Why are Java applications blocked by your security settings with the latest Java?
This article applies to:
- Java version(s): 7.0
Trying to run the Java applications with Java version 7 Update 51, generates messages that says
Starting with Java 7 Update 51, Java has enhanced security model to make user system less vulnerable to the external exploits. The new version of Java does not allow users to run the applications that are not signed (Unsigned), Self signed (not signed by trusted authority) and the applications that are missing permission attributes.
Risks involved in running each kind of applications:
- Unsigned applications:
An application without a certificate (i.e. unsigned apps), or missing application Name and Publisher information are blocked by default. Running this kind of application is potentially unsafe and present higher level of risk.
- Self signed application (Certificate not from trusted authority):
An application with self-signed certificate is blocked by default. Applications of this type present the highest level of risk because publisher is not identified and the application may be granted access to personal data on your computer.
- Jar file missing Permission Attribute:
Permissions Attribute verifies that the application requests the permission level that developer specified. If this attribute is not present, it might be possible for an attacker to exploit a user by re-deploying an application that is signed with original certificate and running the application at a different privilege level.
The application that you are running is blocked because the developer has not met with the security guidelines implemented in Java 7 Update51.
It is in your best interest to contact developer or publisher of this application and let them know about the application being blocked. Also provide developers with these links that gives details about implementing secure practices in the code for the application.
- JAR File Manifest Attributes for Security
- Java SE 7 Security Documentation
- Secure Coding Guidelines for the Java Programming Language, Version 4.0
It is highly recommended not to run these kind of applications, however if you still want to run, run only if you understand risk and implications involved.
As a workaround, the user can use Exception Site list feature to run the applications blocked by security settings. By adding the URL of the blocked application to the Exception Site list allows it to run with some warnings.
Steps to Add URL to the Exception Site list:
- Go to the Java Control Panel (On Windows Click Start and then Configure Java)
- Click on the Security tab
- Click on the Edit Site List button
- Click the Add in the Exception Site List window
- Click in the empty field under Location field to enter the URL
( URL should begin with http:// or https://)
If the URL where the applet is hosted is different than the URL for the page on which the applet is called you need to add both the URL for the applet.
Example: For Yahoo games Checkers (This is just an example the host url can be different for depending on which host is serving the game), enter:
- http://www.games.yahoo.com and (This is the url for Yahoo games domain)
- http://yog36.games.sp2.yahoo.com (This is the url where game is the hosted and is shown in the dialog box for blocked application)
- Click OK to save the URL that you entered.
- Click Continue on the Security Warning dialog
Applications where this issue may be seen include:
Ebay and Paypal Shipping Label