Over the last year, many new security related features have been implemented. Many of those features have been related to browser plugins for applets and web start applications (RIAs). A number of end users and software vendors have asked for more ways to configure their environment and use of applications.
The Exception Site List is a way for end-users to control their own application whitelist and continue using RIAs that could not be timely updated to follow previously announced security requirements. The Exception Site List provides a way to continue using a RIA but is not intended as a way to remove all warnings for the user. End-users will still see important prompts, but those prompts will no longer block.
The introduction of the Exception Site List creates a second way for whitelisting RIAs and decreases requirements for system administrators.
| || Exception Site List ||Deployment Rule Set |
|Introduced|| Java 7 update 51 (January 2014) ||Java 7 update 40 (September 2013) |
| Intended for ||End-user||System Administrator |
| Formatted as ||Plain-text||Signed JAR file |
| If the two conflict with each-other ||Loses||Wins |
For standard policy enforcement, some system administrators may lock down usage of the Exception Site List as they would with any other control panel setting.
Developers looking to test their applications in advance of 7u51 and use the Exception Site List can download early access of Java 7 update 60 over at the JDK 7 website. That website is the easiest way for developers to get early access of releases.
End-users can access the Exception Site List from the Java control panel.
Update Jan 22: The Exception Site List is intended for end-users to create their own whitelist. If you are a System Administrator managing this across many machines, you will find the Deployment Rule Set much easier. Group Policy efforts are better used behind distributing a Deployment Rule Set. You can self-sign a DRS.
The Exception Site List is aimed towards end-users controlling their own Exception Site List.
The file controlling the Exception Site List is stored in the user’s deployment location as described in the deployment configuration. On my Windows 7 laptop, this location is C:\Users\ecostlow\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
The format is one site per line.
As changes are introduced, technical support representatives are usually asked for details. We will be creating a technical support note that can be downloaded and tweaked to help communicate this change to your customers. It is essentially a trimmed down version of this blog post with a stronger How-To message.
Update on Jan 14 2014: Here are the end-user instructions for using the Exception Site List. Otherwise if you need something more customizable, here is a sample Exception Site List support note. This is a docx file but it may appear as a zip.