This topic describes the Exception Site List feature, which provides a way for users to run Rich Internet Applications (RIAs) that otherwise would be blocked by security checks. The criteria used to determine if RIAs are allowed to run are becoming stricter. In some cases it might be difficult to update legacy RIAs to meet the security requirements and prevent them from being blocked. This feature enables users to continue to run these RIAs.
The exception site list contains URLs for sites that host RIAs that users want to run. RIAs that are launched from sites in the exception site list are allowed to run with the appropriate security prompts, even in the following circumstances, which would normally cause the RIA to be blocked:
RIA is not signed with a certificate from a trusted certificate authority
RIA is hosted locally
JAR file does not have the Permission manifest attribute
RIA is signed with an expired certificate
Certificate used to sign the RIA cannot be checked for revocation
The exception site list also allows JavaScript code to call Java code (LiveConnect) without prompting the user for permission when the JavaScript code and the Java code are located on a site in the list.
Note: If an active deployment rule set is installed on the system, the deployment rules take precedence over the exception site list. The exception site list is considered only when the default rule applies. See Chapter 28, "Deployment Rule Set" for information about deployment rules.
The exceptions granted by the Exception Site List feature apply to RIAs whose entry point is included in the list:
For applets, the URL for the document base of the applet must be in the list.
For Java Web Start applications, the URL for the main JNLP file must be in the list. If the URL for the main JNLP file cannot be determined, then the exceptions do not apply to the RIA.
If the RIA requires resources from another domain, that domain must also be included in the exception site list. Otherwise, the RIA is blocked when the additional resource is accessed.
The exception site list is managed in the Security tab of the Java Control Panel which is described in Section 20.4, "Security." The list is shown in the tab. To add, edit, or remove items from the list, click Edit Site List and follow the directions in Add a URL, Edit a URL, and Remove a URL.
To add a URL to the exception site list, follow these steps:
Click Add in the Exception Site List window.
Type the URL into the empty field that is provided under Location.
Continue to click Add and enter URLs until your list is complete.
Click OK to save the URLs that you entered. If you click Cancel, the URLs are not saved.
The following rules apply to the format of the URL:
A protocol is required.
Supported protocols are FILE, HTTP, and HTTPS. HTTPS is recommended. If the protocol is not HTTPS, a warning is shown. Click Continue to add the URL, or click Cancel to discard the URL.
A domain is required.
Wildcards are not supported. If only a domain is provided, any RIA from that domain is allowed to run. A domain can have multiple entries, for example, https://www.example.com and http://www.example.com.
A port number is required only if the default port is not used.
A path is optional.
Wildcards are not supported. If the path ends with a slash (/), for example, http://www.example.com/apps/, RIAs in that directory and any subdirectory are allowed to run. If the path does not end with a slash, for example, http://www.example.com/test/applet.html, only that specific RIA is allowed to run.
The format must be the same as the format used for the RIA URL or href attribute. For example, http://www.example.com/sample/app/sample1/../sample2 and http://www.example.com/sample//app/sample2 are not considered matches to http://www.example.com/sample/app/sample2.
Add a site to the exception site list only if you trust the entire site. Even if a path is specified, adding a site that might contain other untrusted paths could present a security risk and is not recommended.
If an invalid URL is entered, an error icon is shown next to the item. If the URL is not corrected before OK is clicked, the invalid URL is not saved.
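The matching rules above (protocol and domain required, port significant only when it is not the protocol default, trailing slash meaning "this directory and below", no slash meaning exactly that RIA, no wildcards, and no path normalisation) can be checked against a concrete RIA URL. The following is an added illustration written for this page, not code from the Java runtime; its function names and the assumption that file URLs may omit a host are the example's own.

```python
from dataclasses import dataclass
from typing import Optional, Iterable
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = {"file", "http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class SiteURL:
    scheme: str
    host: str
    port: Optional[int]
    path: str


def parse_site_url(url: str) -> SiteURL:
    """Parse a list entry or RIA URL, enforcing the entry format rules.

    The path is kept exactly as written: the list compares text, so
    '/a/b/../c' and '/a//b/c' are different from '/a/b/c'.
    """
    parts = urlsplit(url)
    if not parts.scheme:
        raise ValueError("protocol is required: " + url)
    if parts.scheme not in SUPPORTED_SCHEMES:
        raise ValueError("unsupported protocol: " + parts.scheme)
    if "*" in url:
        raise ValueError("wildcards are not supported: " + url)
    host = parts.hostname or ""
    if parts.scheme != "file" and not host:   # assumption: file URLs may omit a host
        raise ValueError("domain is required: " + url)
    # An explicit port only matters when it differs from the protocol default.
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return SiteURL(parts.scheme, host, port, parts.path)


def entry_matches(entry: str, ria_url: str) -> bool:
    """True if the RIA URL (document base or main JNLP) is covered by the entry."""
    e, r = parse_site_url(entry), parse_site_url(ria_url)
    if (e.scheme, e.host, e.port) != (r.scheme, r.host, r.port):
        return False
    if e.path == "":                 # domain-only entry: any RIA on that site
        return True
    if e.path.endswith("/"):         # directory entry: that directory and below
        return r.path.startswith(e.path)
    return r.path == e.path          # file entry: exactly that RIA


def first_matching_entry(entries: Iterable[str], ria_url: str) -> Optional[str]:
    """Return the first list entry that covers ria_url, or None if it is blocked."""
    return next((x for x in entries if entry_matches(x, ria_url)), None)
```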
To edit a URL in the exception site list, follow these steps:
Double-click the URL that you want to edit in the Exception Site List window.
Make changes to the URL. See Add a URL for information on the format of the URL.
Click OK to save the changes. If you click Cancel, the changes are not saved.
To remove a URL from the exception site list, follow these steps:
Click the URL that you want to remove in the Exception Site List window.
To remove more than one URL, Ctrl-click the additional URLs.
Click Remove.
Click OK to save your change. If you click Cancel, the URLs are not removed from the list.
The location of the exception site list is set in the deployment.user.security.exception.sites property. The default location is <deployment.user.home>/security/exception.sites. See Chapter 21, "Deployment Configuration File and Properties" for information on properties and property files.
Users can manage a list on their system, or use a list managed by a system administrator in a central location. If a system administrator does not want users to edit the exception site list, the deployment.user.security.exception.sites property can be set to a file for which users do not have write permission. If a user cannot write to the exception site list, the list is shown in the Java Control Panel, but the controls for editing are not available in the Exception Site List window.
To prevent users from using a different exception site list than the list set up by a system administrator, the deployment.user.security.exception.sites property can be locked. See Section 21.2, "Deployment Configuration Properties" for information on locking system properties.
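As an added illustration (not taken from this page), the two administrator controls just described can be combined in the system deployment.properties file: point the property at a central, read-only file and lock it with the .locked suffix that Section 21.2 describes. The file path is a placeholder.

```properties
# System-level deployment.properties (added example; path is a placeholder)
# Central list that users can read but not write, so the Java Control Panel
# shows the entries without the Add/Edit/Remove controls.
deployment.user.security.exception.sites=/path/to/central/exception.sites
# Lock the property so a user-level deployment.properties cannot point the
# runtime at a different list.
deployment.user.security.exception.sites.locked
```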