Allowing unsigned Java applications on all sites

Java stopped running unsigned applications one day.

Your security settings have blocked an untrusted application from running.

Java security useless error message

The documentation states that I can add a site to an exception list to get around this problem. However, I am trying to run a Java applet for WebSDR usage, and there are many sites with many applets needed. It's a real hassle to have to do this, especially when I'm using Chrome and it already prompts me before running Java at all.

Java has become almost completely useless to me, and I'd like to fix that by toning down the security a bit. Is it possible to either disable the blocking of unsigned apps, or add a wildcard of URLs to the exception list? I've tried adding * or http://, but the "Configure Java" panel won't except either of these.

Brad

Posted 2014-02-12T03:04:49.690

Reputation: 4 459

besides the Java problem: the SDR receiver mentioned in your screenshot and many other using the same software now have a HTML5 mode that does not require Java! Tried with the latest Firefox and runs perfectly. I guess it also works in Chrome. – Ale – 2014-12-17T21:53:50.290

@Ale Yeah, I've used it. It's good stuff! Unfortunately, not all of the hosts use the HTML5 version. – Brad – 2014-12-17T21:55:13.027

@Brad and do you still the java unsigned applet problem or is it solved meanwhile? – Ale – 2014-12-17T22:02:17.330

@Ale With the remaining SDR sites on Java, I am able to use them by adding each site individually. I'm still prompted for each part of the application, but at least it works. – Brad – 2014-12-17T22:04:43.180

Another option is to define deployment rules or deployment.properties. https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/properties.html http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

– None – 2015-06-05T15:21:38.443

This can be controlled by the Java Control Panel Applet. You will require administrator rights to change the setting. – Ramhound – 2014-02-12T03:35:17.477

@Ramhound I have used that applet, and there is no setting on it I can find to allow unsigned apps. – Brad – 2014-02-12T13:39:11.827

Answers

Java 8u25

Warning: These settings expose security vulnerabilities known to Java. Not for the the average user.

I was having a lot of tools blocked by Java. I set the options below and then added to the site exception list. I was then able to run all of my older applets that were previously blocked after a browser restart.

Advanced:

**JNLP File/MIME Association - Always allow

**Secure Execution Environment - Uncheck Show sandbox warning banner, uncheck warn if site certificate does not match hostname, uncheck show site certificate from server even if it is valid

**Mixed code - Disable verification

**Perform certificate revocation checks on - Do not check

**Advanced Security Settings - Uncheck enable blacklist revocation check

Security:

**Add the site to Security tab > edit site list > add button > type URL or IP.

sunkenruin

Posted 2014-02-12T03:04:49.690

Reputation: 101

Where did you get this information seems strange you provide no context almost like your just copying and pasting fron some source, even if I overlook that problem, the formatting could be improved – Ramhound – 2014-12-17T21:47:16.157

1Did this work for you though? – sunkenruin – 2014-12-19T16:42:45.943

This worked for me when nothing else did! Thanks, this solved a huge problem! – AresAvatar – 2015-01-19T23:21:35.643

Thank goodness for stackexchange, this was blocking me from doing my homework. +1. – ApproachingDarknessFish – 2015-10-27T01:57:13.183

Doesn't work. Why do we even have this plugin if we can't use it. I keep it completely disabled except in the rare instance that I need to use it and I can't. Absolutely useless. I will never use any sun java for any commercial application ever. – mchid – 2016-11-06T23:03:10.523

I had issues with running an app signed with MD5 with RSA. I found the following solution worked for me:

From https://forums.freenas.org/index.php?threads/psa-java-8-update-131-breaks-asrocks-ipmi-virtual-console.53911/:

all applications signed by MD5withRSA are now treated by "unapproved"

but luckily you can quickly override this by updating C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\java.security

For MACOS X /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security

OR

/Library/Java/JavaVirtualMachines/jdk1.8.0_131.jdk/Contents/Home/jre/lib/security/java.security

i've opened java.security file with notepad and made next few changes (removed MD5 exclusion):

jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \ EC keySize < 224

jdk.tls.legacyAlgorithms= \ K_NULL, C_NULL, M_NULL, \ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ DH_RSA_EXPORT, RSA_EXPORT, \ DH_anon, ECDH_anon, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \ 3DES_EDE_CBC, \ SSL_RSA_WITH_RC4_128_MD5

ig.secureValidationPolicy=\ disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\ maxTransforms 5,\ maxReferences 30,\ disallowReferenceUriSchemes file http https,\ minKeySize RSA 1024,\ minKeySize DSA 1024,\ noDuplicateIds,\ noRetrievalMethodLoops

VoteCoffee

Posted 2014-02-12T03:04:49.690

Reputation: 164

[Doesn't work in Java 8+]

Go to the Java Control Panel. In the Security Tab put the security to Medium and if the applet is not signed but doesn't require full permissions it should run. If it needs full permissions. This will prompt you for continuing. See details here: http://www.java.com/en/download/help/jcp_security.xml

As for Chrome if you enter in chrome://plugins under Java plugin settings you can also set "always allow" not to see the prompt.

fede.evol

Posted 2014-02-12T03:04:49.690

Reputation: 1 718

4Medium was removed in Java 8. Any workaround? – Quantum7 – 2014-11-04T12:15:23.883

3How damn annoying. Java disallows me to run software, eventhough I trust it. – Christophe De Troyer – 2014-11-27T21:23:56.120

I tried "medium", but the app must be requesting full permissions as I still get prompted. – Brad – 2014-02-12T13:37:44.867

Right...The prompts are by design at that level of security – Ramhound – 2014-02-12T13:45:17.430

If you continue to receive this error after adding the site to the exceptions list of the Java control panel, try editing [JRE install directory]\lib\security\java.policy

Inside the grant block, add

permission java.net.SocketPermission "192.168.50.116:5900", "connect,resolve";

Substitute your host/IP and port.

silent tone

Posted 2014-02-12T03:04:49.690

Reputation: 131

To edit it, are you just talking about a plain text file, or using a special program? – Canadian Luke – 2015-01-13T23:38:12.623

You can edit the exception site list in a text editor (eg Notepad++). I used Excel to auto-fill a range (eg https://192.168.1.1 -> https://192.168.1.255). I then copied and pasted this into the exception.sites file.

C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites

The exceptions then show up in the Java Control Panel exception list.

KERR

Posted 2014-02-12T03:04:49.690

Reputation: 329