxing capabilities provide a controlled environment for executing untrusted code, mitigating the risks of malicious attacks and exploits.
When combined with WebAssembly, this feature extends to the sandboxing provided by the browser, offering an extremely secure browsing experience for end-users without compromising performance or functionality.
Modern Permissions Handling:
The browser’s permission-based Web APIs mean that the end-user (or the organization managing the browsers) has full control over the extent to which the application can interact with the local operating system. This granular control over the permissions granted to client-side applications, independent of what the original Java Application was performing, is a significant security upgrade compared to a standard Java Desktop deployment.
Code Verification:
Java’s bytecode verification, combined with Web-based security mechanisms for checking asset integrity (e.g. Sub-Resource Integrity) ensures that the application being executed is verified, preventing code injection attacks and compromised origins.
In conclusion, a Browser-based JVM/JRE in WebAssembly like CheerpJ offers a powerful combination of robust security features for client-side Java applications inherited from the Web Security model. By harnessing the strengths of both Java and Wasm, developers can create secure, high-performance web applications that deliver an exceptional user experience while safeguarding against potential security threats. Equip your Java applications with the resilience of WebAssembly and embark on a journey of innovation and security in the digital realm!