Java 1.7u51 plugin blocks unsigned applets

Starting with version 1.7u51, the Java plugin refuses to run unsigned applets. It shows the message "Application blocked by security settings" and offers no visible option to override this restriction.

You have been warned: I told you so in October 2013, Java version 1.7u45 displayed a message on each run of unsigned applets, and Oracle announced the change at least twice.

The best short-term solution is to get a new version of the applet, one that is hopefully signed with a digital certificate, as described here.

If this is not possible, you can create a Deployment Rule Set (Introduction, Technote), which also requires a digital certificate, create an exception list, or change the security setting of Java from high to medium. The latter will of course make having a Java plugin in the web browser even more dangerous.

Here are three methods to create a whitelist ("exception list"):

  • manually per user: Run the Control Panel of Java (see below where to find this), select the security tab, click on "Manage Site List", do not type anything into the box, instead click on "Add", then type into the tiny line.

  • automatic per user: Deploy a plain text file named 'exception.sites', with one URL per line, to the profile directory of each user, which is '%APPDATA%\Sun\Java\Deployment\security' in Windows XP, and '%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security' in Windows 7. One way to do this is to put the exception file and this script CopyJavaWhitelist.cmd into the all-users autostart directory. Warning: existing entries created by the users will be overwritten each time this script runs, i.e. on every login. But even simpler is the next item:

  • automatic for all users: Deploy one global whitelist file 'exception.sites' (see above) by declaring its path in the system-level "Deployment Properties" file '%windir%\Sun\Java\Deployment\deployment.properties'. It seems that this even allows the whitelist to be placed on a network share.
    Sample contents:
    deployment.user.security.exception.sites=C:/Windows/Sun/Java/Deployment/exception.sites
    (attention: the path must use either forward slashes or double backslashes \\)
    Note that deploying files through GPO to Windows XP requires KB943729, but even then it does not work in my tests.

More information: Deployment Configuration File and Properties, Deployment Rule Set.
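The following check is an added example, not part of the original page or of any Oracle tooling. It shows why the path in the global whitelist property needs forward slashes or doubled backslashes. It assumes deployment.properties is read with the standard java.util.Properties escaping rules, and the function names and sample lines are constructed for illustration.

```python
import re

KEY = "deployment.user.security.exception.sites"  # property name from the page
_ESC = re.compile(r"\\(u[0-9a-fA-F]{4}|.?)", re.S)  # one backslash escape

def java_unescape(raw):
    """Decode backslash escapes the way java.util.Properties.load() does."""
    def repl(match):
        esc = match.group(1)
        if len(esc) == 5:                 # \uXXXX Unicode escape
            return chr(int(esc[1:], 16))
        if esc == "u":                    # Java rejects a malformed \u escape
            raise ValueError("malformed \\uXXXX escape in value")
        # \t \n \r \f become control characters; otherwise the backslash is dropped
        return {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(esc, esc)
    return _ESC.sub(repl, raw)

def whitelist_path(properties_text):
    """Return the exception.sites path as Java would read it, or None if unset."""
    for line in properties_text.splitlines():
        line = line.lstrip()
        if line.startswith(("#", "!")) or not line.startswith(KEY):
            continue                      # comment line or a different property
        rest = line[len(KEY):].lstrip()
        if rest[:1] in ("=", ":"):
            return java_unescape(rest[1:].lstrip())
    return None

def path_problems(properties_text):
    """List reasons the configured whitelist path would not resolve as intended."""
    path = whitelist_path(properties_text)
    if path is None:
        return ["property not set"]
    problems = []
    if any(ord(c) < 32 for c in path):
        problems.append("escape sequence decoded to a control character")
    if "/" not in path and "\\" not in path:
        problems.append("no path separators left after decoding: " + path)
    return problems

# Constructed sample lines: the page's forward-slash form and a single-backslash form.
GOOD = KEY + "=C:/Windows/Sun/Java/Deployment/exception.sites"
BAD = KEY + r"=C:\Windows\Sun\Java\Deployment\exception.sites"
```

With single backslashes the path decodes to C:WindowsSunJavaDeploymentexception.sites, which names no existing file, so the whitelist would not be found.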

Here are two methods to change the security level:

  • Go to the security tab of the Control Panel of Java, move the lever down, click OK.

  • Install Java with the install option WEB_JAVA_SECURITY_LEVEL=M. This can be specified as a command line argument for the installer (as described in this technote), or can be inserted as a property into the MSI file, see my webpage about java.msi.

How to find the Control Panel of Java:
This is no longer in the Control Panel of Windows; instead it is now in the Start Menu as "Configure Java". Alternatively, search for and run the program javacpl.exe. More info here.

Do not keep using an old version of Java. It not only has many security vulnerabilities, it also has an expiration date in February 2014.

By the way, Google even plans to completely remove NPAPI (the plugin architecture needed for Java) from Chrome by the end of the year 2014. Chromium plans to remove it as early as April 2014. Firefox has blocked all NPAPI plugins since version 26 (but so far allows the block to be overridden).

The best solution is to find other ways to get your work done, without requiring Java applets in the web browser!

News

There are reports that the exclusion list does not work if both the 32-bit and the 64-bit versions of Java are installed. The problem went away when both were uninstalled and only one of them was then re-installed.

Firefox

Users of Firefox suffer from two blocks: first Firefox blocks Java, then Java blocks itself. The block from Firefox can be disabled (at least for the latest version of the Java plugin) either by setting the preference "plugin.state.java" to 2, or by creating a whitelist with the addon "click-to-play-manager".


Modifications:
2014-04-23 fix filename for deployment.properties
2014-04-19 put whitelist on network share?
2014-04-16 global whitelist for all users
2014-01-29 info for Firefox users
2014-01-17 'news' section
2014-01-15 deployment rule set
2014-01-14 the version number is 51, not 60 as I had expected