
To lower the Java Security level for internal web addresses

How can I lower the Java Security Rules for internal networks only?

Currently our users need to manually enter an internal web address in their Java exception list. I have been charged with trying to make the process more automatic for our users, specifically to allow the Java applet on all URLs for internal web addresses.

I did find a way to create an Exception list for the computer:  https://community.spiceworks.com/how_to/123766-java-site-exceptions-list-and-certificates-for-all-users

But this option takes away the user's ability to have their own list or to add the websites they want, and the list will be managed by the local administrator. Equally important, if I used the above-mentioned web page's documentation, it would overwrite any Java exception list that the user already created. We do not want to go that route.

Is there a way to allow internal web addresses to have a lower Java Security level than external web addresses? To actually allow Java to be run on those internal web URLs.

Distinguished Expert 2019

Commented:
Is there a way to allow internal web addresses to have a lower Java Security level than external web addresses? To actually allow Java to be run on those internal web URLs.
No, you have to spell out the URLs. And there is no mechanism for wildcards. Nor is there a setting for internal vs external.

The ideal thing would be to reduce the dependency on Java, especially considering that the JRE doesn't run in Chrome or Java.
Pkafkas, Network Engineer

Author

Commented:
What if I create a Deployment Rule Set?

https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/deployment_rules.html

I have never done this before and I am not sure how to create these rules or if it will work:

According to: https://www.cyber.gov.au/publications/mitigating-java-based-intrusions

"Using Deployment Rule Sets to whitelist Java applications
A security feature added in Oracle Java 7 Update 40 was ‘Deployment Rule Sets’. This feature allows administrators to whitelist Java applications based on attributes such as location, file hash or signature hash."

According to: https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/deployment_rules.html

I am not sure if I can enter a location variable http://172.* to allow.  Has anyone ever created a DeploymentRuleSet.jar file before?

https://blogs.oracle.com/java-platform-group/introducing-deployment-rule-sets
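As an added illustration of the Deployment Rule Set approach (this is example code, not from the thread or from Oracle's documentation): the script below generates a ruleset.xml that runs RIAs from an explicit list of internal locations and blocks everything else. It checks each location against the rule quoted from Oracle's docs, that the only wildcard form is a leading "*." host-name prefix, so a value like http://172.* is rejected. The host names and the block message are constructed; packaging the XML into DeploymentRuleSet.jar and signing it with a certificate the clients trust is a separate step not shown here.

```python
# Added example: build a Deployment Rule Set (ruleset.xml) with an explicit
# allowlist and a catch-all block rule. Not code from the thread or Oracle.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET


def is_valid_location(loc):
    """True if loc is something DRS can match: a full URL with an exact host,
    or a host that starts with '*.' followed by a domain. Anything else that
    contains '*' (e.g. 'http://172.*' or a bare '*') is not expressible."""
    parts = urlsplit(loc)
    host = parts.hostname or ""
    if not parts.scheme or not host:
        return False
    if "*" in loc:
        # exactly one wildcard, and only as the leading "*." of the host name
        return loc.count("*") == 1 and host.startswith("*.") and len(host) > 2
    return True


def build_ruleset(allowed, message="Blocked by corporate policy."):
    """Return ruleset.xml text: one 'run' rule per allowed location, then a
    catch-all 'block' rule. Rules are evaluated in order; first match wins,
    so the empty <id/> rule must come last."""
    bad = [loc for loc in allowed if not is_valid_location(loc)]
    if bad:
        raise ValueError("locations a DRS cannot express: %s" % bad)
    root = ET.Element("ruleset", version="1.0+")
    for loc in allowed:
        rule = ET.SubElement(root, "rule")
        ET.SubElement(rule, "id", location=loc)
        ET.SubElement(rule, "action", permission="run")
    catch_all = ET.SubElement(root, "rule")
    ET.SubElement(catch_all, "id")  # empty id matches every RIA
    action = ET.SubElement(catch_all, "action", permission="block")
    ET.SubElement(action, "message").text = message
    return ET.tostring(root, encoding="unicode")


def rule_count(xml_text):
    """Number of <rule> elements in a generated ruleset (allowed + catch-all)."""
    return len(ET.fromstring(xml_text).findall("rule"))


if __name__ == "__main__":
    # constructed internal hosts; the second shows the only legal wildcard form
    print(build_ruleset(["https://intranet.example.com",
                         "https://*.corp.example.com:8443"]))
```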
Pkafkas, Network Engineer

Author

Commented:
This is an interesting concept:

Basically edit the 'exception.sites' in the \Users\username\AppData\LocalLow\Sun\Java\Deployment\security\ folder

According to: https://forums.servethehome.com/index.php?resources/script-to-defeat-java-application-blocked-issues.18/

1.  Create a Python script to type up exception rules for an entire subnet

https://www.servethehome.com/stop-java-application-blocked-entire-subnet/

2.  Then the blog says to replace the existing list with the new list version.
      a.  But if the users want to keep any other exceptions that are already entered in there... you may just want to add them manually.

I guess this will work; but, how can we edit the files automatically for new users and for existing users?

It appears that you either give the ability to the User to create/edit the exception list or to the computer.  The computer option will overwrite any existing entries; but, you cannot have both as what I am asking about.
Distinguished Expert 2019
Commented:
I am not sure if I can enter a location variable http://172.* to allow.
Short answer to your question is no. You could use wildcards in a subdomain type scenario. That doesn't work for IP addresses. Straight from Oracle Java 7 documentation: "The host name can start with an asterisk followed by a dot (*.), which then matches any host that ends with the string provided after the dot. For example, *.example.com matches host.example.com and host.test.example.com. The host name cannot be just an asterisk." Besides, very dangerous idea. Also, not all IP addresses that start with 172 are private.

Create a python script to type up exception rules for an entire subnet
I presume you also read the acknowledgement of risks in doing that. If exceptions have to get made, you should allow no more than necessary. I doubt the entire local network runs Java in a server sense. If it did, that's a major red flag. Straight from the exact link you refer to regarding the Python route:
"Warning and Disclaimer
To be clear, this will effectively disable a security feature on entire networks. Please do use this with care. We are not responsible if disabling your security settings results in some sort of malware or data loss. Use at your own risk and edit as necessary for your own needs and organization's security policies."

a.  But if the users want to keep any other exceptions that are already entered in there... you may just want to add them manually.
You'd have to keep a copy of the existing and merge the files somehow.

It appears that you either give the ability to the User to create/edit the exception list or to the computer.  The computer option will overwrite any existing entries; but, you cannot have both as what I am asking about.
Precisely. You have to choose.
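One way to do the "keep a copy of the existing and merge" step from the reply above, as an added example that is not the linked servethehome script or anything from this thread: the function below reads a user's exception.sites, keeps every entry the user already had, appends only the admin-managed entries that are missing, and refuses wildcard entries, since the Exception Site List takes explicit URLs only. The file path is the per-user LocalLow location named earlier in the thread, built from the USERPROFILE variable; the sample entries are constructed.

```python
# Added example: additive merge of a managed site list into a user's
# exception.sites, without overwriting the user's own entries.
import os
from pathlib import Path

# Per-user Exception Site List location cited in the thread (Windows).
USER_SITES = (Path(os.environ.get("USERPROFILE", ".")) / "AppData" / "LocalLow"
              / "Sun" / "Java" / "Deployment" / "security" / "exception.sites")


def parse_sites(text):
    """exception.sites holds one URL per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unsupported_entries(entries):
    """Entries the Exception Site List cannot express: anything with '*'."""
    return [u for u in entries if "*" in u]


def merge_sites(existing, managed):
    """User entries first, in their original order, then managed entries that
    are not already present. Exact-string comparison, so 'http://h' and
    'http://h/' are treated as distinct, as Java does."""
    bad = unsupported_entries(managed)
    if bad:
        raise ValueError("wildcards are not supported in exception.sites: %s" % bad)
    seen = set(existing)
    merged = list(existing)
    for url in managed:
        if url not in seen:
            merged.append(url)
            seen.add(url)
    return merged


def merge_into_file(path, managed):
    """Read the user's list (if any), merge, write back, return the result.
    Creates the file and its folders on first run for a new user profile."""
    existing = parse_sites(path.read_text(encoding="utf-8")) if path.exists() else []
    merged = merge_sites(existing, managed)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("\n".join(merged) + "\n", encoding="utf-8")
    return merged


if __name__ == "__main__":
    # constructed managed list: explicit internal URLs only, no subnet wildcards
    managed = ["https://intranet.example.com", "http://10.0.0.5:8080/app"]
    print(merge_into_file(USER_SITES, managed))
```

Run it per user (for example from a logon script) so each profile's own additions survive; only the managed entries are appended.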