How To Add Exception Site List In Java Windows 10
Savage Doherty
This topic describes the Exception Site List feature, which provides a way for users to run Rich Internet Applications (RIAs) that otherwise would be blocked by security checks. The criteria used to determine if RIAs are allowed to run are becoming stricter. In some cases it might be difficult to update legacy RIAs to meet the security requirements and prevent them from being blocked. This feature enables users to continue to run these RIAs.
The exception site list contains URLs for sites that host RIAs that users want to run. RIAs that are launched from sites in the exception site list are allowed to run with the appropriate security prompts, even in the following circumstances, which would normally cause the RIA to be blocked:
The exception site list also allows JavaScript code to call Java code (LiveConnect) without prompting the user for permission when the JavaScript code and the Java code are located on a site in the list.
The exception site list is managed in the Security tab of the Java Control Panel which is described in Section 20.4, "Security." The list is shown in the tab. To add, edit, or remove items from the list, click Edit Site List and follow the directions in Add a URL, Edit a URL, and Remove a URL.
Wildcards are not supported. If the path ends with a slash (/), for example, , RIAs in that directory and any subdirectory are allowed to run. If the path does not end with a slash, for example, , only that specific RIA is allowed to run.
Add a site to the exception site list only if you trust the entire site. Even if a path is specified, adding a site that might contain other untrusted paths could present a security risk and is not recommended.
The location of the exception site list is set in the deployment.user.security.exception.sites property. The default location is /security/exception.sites. See Chapter 21, "Deployment Configuration File and Properties" for information on properties and property files.
Users can manage a list on their system, or use a list managed by a system administrator in a central location. If a system administrator does not want users to edit the exception site list, the deployment.user.security.exception.sites property can be set to a file for which users do not have write permission. If a user cannot write to the exception site list, the list is shown in the Java Control Panel, but the controls for editing are not available in the Exception Site List window.
To prevent users from using a different exception site list than the list set up by a system administrator, the deployment.user.security.exception.sites property can be locked. See Section 21.2, "Deployment Configuration Properties" for information on locking system properties.
We manage our Windows Oracle Java 7 and Java 8 exceptions with Group Policy (GPO). This manages a global Java directory that all local user accounts read from. This way each individual user account doesn't have to be touched.
Note: I don't want to mess with Oracle's suggested "Deployment Rule Sets" because I don't have the time or staff to manage certificates, XML files, .JAR files etc. Too much work for the (5) URLS I need to have whitelisted here in my company.
It has an added benefit that IT doesn't want people to add their own exceptions, so I can "lock" the master exception.sites file so nobody can write to it. Not sure if this will work. Playing with it today on some test Macs running Java 8.
I don't have Casper Suite (yet) so I have no way to get my Macs to "check-in" and fetch an updated exception.sites file at this time. So I need to have a best practice routine in place to verify/edit this file as needed.
So now my existing users will all get a curated "global" exception list that I can manage from one central location, using ARD launchd SSH or Casper Suite, I will be able to update this master exception.sites accordingly.
I'm testing this now, and will probably going to go with the FEU/FUT method as I think our list of sites won't change much once we get it set up properly, but it is so unfortunate this can't be managed via managed profile centrally.
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. Learn about Jamf.
This site contains User Content submitted by Jamf Nation community members. Jamf does not review User Content submitted by members or other third parties before it is posted. All content on Jamf Nation is for informational purposes only. Information and posts may be out of date when you view them. Jamf is not responsible for, nor assumes any liability for any User Content or other third-party content appearing on Jamf Nation.
So interesting tidbit today; while trying to connect to a system via the RMM IPMI tool for the grid; we sometimes have to add in exclusions to the Java Security context so we can connect (this was to fix the underlying certificate).
From the above page though; we can confirm the system shows: active Deployment Rule Set on the grid. In researching this has the files: ruleset.xml and the DeploymentRuleSet.jar file on the grid. This then would be installed on the grid in the location:
Long term though or other methods to assist could be to install alternate java versions, check the security context that the rule is for and correct (in my case I was connecting to the IPMI module to update an expired certificate which was flagged by this rule) or work with your IT team to have exceptions for needed items.
All content provided on this blog is for informational purposes only. I make no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. I will not be liable for any errors or omissions in this information nor for the availability of this information. I will not be liable for any losses, injuries, or damages from the display or use of this information.
The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by any company mentioned and does not necessarily reflect the views and opinions of those companies nor does it constitute any official communication therein.
On one of our computers, the Security Tab in the Java Control Panel sometimes looks like this:
As you can see, the part required to manage the exception site list is missing/not accessible. I have no idea why (reinstalling Java did not help).
However, you can also add exceptions by directly editing the exception.sites file. Under Win 7, it is normally found in the C:\Users\*YOUR USERNAME*\AppData\LocalLow\Sun\Java\Deployment\security directory. Simply add a new line for each URL (e.g. ), save the file, then restart the browser.
Oracle has said the exception.sites file is meant to be for users to manage while the deployment.ruleset is for users to manage. By default, exception.sites lives in the users profile at this path:C:\Users\UserName\AppData\LocalLow\Sun\Java\Deployment\Security
The second file you need is deployment.properties. This file lists all the properties the admin has set for the computer. By default, there are no settings set so the file will probably not exist. Create it and put this line in:
This line of code tells Java to use the exception.sites file in C:WindowsSunJavaDeploymentexception.sites instead of the user one. Make sure this file is in a location your users have read access to or this will not work. Also, if you set this and a user has write access to the file, they will be able to change the site list for all users who log into the computer. Java will not use the exception.sites list in their profile anymore.
Where did you install Firefox from? Help Mozilla uncover 3rd party websites that offer problematic Firefox installation by taking part in our campaign. There will be swag, and you'll be featured in our blog if you manage to report at least 10 valid reports!
I have followed instructions in all the other threads and nothing has worked. I tried safe mode and that did not work either, I went into the page permissions and activated everything for that page and still no luck.
Ok, your last comment got me there! Thanks. It seems that in some x64 based systems when you go through the windows control panel to access the java control panel it actually opens a different java control panel. But if you search java in the start menu you can "configure java" and that will get you to the proper window to add the exception. Thank you for your help!
I am never prompted to allow or deny the program, it just blocks it. The newest java doesn't have the exception list options in the java control panel. I have changed my security settings through tools> page info> Permissions and it still blocks it automatically
The exception site list is managed in the Security tab of the Java Control Panel. The list is shown in the tab. To add, edit or remove a URL from list, click Edit Site List and follow the directions shown.
Had to install a new hard drive and tried to install the most current version of Powerchute Business Edition, but it wouldn't find the UPS. Reverted back to the disk that came with the UPS and it sees it, but when I tried to log in to the web interface I get a pop up that says it's blocked the loginapplet.
It does this regardless of the browser. I'm running Kaspersky Internet Security and tried with it disabled to no avail. This pop up doesn't look like KIS. I've checked Windows Firewall (which Kaspersky hooks into) and I can see the exceptions listed for Powerchute. o
d3342ee215