Java's place on the desktop
Standard configuration allows runtime engine to be installed, but with some restrictions
CONTRARY TO CONCERNS voiced widely in the systems administration community, the Federal Desktop Core Configuration (FDCC) allows the use of Java and the Java Runtime Engine (JRE) that runs Web applets, federal technologists say.
Misperceptions about FDCC implementation rules prompted two industry organizations last month to cite problems about whether the guidelines tilt in favor of Microsoft products and against the company's competitors, they said.
The Software and Information Industry Association and the Information Technology Association of America recently sent letters to the Office of Management and Budget asking OMB to clarify the issue.
The FDCC is a preset secure configuration that OMB has required agencies to adopt by Feb. 1 when they install the Microsoft Windows XP and Vista operating systems. A standard configuration will improve security for federal agencies, making it easier for systems administrators to manage their desktops and rapidly distribute patches to fix vulnerabilities, experts say.
If Java, originally developed by Sun Microsystems, had been blocked, many agencies that use JRE applets in their business applications would have been affected.
However, the JRE can be installed on a computer during its initial configuration and remain inert, said Bill Vass, president at Sun's federal subsidiary.
With FDCC's setup, users must click on a box each time they want to run an applet, he said.
'Java is allowed but it cannot run automatically,' Vass said.
'When a Web site initiates it, it should ask, 'Do you want to run this Java application or not?' as opposed to running automatically.'
National Institute of Standards and Technology officials said that if Java and JRE are installed properly, users should not have to click on a box every time to run an applet. Once the proper version of JRE is securely installed, it can be pushed down to the desktop from a centralized management console. Systems administrators should adjust settings in Microsoft Internet Explorer 7 to allow Java to work from within IE. As a result, when a user goes to a Web site that requires Java, IE 7 will make a function call to JRE and allow the application to work, NIST officials said.
JRE can offer additional features that cannot be executed through standard HTML, software experts said. The software is similar to Adobe Flash and Microsoft's own ActiveX controls.
Vass noted that Java cannot access memory or the desktop, so it won't create security holes like Flash or Active X components do.
However, FDCC guidelines do not allow ActiveX controls to run by default, either. The specific settings related to Java and ActiveX are based on restrictive Defense Department mobile code policy, said Tim Grance, manager of NIST's systems and network security group.
NIST worked with the Air Force, Army, DOD, Microsoft, the National Security Agency and Homeland Security Department to develop the standard Windows configuration.
Tthe settings 'are fairly restrictive,' Grance said. 'But if people have a sensible, reasonable need to change those settings and they can appropriately secure those systems with other controls and methods, then they can make that kind of decision.'
Agencies won't get a free pass to change the settings, the NIST official said. Federal entities that seek different settings must state their cases for the change and submit them for review.
Meanwhile, Adobe Flash is a different matter. Flash is a plug-in, not a built-in component of operating systems such as ActiveX or Java. Individual agencies must decide to restrict or allow Flash, QuickTime and other multimedia browser plug-ins.
'We're not saying use any plugin whenever you want it,' Grance said. 'Like everything else, look at the mission about to be accomplished.'
'People should be giving strong deference to what's in the FDCC,' Grance said. 'It doesn't mean that nothing can ever be changed or modified. Give strong deference to what's there and change what you have a good, strong case to change.'Joab Jackson contributed to this story.