Pkafkas

asked on

To lower the Java Security level for internal web addresses

How can I lower the Java Security Rules for internal networks only?

Currently our users are needing to manually enter an internal web address in their Java Exception list.  I have been charged with trying to make the process more automatic for our users.  Specifically to allow all URLs for internal web addresses to allow the Java Applet.

I did find a way to create an Exception list for the computer:  https://community.spiceworks.com/how_to/123766-java-site-exceptions-list-and-certificates-for-all-users

but, this option takes away the user's ability to have their own list or to add the web sites that they want and the list will be managed by the local administrator.  Equally important, if I used the above-mentioned web page documentation then it will overwrite any Java exception list that the user already created.  We do not want to go that route.

Is there a way to allow internal web addresses to have a lower Java Security level than external web addresses?  To actually allow Java to be run on those internal web URLs.
masnrock
Is there a way to allow internal web addresses to have a lower Java Security level than external web addresses?  To actually allow Java to be run on those internal web URLs.
No, you have to spell out the URLs. And there is no mechanism for wildcards. Nor is there a setting for internal vs external.

Most ideal thing would be to reduce the dependency on Java, especially considering that JRE doesn't run in Chrome or Java.
Pkafkas

ASKER

What if I create a Deployment Rule Set?

https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/deployment_rules.html

I have never done this before and I am not sure how to create these rules or if it will work:

According to: https://www.cyber.gov.au/publications/mitigating-java-based-intrusions

"Using Deployment Rule Sets to whitelist Java applications
A security feature added in Oracle Java 7 Update 40 was ‘Deployment Rule Sets’. This feature allows administrators to whitelist Java applications based on attributes such as location, file hash or signature hash. "

According to: https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/deployment_rules.html

I am not sure if I can enter a location variable http://172.* to allow.  Has anyone ever created a DeploymentRuleSet.jar file before?

https://blogs.oracle.com/java-platform-group/introducing-deployment-rule-sets
Pkafkas

ASKER

This is an interesting concept:

Basically edit the 'exception.sites' in the \Users\username\AppData\LocalLow\Sun\Java\Deployment\security\ folder

According to: https://forums.servethehome.com/index.php?resources/script-to-defeat-java-application-blocked-issues.18/

1.  Create a Python script to type up exception rules for an entire subnet

https://www.servethehome.com/stop-java-application-blocked-entire-subnet/

2.  Then the blog says to replace the existing list with the new list version.
      a.  But if the users want to keep any other exceptions that are already entered in there... you may just want to add them manually.

I guess this will work; but, how can we edit the files automatically for new users and for existing users?


It appears that you either give the ability to the User to create/edit the exception list or to the computer.  The computer option will overwrite any existing entries; but, you cannot have both as what I am asking about.
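Added example, not part of the original thread or of the linked ServeTheHome script: one way to do what the post above asks, generating entries for an internal subnet and appending them to each user's existing `exception.sites` instead of replacing it. The function names, the 1024-host cap, the private-range check and the duplicate rule are assumptions of this example; a `Default` folder is processed like any other profile on the assumption that new profiles are copied from it.

```python
import ipaddress
from pathlib import Path

# Per-user list location under each profile folder, as given in the thread.
REL_PATH = Path("AppData/LocalLow/Sun/Java/Deployment/security/exception.sites")
MAX_HOSTS = 1024  # assumed cap so a typo like /8 cannot write millions of lines


def subnet_urls(cidr, schemes=("http", "https")):
    """Return one exception entry per host and scheme; private ranges only."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not net.is_private or net.num_addresses > MAX_HOSTS:
        raise ValueError(f"{cidr}: not a private subnet or larger than {MAX_HOSTS}")
    return [f"{s}://{host}" for host in net.hosts() for s in schemes]


def merge_entries(existing_text, new_urls):
    """Keep every existing line in order; append only URLs not already listed."""
    lines = [ln.strip() for ln in existing_text.splitlines() if ln.strip()]
    # Assumption: entries differing only by case or a trailing "/" are duplicates.
    seen = {ln.lower().rstrip("/") for ln in lines}
    for url in new_urls:
        key = url.lower().rstrip("/")
        if key not in seen:
            seen.add(key)
            lines.append(url)
    return lines


def update_profile(profile_dir, new_urls):
    """Merge new_urls into one profile's exception.sites; return entries added."""
    target = Path(profile_dir) / REL_PATH
    old = target.read_text(encoding="utf-8") if target.exists() else ""
    kept = sum(1 for ln in old.splitlines() if ln.strip())
    merged = merge_entries(old, new_urls)
    if len(merged) > kept:  # rewrite only when something new was appended
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("\n".join(merged) + "\n", encoding="utf-8")
    return len(merged) - kept


def update_all_profiles(users_root, new_urls, skip=("Public", "All Users", "Default User")):
    """Run the merge for every profile folder under users_root (e.g. C:\\Users)."""
    return {p.name: update_profile(p, new_urls)
            for p in sorted(Path(users_root).iterdir())
            if p.is_dir() and p.name not in skip}
```

Running it a second time adds nothing, so it can be scheduled (for example as a logon or startup task) without growing the files; passing `schemes=("https",)` keeps the list to HTTPS entries only.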