Allowing unsigned Java applications on all sites

Reference How do I control when an untrusted applet or application runs in my web browser? :

Starting with Java 8 Update 20, the Medium security level has been removed from the Java Control Panel. Only High and Very High levels are available.

The exception site list provides users with the option of allowing the same applets that would have been allowed by selecting the Medium option but on a site-by-site basis therefore minimizing the risk of using more permissive settings.

You may have to restart your browser for the settings to take effect.

From Oracle.com » Exception Site List

Wildcards are not supported. If only a domain is provided, any RIA from that domain is allowed to run. A domain can have multiple entries, for example, https://www.example.com and http://www.example.com.

A port number is required only if the default port is not used.

This means you are correct that there is no other way then adding each site:port one by one.

But you can use a deployment rule set

I'll summarize the steps but you have to read the full guide anyway

1. Create an ANSI encoded text file and name it ruleset.xml

2. Build your content and add any site:port you need. It seems wildcards are allowed here.

   <ruleset version="1.0+">
           <rule>
           <id location="http://1.1.1.1:*" />
           <action permission="run" />
       </rule>
       <rule>
           <id />
           <action permission="block" />
       </rule>
   </ruleset>
   

3. Download the Java JDK, copy the ruleset.xml file to the bin folder of the JDK install location, where the jar.exe file is.

4. Open a command prompt and cd to the location of jar.exe and ruleset.xml. Type in this command:

   jar -cvf DeploymentRuleSet.jar ruleset.xml
   

5. Now you need to sign the deployment ruleset. For that, you need a java keystore with a cert in it that is trusted on your computer.

   One way to generate a keystore is to use keytool.exe which is in C:\Program Files\Java\jre6\bin together with this command

   keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

   To extract the certificate from the keystore, use

   keytool -exportcert -keystore keystore.jks -alias selfsigned -file Cert.cer
   

   And then you can install this cert into the trusted root CA (Guide)

6. If your certificate has an extension of .pfx, just rename it to .p12

7. Use keytool to import the .p12 file

   Keytool -importkeystore -deststorepass password -destkeystore Keystore.jks -srcKeystore Cert.p12 -srcstoretype pkcs12 -srcstorepass password

   You’ll want to change the -srcstorepass to the password of your certificate

   You should get something that says "Entry for alias…". After the word alias is the alias of the keystore, which you will need. (long GUID)

8. Now that you have a keystore with a trusted certificate in it, you can use that to sign the jar file.

   To do this, open a command prompt in the jdk bin folder and type:

   jarsigner -verbose -keystore keystore.jks -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar selfsigned

   Change "selfsigned" to the alias you had from step 7

9. Now, put the DeploymentRuleSet.jar file in one of these directories:

   • Windows: c:\Windows\Sun\Java\Deployment.
   • Mac, Linux, Unix: /etc/.java/deployment

That's it. Easy, huh?

You can verify if the DeploymentRuleSet is in place by going to the Java console in control panel and clicking the security tab. Click on “View the active Deployment Rule Set”

Sources

• http://ephingadmin.com/administering-java/
• http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

Please note that

If an active deployment rule set is installed on the system, the deployment rules take precedence over the exception site list.

^Source