
Managing Oracle’s Java Exception Site List

Oracle’s Java 7 Update 51 has introduced new security requirements for browser plugins for applets and web start applications. However, not all applets are able to run using the new requirements. To help with this, Oracle has included a way to whitelist specific sites using Java 7’s new Exception Site List. This allows the applets and web start applications hosted on the specified sites to continue to work, even if they don’t meet the new security requirements in Java 7.

On Mac OS X 10.7 and higher, the Exception Site List is a plaintext file named exception.sites, which is stored in /Users/username/Library/Application Support/Oracle/Java/Deployment/security.

To help Mac admins manage the Exception Site List, I’ve written a script which adds websites to Java 7’s Exception Site List without overwriting existing entries. For more details, see below the jump.

Since these settings are stored on a per-user basis, I’ve written a script and launch agent combination. The LaunchAgent runs the script on login to any user account with the logging-in user’s privileges and permissions.

As written, the script will add two servers to the Oracle Java Exception Site List. If the servers are already in the whitelist, it will note that in the log, then exit.
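The add-without-overwriting behavior described above, as an added sketch that is not the author's script. The names `add_site` and `WHITELIST` are hypothetical, and it assumes exception.sites holds one URL per line.

```shell
#!/bin/bash
# Added example (not the author's script): idempotently add entries to the
# per-user Java Exception Site List described in the article.

# Default location from the article; WHITELIST is a hypothetical override.
WHITELIST="${WHITELIST:-$HOME/Library/Application Support/Oracle/Java/Deployment/security/exception.sites}"

# add_site FILE URL
# Prints "added", "present" or "rejected"; never rewrites existing lines.
add_site() {
    local file="$1" url="$2"

    # Accept only http(s) URLs without whitespace (assumed: one per line).
    case "$url" in
        http://*|https://*) ;;
        *) echo "rejected"; return 0 ;;
    esac
    case "$url" in
        *[[:space:]]*) echo "rejected"; return 0 ;;
    esac

    # The security directory may not exist until the Java Control Panel
    # has been opened once, so create the whole path.
    mkdir -p "$(dirname "$file")"
    touch "$file"

    # Whole-line, fixed-string match: dots in host names are not treated
    # as regex wildcards and a prefix of an entry does not count.
    if grep -Fxq -- "$url" "$file"; then
        echo "present"
        return 0
    fi

    # If the last line lacks a newline, add one so entries do not merge.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$url" >> "$file"
    echo "added"
}

# Sites are passed as arguments; one log line is printed per site.
for site in "$@"; do
    echo "$(date '+%Y-%m-%d %H:%M:%S') $site: $(add_site "$WHITELIST" "$site")"
done
```

Run it as the logging-in user, for example from the LaunchAgent, so that exception.sites stays owned by that user.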

The script and LaunchAgent are available here on my GitHub repo:


  1. Scott
    January 16, 2014 at 5:49 pm

    Wondering if you could help me understand this a little better? I put for testing this new feature “http://www.java.com/en/” and “https://www.java.com/en/” in the whitelist. Now, when I go to those sites, I get errors and Java won’t load. Calling Java frustrating is an understatement! Thanks for any insights. I really appreciate all the sharing you do here and on JN!

  2. January 23, 2014 at 3:43 pm

    Rich, I’m curious to hear your take on whitelist vs Deployment Rule Sets. If I am reading this correctly, these are two different means to a similar end, with Oracle suggesting that sysadmins leverage DRS for greater extensibility and signing capability (?).
    Source: https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

    • January 23, 2014 at 4:16 pm

      Deployment Rule Sets are fine, but building them assumes the following:

      1. You can build a .jar file
      2. You have properly set up the XML ruleset
      3. You have access to a valid certificate that can be used to sign the .jar. Self-signing won’t work.

      In contrast, adding to the whitelist assumes the following:

      1. You can add properly formatted entries to a plaintext file

      Speaking for myself, managing the whitelist is a lot easier and gives me the desired results.

  3. February 2, 2014 at 10:57 am

    Great job… a LOT of bioinformatics tools are realized with Java technologies and since Lion things have become messy.

    Every once in a while (typically after an OS X or a Java update) colleagues call me to re-enable the Java plugin/VM execution on their workstations.

  4. February 12, 2014 at 5:48 pm

    This is a great reference. We generally have 1:1 deployments so I was able to nix the LaunchAgent and just update the $HOME variable to be last known user from console. Ex:

    USER=`ls -l /dev/console | cut -d " " -f 4`

  5. February 3, 2015 at 4:24 pm

    I’m finding that this does, indeed, add the Java exceptions, but it does it (through Casper) as root, so the user can’t modify the exceptions. Also, I still need to control the Security Level to avoid various popups and such. Are both of these options possible?

    Is this specific for Java 7 or will it work for Java 8 too?

  6. Ryan Taylor
    March 23, 2015 at 8:14 pm

    Where do I put the Launch Agent? It’s in System/Library/LaunchAgent but it’s only working for the local admin account. I log in with my AD account and the list is not populating.

  7. john yang
    July 27, 2015 at 6:53 pm

    The path that your script refers to isn’t created until you open the Java Control Panel. I’m adding one line to your script (in my use):

    mkdir -p ~/Library/Application\ Support/Oracle/Java/Deployment/security
