Managing Oracle’s Java Exception Site List
Oracle’s Java 7 Update 51 has introduced new security requirements for browser plugins for applets and web start applications. However, not all applets are able to run using the new requirements. To help with this, Oracle has included a way to whitelist specific sites using Java 7’s new Exception Site List. This allows the applets and web start applications hosted on the specified sites to continue to work, even if they don’t meet the new security requirements in Java 7.
On Mac OS X 10.7 and higher, the Exception Site List is a plaintext file named exception.sites, which is stored in /Users/username/Library/Application Support/Oracle/Java/Deployment/security.
To help Mac admins manage the Exception Site List, I’ve written a script which is designed to add websites to Oracle’s Java 7’s Exception Site List without overwriting existing entries. For more details, see below the jump.
Since these settings are stored on a per-user basis, I’ve written a script and launch agent combination. The LaunchAgent runs the script on login to any user account with the logging-in user’s privileges and permissions.
As written, the script will add two servers to the Oracle Java Exception Site List. If the servers are already in the whitelist, it will note that in the log, then exit.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # This script will add two servers to the Oracle Java Exception Site List. | |
| # If the servers are already in the whitelist, it will note that in the log, then exit. | |
| # More servers can be added as needed. The existing server entries can also be set to be | |
| # empty (i.e. SERVER2='') as the script will do a check to see if either SERVER value | |
| # is set to be null. | |
| # Server1's address | |
| SERVER1='http://server.name.here' | |
| # Server2's address | |
| SERVER2='https://server.name.here' | |
| LOGGER="/usr/bin/logger" | |
| WHITELIST=$HOME"/Library/Application Support/Oracle/Java/Deployment/security/exception.sites" | |
| SERVER1_WHITELIST_CHECK=`cat $HOME"/Library/Application Support/Oracle/Java/Deployment/security/exception.sites" | grep $SERVER1` | |
| SERVER2_WHITELIST_CHECK=`cat $HOME"/Library/Application Support/Oracle/Java/Deployment/security/exception.sites" | grep $SERVER2` | |
| JAVA_PLUGIN=`/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier` | |
| if [[ ${JAVA_PLUGIN} != 'com.oracle.java.JavaAppletPlugin' ]]; then | |
| ${LOGGER} "Oracle Java browser plug-in not installed" | |
| exit 0 | |
| fi | |
| if [[ ${JAVA_PLUGIN} = 'com.oracle.java.JavaAppletPlugin' ]]; then | |
| ${LOGGER} "Oracle Java browser plug-in is installed. Checking for Exception Site List." | |
| if [[ ! -f "$WHITELIST" ]]; then | |
| ${LOGGER} "Oracle Java Exception Site List not found. Creating Exception Site List." | |
| # Create exception.sites file | |
| touch "$WHITELIST" | |
| # Add needed server(s) to exception.sites file | |
| if [[ -n ${SERVER1} ]]; then | |
| /bin/echo "$SERVER1" >> "$WHITELIST" | |
| fi | |
| if [[ -n ${SERVER2} ]]; then | |
| /bin/echo "$SERVER2" >> "$WHITELIST" | |
| fi | |
| exit 0 | |
| fi | |
| if [[ -f "$WHITELIST" ]]; then | |
| ${LOGGER} "Oracle Java Exception Site List Found." | |
| if [[ -n ${SERVER1_WHITELIST_CHECK} ]]; then | |
| # Server1 settings are present | |
| ${LOGGER} "${SERVER1_WHITELIST_CHECK} is part of the Oracle Java Exception Site List. Nothing to do here." | |
| else | |
| # Add Server1 to exception.sites file | |
| if [[ -n ${SERVER1} ]]; then | |
| /bin/echo "$SERVER1" >> "$WHITELIST" | |
| ${LOGGER} "$SERVER1 has been added to the Oracle Java Exception Site List." | |
| fi | |
| fi | |
| if [[ -n ${SERVER2_WHITELIST_CHECK} ]]; then | |
| # Server2 settings are present | |
| ${LOGGER} "${SERVER2_WHITELIST_CHECK} is part of the Oracle Java Exception Site List. Nothing to do here." | |
| else | |
| # Add Server2 to exception.sites file | |
| if [[ -n ${SERVER2} ]]; then | |
| /bin/echo "$SERVER2" >> "$WHITELIST" | |
| ${LOGGER} "$SERVER2 has been added to the Oracle Java Exception Site List." | |
| fi | |
| fi | |
| fi | |
| fi | |
| exit 0 |
The script and launchagent are available here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/oracle_java_whitelist
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
Wondering if you could help me understand this a little better? I put for testing this new feature “http://www.java.com/en/” and “https://www.java.com/en/” in the whitelist. Now, when I go to those sites, I get errors and Java won’t load. Calling Java frustrating is an understatement! Thanks for any insights. I really appreciate all the sharing you do here and on JN!
Rich, I’m curious to hear your take on whitelist vs Deployment Rule Sets. If I am reading this correctly, these are two different means to a similar end, with Oracle suggesting that sysadmins leverage DRS for greater extensibility and signing capability (?).
Source: https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets
Deployment Rule Sets are fine, but building them assumes the following:
1. You can build a .jar file
2. You have properly set up the XML ruleset
3. You have access to a valid certificate that can be used to sign the .jar. Self-signing won’t work.
In contrast, adding to the whitelist assumes the following:
1. You can add properly formatted entries to a plaintext file
Speaking for myself, managing the whitelist is a lot easier and gives me the desired results.
Hi Rich,
For what it’s worth, you can use a self-signed certificate as long as you add it to the trusted cacerts keystore prior to enabling the Deployment Rule Set. I wrote a script for adding such a certificate to the keystore, which can be found here:
https://github.com/futureimperfect/futureimperfect_scripts/blob/master/add_self-signed_cert_to_java_cacerts.sh
I agree that using a plaintext file to manage this is much easier, though.
Thanks for the great post!
Great job… a LOT of bioinformatics tools are realized with Java technologies and since Lion things have become messy.
Every once in a while (typically after an OSX o a Java update) colleagues calls me to re-enable the java plugin/VM execution on their workstations
This is a great reference. We generally have 1:1 deployments so I was able to nix the LaunchAgent and just update the $HOME variable to be last known user from console. Ex:
USER=`ls -l /dev/console | cut -d ” ” -f 4`
HOME=”/Users/”$USER
I’m finding that this does, indeed, add the Java exceptions,but it does it (through Casper) as root, so the user can’t modify the exceptions. Also, I still need to control the Security Level to avoid various popups and such. Are both of these options possible?
Is this specific for Java 7 or will it work for Java 8 too?
Where do I put the Launch Agent? It’s in System/Library/LaunchAgent but it’s only working for the local admin account. I log in with my AD account and the list is not populating.
The path that your script refers to isn’t created until you open the Java Control Panel. I’m adding one line to your script (in my use):
mkdir ~/Library/Application\ Support/Oracle/Java/Deployment/security