Reputation: 33
I have a very special question that might not apply to a lot of users - sorry!
We run some climate controlling devices which offer a web-based administration frontend utilizing Java. These devices are a couple of years old and support for them has expired. The system running the browser (Firefox 31.3.0) is a CentOS 6.5 Kernel 2.6.32 x86_64. The entire network is private. The browser is exclusively used just to administrate the climate controllers. We had to update to this OS version some time ago and it came with Java 1.7.0_71. (Java 1.6 was installed before.)
Now, every time we open the administration page of one of the devices, a security warning pops up, asking if the application should be executed. It also says that unsafe applets will be blocked completely in the future.
I managed to get rid of some other really annoying dialogs by setting security levels as low as possible in the Java Control Panel, but I found no way to disable Java security completely.
The only way left at the moment seems to be downgrading back to Java 1.6.
Is there any way to disable Java security functions completely? I know this is insecure, unprofessional and a very very bad thing to do. But as I said: A completely private network and the administration page of the climate controllers is the only page the Firefox on that system will ever see.
Even a very dirty hack would be welcome!
Thank you!
Upvotes: 3
Views: 1983
Reputation: 2739
Just install an old version of Java.
You could use the Java Rule Set to control which hosts run V 1.6 etc. This would allow you to have 1.7 with its security still intact, and 1.6 in whatever state you need.
This would actually give you some decent assurance that only certain sites can run the old versions. You would have to sign this jar though. You can generate and install a cert into Java no problem though.
You would get some rules like so:
    <rule>
      <id location="https://java.com/" />
      <action permission="run" version="SECURE" />
    </rule>
    <rule>
      <id location="http://climate.example.com/" />
      <action permission="run" version="1.6.0_31" />
    </rule>
See here for the above example
I would recommend this to guard against the future. If anyone plugs this device in, or anyone else has to support the application who is unaware of the vulnerable state you left Java in, you might have some serious security issues. This would create a much stronger design pattern and people will have a secure Java available to them.
Upvotes: 2
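An added example, not part of the answer above and not Oracle tooling: a small Python audit to run over a rule set file before it is signed and deployed. It lists which locations get the pinned old JRE and flags rules that widen that exposure. The `<ruleset>` wrapper, the final catch-all block rule, the sample document and the function name are assumptions of this example; the block rule follows the question's statement that this browser only ever opens the controllers' page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's two rules inside a <ruleset> root, plus a
# final catch-all block rule (an <id> with no attributes matches every applet).
SAMPLE = """<ruleset version="1.0+">
  <rule><id location="https://java.com/" />
        <action permission="run" version="SECURE" /></rule>
  <rule><id location="http://climate.example.com/" />
        <action permission="run" version="1.6.0_31" /></rule>
  <rule><id /><action permission="block" /></rule>
</ruleset>"""


def audit_ruleset(xml_text):
    """Return (pinned, findings) for a Deployment Rule Set document.

    pinned   -- (location, version) pairs allowed to run on a non-SECURE JRE
    findings -- review notes for rules that widen that exposure
    """
    pinned, findings = [], []
    catch_all = None  # permission of the first rule that matches everything
    for n, rule in enumerate(ET.fromstring(xml_text).findall("rule"), 1):
        rid, action = rule.find("id"), rule.find("action")
        if rid is None or action is None:
            findings.append(f"rule {n}: missing <id> or <action>")
            continue
        if catch_all is not None:  # rules are matched top-down, first match wins
            findings.append(f"rule {n}: unreachable, follows a catch-all rule")
            continue
        location = rid.get("location")
        permission = action.get("permission")
        version = action.get("version", "")
        matches_all = not rid.attrib and rid.find("certificate") is None
        if matches_all:
            catch_all = permission
        if permission == "run" and version and not version.startswith("SECURE"):
            pinned.append((location, version))
            if location is None or "*" in location:
                findings.append(f"rule {n}: JRE {version} pinned for a broad match")
            elif location.startswith("http://"):
                findings.append(f"rule {n}: {location} is plain HTTP, host not authenticated")
    if catch_all != "block":
        findings.append("no final catch-all block rule")
    return pinned, findings


if __name__ == "__main__":
    pinned, findings = audit_ruleset(SAMPLE)
    print("pinned to old JRE:", pinned)
    for f in findings:
        print("finding:", f)
```
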