Support for blacklisting signed jar files has been added to 6u14. A blacklist is a
list of signed jars that contain serious security vulnerabilities that can be
exploited by untrusted applets or applications. A system-wide blacklist will be
distributed with each JRE release. Java Plugin and Web Start will consult this
blacklist and refuse to load any class or resource contained in a jar file that's
on the blacklist. By default, blacklist checking is enabled. The
deployment.security.blacklist.check deployment configuration property
can be used to toggle this behavior. The blacklist is updated using the property
deployment.blacklist.url which defaults to https://javadl-esd-secure.oracle.com/update/blacklist.
The blacklist entries are the union of the blacklist files pointed to by the
deployment.system.security.blacklist and
deployment.user.security.blacklist properties. By default,
deployment.system.security.blacklist points to the
blacklist file in the jre/lib/security directory,
and deployment.user.security.blacklist points to a blacklist file
that contains additional entries added by a user.
The blacklist is a text file with the following format:
attribute : value
Each jar file on the blacklist is identified by the
x-Digest-Manifest attribute where
x is the name of the
MessageDigest algorithm, and the value is the base64 encoded
hash value of the Manifest. Comments are denoted by lines starting with
the # (number) symbol.
Here is an example:
# Buggy Utilities, version 1.0
SHA1-Digest-Manifest : QONXbQg+EtNOguIOAgpUUOadhv8=
# Malware Inc., version 99.99
SHA-256-Digest-Manifest : SewaudBCZ3iXt1KX0BeFHpQiiM1xYLtvLw3Ow2RJfcs=
