Java Rich Internet Applications Guide > Security > Exception Site List
This page includes the following topics:
The Exception Site List feature provides a way for users to run Rich Internet Applications (RIAs) that otherwise would be blocked by security checks. The criteria used to determine if RIAs are allowed to run are becoming stricter. In some cases it might be difficult to update legacy RIAs to meet the security requirements and prevent them from being blocked. This feature enables users to continue to run these RIAs.
The exception site list contains URLs for sites that host RIAs that users want to run. RIAs that are launched from sites in the exception site list are allowed to run with the appropriate security prompts, even in the following circumstances, which would normally cause the RIA to be blocked:
The exception site list also allows JavaScript code to call Java code (LiveConnect) without prompting the user for permission when the JavaScript code and the Java code are located on a site in the list.
Note: If an active deployment rule set is installed on the system, the deployment rules take precedence over the exception site list. The exception site list is considered only when the default rule applies. See Deployment Rule Set for information about deployment rules.
The exceptions granted by the Exception Site List feature apply to RIAs whose entry point is included in the list:
If the RIA requires resources from another domain, that domain must also be included in the exception site list. Otherwise, the RIA is blocked when the additional resource is accessed.
The exception site list is managed in the Security tab of the Java Control Panel. The list is shown in the tab. To add, edit, or remove items from the list, click Edit Site List and follow the directions in Add a URL, Edit a URL, and Remove a URL.
To add a URL to the exception site list, follow these steps:
The following rules apply to the format of the URL:
A protocol is required.
Supported protocols are FILE
, HTTP
, and HTTPS
. HTTPS
is recommended. If the protocol is not HTTPS
, a warning is shown. Click Continue to add the URL, or click Cancel to discard the URL.
A domain is required.
Wildcards are not supported. If only a domain is provided, any RIA from that domain is allowed to run. A domain can have multiple entries, for example, https://www.example.com
and http://www.example.com
.
A port number is required only if the default port is not used.
A path is optional.
Wildcards are not supported. If the path ends with a slash (/), for example, https://www.example.com/apps/
, RIAs in that directory and any subdirectory are allowed to run. If the path does not end with a slash, for example, http://www.example.com/test/applet.html
, only that specific RIA is allowed to run.
Only add a site to the exception site list if you trust the entire site. Even if a path is specified, adding a site that might contain other untrusted paths could present a security risk and is not recommended.
If an invalid URL is entered, an error icon is shown next to the item. If the URL is not corrected before OK is clicked, the invalid URL is not saved.
To edit a URL in the exception site list, follow these steps:
To remove a URL from the exception site list, follow these steps:
The location of the exception site list is set in the deployment.user.security.exception.sites
property. The default location is <deployment.user.home>/security/exception.sites
. See Deployment Configuration Properties for information on properties and property files.
Users can manage a list on their system, or use a list managed by a system administrator in a central location. If a system administrator does not want users to edit the exception site list, the deployment.user.security.exception.sites
property can be set to a file for which users do not have write permission. If a user cannot write to the exception site list, the list is shown in the Java Control Panel, but the controls for editing are not available in the Exception Site List window.