Support for blacklisting signed jar files has been added to 6u14. A blacklist is a
list of signed jars that contain serious security vulnerabilities that can be
exploited by untrusted applets or applications. A system-wide blacklist will be
distributed with each JRE release. Java Plugin and Web Start will consult this
blacklist and refuse to load any class or resource contained in a jar file that's
on the blacklist. By default, blacklist checking is enabled. The
deployment.security.blacklist.check
deployment configuration property
can be used to toggle this behavior. The blacklist is updated using the property
deployment.blacklist.url which defaults to //javadl-esd-secure.oracle.com/update/blacklist.
The blacklist entries are the union of the blacklist files pointed to by the
deployment.system.security.blacklist
and
deployment.user.security.blacklist
properties. By default,
deployment.system.security.blacklist
points to the
blacklist
file in the jre/lib/security
directory,
and deployment.user.security.blacklist
points to a blacklist file
that contains additional entries added by a user.
The blacklist is a text file with the following format:
attribute : value
Each jar file on the blacklist is identified by the
x-Digest-Manifest
attribute where
x
is the name of the
MessageDigest
algorithm, and the value is the base64 encoded
hash value of the Manifest. Comments are denoted by lines starting with
the # (number) symbol.
Here is an example:
# Buggy Utilities, version 1.0 SHA1-Digest-Manifest : QONXbQg+EtNOguIOAgpUUOadhv8= # Malware Inc., version 99.99 SHA-256-Digest-Manifest : SewaudBCZ3iXt1KX0BeFHpQiiM1xYLtvLw3Ow2RJfcs=