Blacklist Jar Feature

Support for blacklisting signed jar files has been added to 6u14. A blacklist is a list of signed jars that contain serious security vulnerabilities that can be exploited by untrusted applets or applications. A system-wide blacklist will be distributed with each JRE release. Java Plugin and Web Start will consult this blacklist and refuse to load any class or resource contained in a jar file that's on the blacklist. By default, blacklist checking is enabled. The deployment.security.blacklist.check deployment configuration property can be used to toggle this behavior. The blacklist is updated using the property deployment.blacklist.url which defaults to https://javadl-esd-secure.oracle.com/update/blacklist.

The blacklist entries are the union of the blacklist files pointed to by the deployment.system.security.blacklist and deployment.user.security.blacklist properties. By default, deployment.system.security.blacklist points to the blacklist file in the jre/lib/security directory, and deployment.user.security.blacklist points to a blacklist file that contains additional entries added by a user.

The blacklist is a text file with the following format:

    attribute : value

Each jar file on the blacklist is identified by the x-Digest-Manifest attribute where x is the name of the MessageDigest algorithm, and the value is the base64 encoded hash value of the Manifest. Comments are denoted by lines starting with the # (number) symbol.

Here is an example:

    # Buggy Utilities, version 1.0
    SHA1-Digest-Manifest : QONXbQg+EtNOguIOAgpUUOadhv8=
    # Malware Inc., version 99.99
    SHA-256-Digest-Manifest : SewaudBCZ3iXt1KX0BeFHpQiiM1xYLtvLw3Ow2RJfcs=

Copyright © 1993, 2014, Oracle and/or its affiliates. All rights reserved.