I have some non-trivial computational code that need to be applied on data already downloaded into the browser DOM and captured from user interactions. I do not wish to expose this code. I am wondering if:
- Write a webservice and communicate with the browser over websocket or HTTP. The trade-off is speed of interaction (from slick to poor) and higher traffic costs.
- Write a Java applet (signed to hide the code) that encapsulates logic within the page and let JavaScript interact with the Java API. I read elsewhere that the Java and JavaScript engine can deadlock in certain scenarios. However, since I am only computing, this is a non-issue. Maybe, on multi-core machines I could divvy up my work using a few more threads.
- Write in JavaScript. But JavaScript is difficult to test, and it’s all in public eye.
Q&A such as Usability of Java applets on the web and several others are also discouraging.
Are Java applets a dead technology? There aren’t even Q&A on this topic these days! Additionally, Java may not always be bundled with all browsers (desktop, tablet or mobile)?
Are there better ways to accomplish the same like hide code, utilize client CPU/RAM, minimize data traffic?
The web pages are on JavaScript, HTML5, and CSS. The server only dishes out JSON and XML. The data packets are 10-20 KB and updated frequently. The computations are expensive and client-specific, so I would really like to use the client to do all that.
Advertisement
Answer
I thinks the biggest disadvantage of an applet is that it assumes you have a JRE installed on a client machine. Is it really a viable assumption?
Of course, you can offer to download and install JRE as well, but why bother doing all this only for making some computation? Another question I would ask myself, can your clients be mobile phones, tablets and so on? If so, maybe JavaScript is a better option to go with.
And yet another two cents 🙂 You mentioned ‘opened to eye JavaScript’ You should understand that the only real way of protecting your computation code is putting the computation on server. I mean, that even if you have a compiled binary code, Java’s assembly is easy-to-understand for a skilled attacker. And obfuscation that you mentioned (it’s obfuscation, not signing a JAR file) makes it slightly harder, but still not impossible.
The only concern I see here is that if you have a lot of clients that are running the computation simultaneously and you put the burden of computation on your server it can collapse eventually.