
Blacklist Jar Feature

Support for blacklisting signed jar files has been added to 6u14. A blacklist is a list of signed jars that contain serious security vulnerabilities that can be exploited by untrusted applets or applications. A system-wide blacklist will be distributed with each JRE release. Java Plugin and Web Start will consult this blacklist and refuse to load any class or resource contained in a jar file that's on the blacklist. By default, blacklist checking is enabled. The deployment.security.blacklist.check deployment configuration property can be used to toggle this behavior. The blacklist file is updated using the property deployment.blacklist.url which defaults to https://javadl-esd-secure.oracle.com/update/blacklist.

The blacklist entries are the union of the blacklist files pointed to by the deployment.system.security.blacklist and deployment.user.security.blacklist properties. By default, deployment.system.security.blacklist points to the blacklist file in the jre/lib/security directory, and deployment.user.security.blacklist points to a blacklist file that contains additional entries added by a user.

The blacklist is a text file with the following format:

    attribute : value

Each jar file on the blacklist is identified by the x-Digest-Manifest attribute where x is the name of the MessageDigest algorithm, and the value is the base64 encoded hash value of the Manifest. Comments are denoted by lines starting with the # (number) symbol.

Here is an example:

    # Buggy Utilities, version 1.0
    SHA1-Digest-Manifest : QONXbQg+EtNOguIOAgpUUOadhv8=
    # Malware Inc., version 99.99
    SHA-256-Digest-Manifest : SewaudBCZ3iXt1KX0BeFHpQiiM1xYLtvLw3Ow2RJfcs=
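To audit jar files against a blacklist in this format, the following added example (not Oracle's code) parses the entries and compares them with a jar's manifest digest. It assumes the digest is taken over the raw bytes of META-INF/MANIFEST.MF; the function names and the in-memory sample jar are constructed for illustration.

```python
import base64, hashlib, io, zipfile

SUFFIX = "-Digest-Manifest"

def parse_blacklist(text):
    """Return the set of (algorithm, base64 digest) pairs in a blacklist file."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        attr, sep, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if sep and attr.endswith(SUFFIX) and value:
            entries.add((attr[:-len(SUFFIX)], value))
    return entries

def manifest_digest(jar_bytes, algorithm):
    """Base64 digest of the jar's manifest, or None if it cannot be computed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            # Assumption: the digest covers the raw manifest bytes.
            manifest = jar.read("META-INF/MANIFEST.MF")
        except KeyError:                           # jar has no manifest
            return None
    try:
        # MessageDigest names such as "SHA-256" map to hashlib's "sha256".
        h = hashlib.new(algorithm.lower().replace("-", ""), manifest)
    except ValueError:                             # algorithm unknown to hashlib
        return None
    return base64.b64encode(h.digest()).decode("ascii")

def is_blacklisted(jar_bytes, entries):
    """True if any blacklist entry matches the jar's manifest digest."""
    return any(manifest_digest(jar_bytes, alg) == d for alg, d in entries)

def make_jar(manifest_text):
    """Build a constructed in-memory jar holding only a manifest (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

if __name__ == "__main__":
    flagged = make_jar("Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n")
    system = "# constructed entry\nSHA-256-Digest-Manifest : %s\n" % manifest_digest(flagged, "SHA-256")
    user = "# user file with no entries\n"
    entries = parse_blacklist(system) | parse_blacklist(user)   # union of both files
    print(is_blacklisted(flagged, entries))
```

The set union in the last lines mirrors how the system and user blacklist files are combined into one list of entries.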

Copyright © 1993, 2020, Oracle and/or its affiliates. All rights reserved.