
Managing Safari’s Java whitelist

Safari 6.0.4 and later (for Mac OS X 10.7.x and 10.8.x) and Safari 5.1.9 and later (for Mac OS X 10.6.x) now prompt you to enable the Java browser plug-in on a website-by-website basis. When a Java applet is allowed, its website is added to a whitelist in Safari’s Security settings.

This was going to be an issue at my workplace, as we have a couple of applications that rely on Java applets running through the browser. To help fix this and manage the Safari Java whitelist, I’ve written a couple of scripts. These scripts are designed to add websites to Safari’s Java whitelist without overwriting existing entries. For more details, see below the jump.

Update – 10-22-2013: These scripts do not work to manage the Java whitelist on Safari 6.1 and higher. If you are using either of these scripts, please do not use them with Safari 6.1 or higher on Mountain Lion or Mavericks as they may cause Safari to crash.

safari_java_whitelist_firstboot – This script is designed to be a firstboot script. It sets the Safari Java whitelist settings in your Mac’s default user template and for all existing users. Currently, it will add two servers to the Safari Java whitelist settings.


#!/bin/bash

# Adding two websites to Safari's Java whitelist in your Mac's default user template and for all existing users.
# Code adapted from DeployStudio's rc130 ds_finalize script, from the section where DeployStudio is disabling the iCloud and gestures demos

# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# Get today's date

TODAY=$(date "+%FT%TZ")

# Get Java plug-in info
JAVA_PLUGIN=`/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier`

# Checks first to see if the Mac is running 10.6 or higher. 
# If so, the script checks the system default user template
# for the presence of the Library/Preferences directory.
#
# If the directory is not found, it is created and then the
# Java whitelist settings are created.

if [[ ${osvers} -ge 6 ]];
then
  for USER_TEMPLATE in "/System/Library/User Template"/*
  do
     if [ ! -d "${USER_TEMPLATE}"/Library/Preferences ]
      then
        /bin/mkdir -p "${USER_TEMPLATE}"/Library/Preferences
     fi
     if [ -d "${USER_TEMPLATE}"/Library/Preferences ]
      then

         # Add Server1 to Java whitelist

         /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.Safari "WhitelistedBlockedPlugins" -array-add '{"PluginHostname" = "server1.name.here"; "PluginIdentifier" = "'$JAVA_PLUGIN'"; "PluginLastVisitedDate" = "'$TODAY'"; "PluginName" = "Java Applet Plug-in"; "PluginPageURL" = "https://server1.name.here"; "PluginPolicy" = "PluginPolicyNeverBlock";}'

         # Add Server2 to Java whitelist

         /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.Safari "WhitelistedBlockedPlugins" -array-add '{"PluginHostname" = "server2.name.here"; "PluginIdentifier" = "'$JAVA_PLUGIN'"; "PluginLastVisitedDate" = "'$TODAY'"; "PluginName" = "Java Applet Plug-in"; "PluginPageURL" = "https://server2.name.here"; "PluginPolicy" = "PluginPolicyNeverBlock";}'
        
     fi
  done
fi


# Checks first to see if the Mac is running 10.6 or higher.
# If so, the script checks the existing user folders in /Users
# for the presence of the Library/Preferences directory.
#
# If the directory is not found, it is created and then the
# Java whitelist settings are created.

if [[ ${osvers} -ge 6 ]];
then
  for USER_HOME in /Users/*
  do
    USER_UID=`basename "${USER_HOME}"`
    if [ ! "${USER_UID}" = "Shared" ] 
    then 
      if [ ! -d "${USER_HOME}"/Library/Preferences ]
      then
        /bin/mkdir -p "${USER_HOME}"/Library/Preferences
        chown "${USER_UID}" "${USER_HOME}"/Library
        chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
      fi
      if [ -d "${USER_HOME}"/Library/Preferences ]
      then

         # Add Server1 to Java whitelist

         /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.Safari "WhitelistedBlockedPlugins" -array-add '{"PluginHostname" = "server1.name.here"; "PluginIdentifier" = "'$JAVA_PLUGIN'"; "PluginLastVisitedDate" = "'$TODAY'"; "PluginName" = "Java Applet Plug-in"; "PluginPageURL" = "https://server1.name.here"; "PluginPolicy" = "PluginPolicyNeverBlock";}'

         # Add Server2 to Java whitelist

         /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.Safari "WhitelistedBlockedPlugins" -array-add '{"PluginHostname" = "server2.name.here"; "PluginIdentifier" = "'$JAVA_PLUGIN'"; "PluginLastVisitedDate" = "'$TODAY'"; "PluginName" = "Java Applet Plug-in"; "PluginPageURL" = "https://server2.name.here"; "PluginPolicy" = "PluginPolicyNeverBlock";}'

        # Fix permissions on com.apple.Safari.plist

         /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/com.apple.Safari.*

      fi
    fi
  done
fi

# Remove setup LaunchDaemon item

srm /Library/LaunchDaemons/com.company.safari_java_whitelist_firstboot.plist

# Make script self-destruct

srm "$0"

safari_set_java_whitelist_at_login – The script will add two servers to the Safari Java whitelist settings. If the servers are already in the whitelist, it will note that in the log, then exit.

To make this work, I’ve written a script and launch agent combination. The LaunchAgent runs the script on login to any user account with the logging-in user’s privileges and permissions.


#!/bin/bash

# Get today's date
TODAY=$(/bin/date "+%FT%TZ")

# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# Get Java plug-in info
JAVA_PLUGIN=`/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier`

# Check com.apple.Safari.plist for Server1 address
SERVER1_WHITELIST_CHECK=`/usr/bin/defaults read "$HOME"/Library/Preferences/com.apple.Safari WhitelistedBlockedPlugins | grep PluginHostname | awk '{print $3}' | grep server1.name.here | tr -d '";'`

# Check com.apple.Safari.plist for Server2 address
SERVER2_WHITELIST_CHECK=`/usr/bin/defaults read "$HOME"/Library/Preferences/com.apple.Safari WhitelistedBlockedPlugins | grep PluginHostname | awk '{print $3}' | grep server2.name.here | tr -d '";'`

if [[ ${osvers} -ge 6 ]]; then
  if [[ -n ${SERVER1_WHITELIST_CHECK} ]]; then
    # Server1 settings are present
    /usr/bin/logger "${SERVER1_WHITELIST_CHECK} is part of the Java whitelist in Safari. Nothing to do here."
  else
    # Add Server1 to Java whitelist
    /usr/bin/defaults write "$HOME"/Library/Preferences/com.apple.Safari "WhitelistedBlockedPlugins" -array-add '{"PluginHostname" = "server1.name.here"; "PluginIdentifier" = "'$JAVA_PLUGIN'"; "PluginLastVisitedDate" = "'$TODAY'"; "PluginName" = "Java Applet Plug-in"; "PluginPageURL" = "https://server1.name.here"; "PluginPolicy" = "PluginPolicyNeverBlock";}'
    /usr/bin/logger "server1.name.here has been added to the Java whitelist in Safari."
  fi

  if [[ -n ${SERVER2_WHITELIST_CHECK} ]]; then
    # Server2 settings are present
    /usr/bin/logger "${SERVER2_WHITELIST_CHECK} is part of the Java whitelist in Safari. Nothing to do here."
  else
    # Add Server2 to Java whitelist
    /usr/bin/defaults write "$HOME"/Library/Preferences/com.apple.Safari "WhitelistedBlockedPlugins" -array-add '{"PluginHostname" = "server2.name.here"; "PluginIdentifier" = "'$JAVA_PLUGIN'"; "PluginLastVisitedDate" = "'$TODAY'"; "PluginName" = "Java Applet Plug-in"; "PluginPageURL" = "https://server2.name.here"; "PluginPolicy" = "PluginPolicyNeverBlock";}'
    /usr/bin/logger "server2.name.here has been added to the Java whitelist in Safari."
  fi

fi

exit 0

Of the two approaches, I recommend using the safari_set_java_whitelist_at_login script and LaunchAgent. The reason is that the script will then run for all users (both current and future) and the script itself can be updated as needed to add or remove items.
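
To review what a managed Mac's whitelist actually contains after either script has run, the following added example (not part of the original post or the GitHub repo) parses the text printed by defaults read for the WhitelistedBlockedPlugins key and reports every never-block hostname that is not an exact match for an approved host. The function names, the approved list and the sample entries are assumptions constructed for the example; exact matching is used so that a longer hostname containing an approved name is still reported.

```shell
#!/bin/sh
# Added example: audit Safari's WhitelistedBlockedPlugins entries.
# On a Mac, feed it the output of:
#   /usr/bin/defaults read "$HOME/Library/Preferences/com.apple.Safari" WhitelistedBlockedPlugins

# Hosts expected in the whitelist (the placeholder names used in the scripts above).
APPROVED_HOSTS="server1.name.here server2.name.here"

# Reads the defaults output on stdin; prints each PluginPolicyNeverBlock
# hostname that is not an exact match for an approved host.
unexpected_never_block() {
  awk -v approved="${APPROVED_HOSTS}" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Return the value of a "Key = value;" line without quotes or semicolon.
    function value(s) {
      sub(/^[^=]*=[ \t]*/, "", s); gsub(/[";]/, "", s); sub(/[ \t]+$/, "", s)
      return s
    }
    /^[ \t]*[{]/            { host = ""; policy = "" }   # a new entry starts
    /PluginHostname[ \t]*=/ { host = value($0) }
    /PluginPolicy[ \t]*=/   { policy = value($0) }
    /^[ \t]*[}]/ {                                       # entry ends: judge it
      if (policy == "PluginPolicyNeverBlock" && host != "" && !(host in ok))
        print host
    }
  '
}

# Constructed sample (not captured from a real Mac). The identifier and the
# last policy value are placeholders; hostnames may appear quoted or unquoted.
sample_whitelist() {
  cat <<'EOF'
(
        {
        PluginHostname = "server1.name.here";
        PluginIdentifier = "com.example.JavaAppletPlugin";
        PluginPolicy = PluginPolicyNeverBlock;
    },
        {
        PluginHostname = "server1.name.here.unapproved.example";
        PluginPolicy = PluginPolicyNeverBlock;
    },
        {
        PluginHostname = other.example;
        PluginPolicy = PlaceholderOtherPolicy;
    }
)
EOF
}

# Stand-alone run on the sample; on a Mac, pipe the real defaults output instead.
sample_whitelist | unexpected_never_block
```
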

Both scripts are available here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/safari_java_whitelist

Credit goes to @aurica for figuring out the needed defaults commands.

Categories: Bash scripting, Java, Mac OS X
  1. cashxx
    April 19, 2013 at 6:58 pm

    Why isn’t this whitelist manageable with MCX?? That would be the correct way, looks like it was thrown in not thinking of the enterprise.

    • April 19, 2013 at 7:22 pm

      cashxx,

      If you’re managing Safari with MCX, you can also manage this whitelist with MCX. I’m not going that route, but that doesn’t mean it’s not possible.

      • cashxx
        April 19, 2013 at 8:24 pm

        I didn’t see the option in there to manage it. Will look into it again a little further…

  2. cashxx
    April 19, 2013 at 8:31 pm

    Oops my bad…..WhitelistedBlockedPlugins is the key I believe.

  3. Antoine Kinch
    October 23, 2013 at 9:32 pm

    Hey Rich, any way to enable Java in a whitelist for specific websites like this with Safari 6.1?

  4. Antoine Kinch
    October 23, 2013 at 9:33 pm

    It worked GREAT with Safari 6.0.5!

  5. duke
    April 28, 2014 at 10:59 pm

    Hey Rich, wondering if you have tips on how to handle this with the latest version of Safari. The script does seem to work in adding items to the white list, however I still see the Blocked Plug-In message when visiting java.com/verify (java.com set to Always in my Safari prefs).
