Java Update 7u51 Security Issues

Java Update 7u51 has probably caused a lot of pain around the IT community. It introduces some new security requirements that many (if not most) Java applet providers are still not in compliance with. To bypass these requirements, you have to add the site to a new security exception list. Normally this is a configuration option stored in the user's LocalLow AppData folder:


This makes it a configuration change that would have to be made for every user profile on every machine in the environment, which is obviously a lot of work. Luckily, Oracle does provide an alternative means to configure this, via a system-wide configuration file.

Sadly, this option is not exactly straightforward: it involves the creation of three different config files. It is fairly well documented, but the formatting of these options contains some additional ‘gotchas’ in terms of what needs to be escaped in which file.

You first need to create the %windir%\Sun\Java\Deployment\deployment.config file. This file can contain only two options: deployment.system.config, which points to the location of the file that contains the rest of the configuration options, and deployment.system.config.mandatory, which determines whether this file can be overridden or not. Slashes and colons need to be escaped in this file. An example file:


Next a file needs to be created in whatever location the deployment.config file is pointing at. My initial ambition was to put this in a UNC location, but I was unable to deploy it in such a manner in my testing. If someone could chime in with the appropriate syntax for that, I’d be very grateful! Many settings can be customized in this file, but the one of importance for this example is which points to the location of the exception.sites file which lists sites to be exempted from the security settings. Slashes and colons again need to be escaped in this file. An example file:

\:\\WINDOWS\\Sun\\Java\\Deployment\\exception.sites

Lastly, you need to create the exception.sites file, or take it from a workstation where it has already been created. This file simply contains a list of sites (with protocol, but you do not have to list the full path), one per line, to be added to the exception list.

Now just distribute these files to the computers in your network. If the %windir%\Sun\Java\Deployment\ directory does not exist, create it. I have a template batch file I use for mass operations like this.
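
The three files described above can be rendered with a short script that applies the escaping in one place. This is an added example, not code from the original post. The property name deployment.user.security.exception.sites is the one Oracle's deployment documentation uses for the exception list location. The paths, the site URLs and the file:/// URL form for deployment.system.config are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values; substitute your own paths and sites.
PROPS_PATH = r"C:\WINDOWS\Sun\Java\Deployment\deployment.properties"
SITES_PATH = r"C:\WINDOWS\Sun\Java\Deployment\exception.sites"
SITES = ["https://apps.example.com", "http://intranet.example.local:8080"]

def escape_value(value):
    """Escape backslashes first, then colons, for a Java .properties value."""
    return value.replace("\\", "\\\\").replace(":", "\\:")

def unescape_value(value):
    """Simplified model of how Java reads a value back: a backslash makes the
    next character literal (tab, newline and unicode escapes are left out)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return "".join(out)

def render_deployment_config(props_path, mandatory=True):
    # Assumption: the properties file is referenced as a file:/// URL.
    url = "file:///" + props_path.replace("\\", "/")
    flag = "true" if mandatory else "false"
    return (f"deployment.system.config={escape_value(url)}\n"
            f"deployment.system.config.mandatory={flag}\n")

def render_deployment_properties(sites_path):
    return f"deployment.user.security.exception.sites={escape_value(sites_path)}\n"

def render_exception_sites(sites):
    """One site per line; reject entries that lack a protocol or host."""
    lines = []
    for site in sites:
        parts = urlsplit(site.strip())
        if not parts.scheme or not parts.netloc:
            raise ValueError(f"missing protocol or host: {site!r}")
        if site.strip() not in lines:
            lines.append(site.strip())
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for name, body in [("deployment.config", render_deployment_config(PROPS_PATH)),
                       ("deployment.properties", render_deployment_properties(SITES_PATH)),
                       ("exception.sites", render_exception_sites(SITES))]:
        print(f"--- {name} ---\n{body}", end="")
```

Passing an unescaped Windows path through unescape_value shows why the escaping matters: the backslashes are consumed and the path no longer points at the exception list. Since every entry in exception.sites is exempted from the new checks, keep the list limited to the sites that actually need it.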