Contents
As of the JDK 7u10 release, a user may control, via the Java Control Panel, the level of security that will be used when running Java apps in a browser. The user may select from four levels of security, including disabled, where no apps are allowed to run in the browser.
These security levels apply to running Java in the browser, which includes plugin applets, Java Web Start applications, embedded JavaFX applications, and access to the native deployment toolkit plugins. Setting the security level does not affect stand alone applications. Note that applets and these various types of applications are collectively referred to as apps or Java apps.
Before the browser plugin software attempts to run a Java app,
it verifies that the JRE version is at or above the security
baseline for that family and that the age of the JRE is recent. If
the JRE is determined to be below the security baseline, or if unable to verify the baseline that the current date is past the JRE Expiration Date, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to
java.com to download the latest release.
The JRE Expiration Date can be found in the release notes for JDK Update releases starting with JDK 7u21.
The JRE relies on periodic checks with an Oracle Server to determine if it (the JRE) is still considered up-to-date with all the available security fixes (above the security baseline). In the past, if the JRE was unable to contact the Oracle Server, it continued to behave as though it is still the most recent version with regard to security for an indefinite period.
To avoid this problem, a secondary mechanism, which does not rely on external communication, has been added to the JDK 7u10 release. From this release onwards all JREs will contain a hard-coded expiration date. The expiration date is calculated to end after the scheduled release of the next Critical Patch Update.
This means that JREs that are unable to contact Oracle Servers for an extended period of time, will now start offering additional protection after a reasonable period and will not continue to behave as if they were still up-to-date with security fixes.
For installations where the highest level of security is required, it is possible to entirely prevent all Java apps from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.
Note: These settings affect all browsers that use Oracle's Java browser plug-in. They do not affect desktop (also called stand alone) Java apps.
The Security tab of the Java Control Panel contains a Security Level slider that controls the behavior when attempting to run any app (either from the web or local). The user can select medium, high or very high security settings. The settings determine if an app is allowed to run and if so, the warnings you must accept before the app is launched. The warnings contain information about the signing status of the app, the location of the app, and whether the app is requesting enhanced permissions to run outside the security sandbox.
Unsigned apps that request enhanced permissions are not allowed to run, regardless of the Security Level setting. At the Very High setting, only apps signed with a valid certificate are allowed to run. For information on all security levels, see the Security section of the Java Control Panel documentation.
The default security level is High.
The ability to run applications is also affected by the settings of the Security Options for a Secure Execution Environment.
To select the behavior when attempting to run an app, there are several checkboxes available in the Java Control Panel (under the Advanced tab):
In the JDK 7u10 release, new arguments for command line installation support setting the security level for Java in the browser. Admin privileges are required to install the JRE. Note that, in the 7u10 timeframe, these arguments are available only on Microsoft Windows.
After installation of the JRE, verify the security level settings in the Java Control Panel.
This information also applies to untrusted apps that have signed trusted extensions, but not to signed trusted apps that have unsigned untrusted extensions. For more information, see Mixing Privileged Code and Sandbox Code.
