11
votes

To protect our users from malicious applets I wanted to disable the Java browser plug-in.

In a test (JRE 7) I noticed that deactivating the plug-in also disables Java Web Start. We need to use one Web Start application, so it seems that we have no choice but to keep the browser plug-in enabled.

Is this correct, or is there a way to use Web Start without enabling the browser plug-ins?


Test steps:

error box

Its message translates to

This application could not be downloaded because Java over Internet is deactivated. You can activate Java on this system over the Java Control Panel

I have not seen an option to activate "Java over Internet" in the Java Control Panel. When I enable the browser plug-in, the Java Web Start application can be launched.

The same error message appears if I execute a local copy of the JNLP file

javaws <path to local jnlp file>

The jnlp file (slightly cleaned up):

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://example.com/path/to/" href="webstartapp.jnlp">
    <information>
        <title>...</title>
        <vendor>...</vendor>
        <homepage href="..." />
        <description>...</description>
        <description kind="short">...</description>
        <description kind="tooltip">...</description>
        <offline-allowed />
    </information>
    <security>
        <all-permissions />
    </security>
    <resources>
        <j2se version="1.7+" initial-heap-size="128m" max-heap-size="256m" />
        <jar href="Client/lib/Launcher.jar" main="true" />
    </resources>
    <application-desc main-class="com.veda.launcher.Start">
        <argument>...</argument>
        <argument>*</argument>
    </application-desc>
</jnlp>
4
Is the Java webstart hosted as a JNLP that can be downloaded and executed independent of the browser? That does not require an enabled Java plugin. - ring bearer
@ringbearer see my edit and the jnlp file, it looks like offline execution is permitted - mjn
@mjn so if you can download the jnlp separately then it won't be executed in the context of the browser, so you don't need the plug-in to be activated. This has nothing to do with offline execution though. - Willi Mentzel
@haywire the same error message appears when I execute javaws <path to local jnlp file> - mjn

4 Answers

7
votes

AFAIK, the "Enable Java content in the browser" checkbox on the Security tab of the Java Control Panel is controlling BOTH applets and web start. Indeed, on Mac, the equivalent checkbox is called "Enable applet plug-in and Web Start applications".

Therefore, it's unlikely that you can accomplish this via the Java Control Panel. However, you might be able to leave the global Java setting ON in the Control Panel and disable Java individually in each browser.

2
votes

Try this Link here which talks of running a jnlp file outside a browser. You need java to run a jnlp file and since you have disabled the java plugin in browser, it may not run the app from browser.

1
votes

It seems that there is a more fine-grained option than to allow Java being executed in a browser context and relying on every browser disabling Java separately:

Java Deployment Rules let you specify to the Java runtime which URLs Java should be allowed to execute code from. This way, you don't have to care how the users have their browsers configured. Java Deployment Rules seem to be the "managed" counterpart (think: group policy) to the Exception Site List that you can see in msj121's answer.

To me, this seems to be the most secure option, since you can centrally define that only the URL of the one JWS application you mentioned may be executed, and all other JWS applications or applets will be blocked.
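
A sketch of the rule set this answer describes, added here as an illustration and not part of the original answer: it allows only the one Web Start application and blocks every other applet or JNLP launch. The `location` value is an assumption that mirrors the `codebase` of the JNLP file in the question, and the block message is constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: Deployment Rule Set (supported from Java 7u40 onwards).
     Rules are evaluated top to bottom; the first matching rule decides. -->
<ruleset version="1.0+">

  <!-- Allow the single Web Start application we depend on.
       The location is assumed from the codebase in the question's JNLP
       (https://example.com/path/to/); replace it with the real URL. -->
  <rule>
    <id location="https://example.com/path/to/" />
    <action permission="run" />
  </rule>

  <!-- Catch-all: an empty <id /> matches every other applet and
       Web Start application, which is then blocked with a message. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by company policy. Contact the help desk if you need this application.</message>
    </action>
  </rule>

</ruleset>
```

The file has to be packaged as `ruleset.xml` at the root of a JAR named `DeploymentRuleSet.jar`, signed with a certificate the clients trust, and installed in the system-wide Java deployment directory. Because the catch-all rule blocks everything that is not listed, test it against the one required application before rolling it out.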

0
votes

Yes, I understand the checkbox does affect both plugins and webstart.

Two options I see:

  1. You can see that you can increase the security permissions to try and make sure malicious software can't be run though by having certificates. Select Very High, and if you need your code to ever run in the browser add it to the exception list.

  2. Change each browser to deny java in browser individually. Though this won't work for IE as far as I know.

Disable the Java content in the browser

Internet Explorer

The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel as noted above.

Chrome

Click on the Chrome menu, and then select Settings.
At the bottom of Settings window, click Show advanced settings.
Scroll down to the Privacy section and click on Content Settings.
In the Content Settings panel, scroll down to the Plug-ins section.
Under the Plug-ins section, click Disable individual plug-ins.
In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
Close and restart the browser to enable the changes.
Note: Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.

Firefox

From the Firefox menu, select Tools, then click the Add-ons option
In the Add-ons Manager window, select Plugins
Click Java (TM) Platform plugin to select it
Click Disable (if the button displays Enable then Java is already disabled)

Safari

Choose Safari Preferences
Choose the Security option
Select Allow Plug-ins, then click on Manage Website Settings
Click on the Java item, select Block from the pulldown list When visiting other websites
Click Done, then close the Safari Preferences window

Changing the preferences system wide for java in browser:


  1. In the Java Control Panel, click the Security tab.
  2. Select the option Enable Java content in the browser.
  3. Click Apply and then OK to confirm the changes.
  4. Restart the browser to enable the changes.