Exception Policies for Java

Contributor II


Has anyone figured out how to add sites to the Exception Site list in the Java Console? I ideally would like to be able to push a list of trusted sites to various environments.




New Contributor III

I am interested in this as well. I have been having to do it manually.

Valued Contributor II

From @rtrouton's (wonderful) blog:


Contributor II

Easy. Thanks!

Valued Contributor II

Just thinking out loud here...

We manage our Windows Oracle Java 7 and Java 8 exceptions with Group Policy (GPO). This manages a global Java directory that all local user accounts read from. This way each individual user account doesn't have to be touched.

I'd like to do something similar with my OS X Macs.

I'm surprised that the top-level (global) Library folder can't be used to manage Java exceptions for all local users.


...but I can't get that file to be read/acknowledged by Java 8.

If anyone knows how to get this to work please let me know.

Note: I don't want to mess with Oracle's suggested "Deployment Rule Sets" because I don't have the time or staff to manage certificates, XML files, .JAR files etc. Too much work for the (5) URLs I need to have whitelisted here in my company.

So, I started playing with making my own "Exception management framework" of sorts...

I have a master exception.sites here:

/Library/MyCompany/Oracle/Java/Deployment/security/exception.sites (This file could be theoretically provisioned on my master image for all newly-deployed Macs)

I'm trying to engineer the best way for local users to read from this home-brewed master file. My options thus far are...

1) Symlink from /Users/USER NAME/Library/Application Support/Oracle/Java/Deployment/security/exception.sites to /Library/MyCompany/Oracle/Java/Deployment/security/exception.sites

It has an added benefit that IT doesn't want people to add their own exceptions, so I can "lock" the master exception.sites file so nobody can write to it. Not sure if this will work. Playing with it today on some test Macs running Java 8.

2) ARD Unix command, or bash script that tells Macs to replace the local exception.sites with my master exception.sites file.

I'd have to run this every time IT adds an exception. But we rarely - if ever - edit this file (maybe once a year at the most).

I don't have Casper Suite (yet) so I have no way to get my Macs to "check-in" and fetch an updated exception.sites file at this time. So I need to have a best practice routine in place to verify/edit this file as needed.


Honored Contributor

You could try a launch agent that runs a script that copies that exception list to the ~/Library/Application Support/Oracle/Java/Deployment/security/exception.sites

Valued Contributor II

I was able to get my user's local ~/Library/Application Support/Oracle/Java/Deployment/security/exception.sites file to work with a symbolic link to /Library/My company/Java/Deployment/security/exception.sites. The symlink is honored by Java 8.

By changing permissions on my curated "master" exception.sites file, I can now choose to allow or deny my users from adding their own exceptions if I want by simply enabling the POSIX write bit.

So now my existing users will all get a curated "global" exception list that I can manage from one central location; using ARD, launchd, SSH or Casper Suite, I will be able to update this master exception.sites accordingly.

My master deployment image will have ~/Library/Application Support/Oracle/Java/Deployment/security/exception.sites provisioned in the OS X User Template, so that newly-created user accounts will automatically pull from my curated exception.sites file.
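Option 1 from the earlier post, carried through as an added example (this is not code from anyone in the thread): link a user's exception.sites to the curated master, clear the write bits on the master, and verify both conditions. The function names and the ".local.bak" backup suffix are my own; the home directory and master path are parameters so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: per-user exception.sites -> symlink to a read-only master
# list, so every local account reads one curated list and cannot append to it.

# Usage: link_exception_sites <user home dir> <path to master exception.sites>
link_exception_sites() {
    home="$1"; master="$2"
    dir="$home/Library/Application Support/Oracle/Java/Deployment/security"
    user_file="$dir/exception.sites"
    [ -f "$master" ] || { echo "master list missing: $master" >&2; return 1; }
    mkdir -p "$dir"
    # Keep any pre-existing per-user list aside so nothing is silently lost
    if [ -f "$user_file" ] && [ ! -L "$user_file" ]; then
        mv "$user_file" "$user_file.local.bak"
    fi
    ln -sfn "$master" "$user_file"
}

# Clear every write bit on the master. With the link in place, a user who adds
# a site in the Java Control Panel writes through to this file, so denying
# write here is what denies user-added exceptions.
lock_master() {
    chmod 444 "$1"
}

# Usage: verify_setup <user home dir> <path to master>; prints "ok" on success.
# Checks the two things the scheme depends on: the user file is a symlink that
# resolves to the master, and the master carries no write permission at all
# (checked via the mode string so the answer is the same when run as root).
verify_setup() {
    home="$1"; master="$2"
    user_file="$home/Library/Application Support/Oracle/Java/Deployment/security/exception.sites"
    [ -L "$user_file" ] || { echo "not a symlink: $user_file"; return 1; }
    [ "$(readlink "$user_file")" = "$master" ] || { echo "link does not point at master"; return 1; }
    case "$(ls -ld "$master" | cut -c2-10)" in
        *w*) echo "master is writable"; return 1 ;;
    esac
    echo "ok"
}
```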

Release Candidate Programs Tester

@bpavlov, if you're doing that.. You might as well composer that file in a DMG & deploy using FEU/FUT.

Contributor II
#!/bin/bash
# This script will add x amount of servers to the Oracle Java Exception Site List.
# By Jacob Salmela
# Based on: http://derflounder.wordpress.com/2014/01/16/managing-oracles-java-exception-site-list/

# List of each server to be added to the Java whitelist (one per line in single quotes)
# (placeholder entries; the original list was not included in the post)
servers=(
    'https://intranet.example.com'
    'https://apps.example.com:8443'
)

whitelist="$HOME/Library/Application Support/Oracle/Java/Deployment/security/exception.sites"
javaPlugin=$(defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier 2>/dev/null)
mkdir -p "$HOME/Library/Application Support/Oracle/Java/Deployment/security/"

if [[ ${javaPlugin} != 'com.oracle.java.JavaAppletPlugin' ]]; then
    echo "Oracle Java browser plug-in not installed"
    exit 1
else
    echo "Oracle Java browser plug-in IS installed."
    if [[ ! -f "$whitelist" ]]; then
        echo "Oracle Java Exception Site List not found. Creating one..."
        touch "$whitelist"
        for i in "${servers[@]}"; do
            echo "Adding exception for: $i..."
            echo "$i" >> "$whitelist"
        done
    else
        for i in "${servers[@]}"; do
            # Whole-line, fixed-string match so a prefix of a URL does not count as present
            whitelistCheck=$(grep -Fx -- "$i" "$whitelist")
            if [[ -n ${whitelistCheck} ]]; then
                echo "Exception already exists for: $i"
            else
                echo "Adding exception for: $i..."
                echo "$i" >> "$whitelist"
            fi
        done
    fi
fi

Valued Contributor II

I'm testing this now, and will probably go with the FEU/FUT method as I think our list of sites won't change much once we get it set up properly, but it is so unfortunate this can't be managed centrally via a managed profile.