This article describes how to set up Java security for browsers on a Windows 7 system.
Java Security configuration is required to enable you to execute unsigned Java applets.
Java will automatically execute signed applets, but these have to signed using a cryptographic key
contained in a signing certificate, which has to be purchased from a certificate authority and renewed regularly.
This is usually not appropriate for simple applets used for graphical applications,
so security configuration is now inevitable.
If you really want to be ahead of the curve you can first install
JRE 8u20 (Java Runtime Environment version 8) from
https://jdk8.java.net/download.html.
Otherwise skip this step. (The version 8 JRE is required if you intend to use the 3D graphics support of JavaFX.)
Unless you intend to compile your own Java programs, you only need to download the JRE file.
Before downloading, select the Accept License Agreement button.
If you are using the Firefox browser, you should download the 32-bit JRE,
as Firefox does not yet support 64-bit programs.
The JRE file will be named something like jre-8u20-ea-b23-windows-i586-dd_mmm_yyyy.exe
(where dd_mmm_yyyy is the publication date).
Download and execute this file to install the JRE.
(The JRE contains the Java Virtual Machine [JVM], the java console command, and the browser plugins.
It does not contain the Java compiler itself, which requires the full Java Development Kit [JDK]).
This button runs a Java applet itself.
(I presume it is a signed applet, as it does not appear to require security configuration.)
If you see the following prompt, select the button.
(You should probably also set the Do not show this again... checkbox.)
When the applet completes, you should see something like:
If you do not see either of the above, the applet may be being blocked by the browser's plugin controls.
See further at point 13.
To run any further applets, you now need to configure Java security.
This is not done in the browser: it is a Windows operating system configuration.
Go to the Windows Control Panel screen, and select Java.
You should see the following Java Control Panel:
In the Java Control Panel, select the tab.
You should see the following:
Ensure that the Enable Java content in the browser checkbox is set,
otherwise Jave applets will not execute at all.
For earlier Java versions, you may see a security level of Medium.
Do not use this, as it is deprecated. Use the Exception Site List process, described below, instead.
You now have to configure the locations from which you are prepared to accept downloads of Java applets.
The locations are always specified as full or partial URLs.
URLs with schemes http, https, and file are accepted.
(See
The components of a URL, written under my guidance, for an excellent description of the components of a URL.)
If you want to execute applets from the local file system (i.e. your computer's hard drive),
you have to specify a URL with a file scheme.
In these URLs, the scheme is followed by three slashes, and then a drive letter and path.
The file path must contain forward slashes, not the backslashes traditionally used in Windows filenames,
and the final directory name in the path must be terminated with a slash.
For example:
file:///E:/applets/
For http and https scheme URLs, you can specify a hostname without a final slash
to permit downloads from a whole site, or a hostname and directory path with a final slash
to permit downloads from a specific directory and all its subdirectories.
The full documentation for the list is at
Exception Site List.
To configure the Exception Site List, press the button
in the Java Control Panel Security tab.
This should display something like:
Add new URLs by pressing the button.
Type or paste-in the new URL, then press .
For http and file scheme URLs, one of the following warnings is issued: You must accept the risk by pressing the button in each case.
My personal view is that the risk of file and http scheme URLs is no greater than that of https,
as it is just as feasible to deliver a rogue applet over HTTPS.
It is also illogical: anyone who can afford an SSL certificate to run an HTTP server is also likely to be able
to afford a certificate to sign the applets, thereby making the security configuration unnecessary. But those are Oracle's rules.
Once you have created the Exception Site List, it should now be possible to execute applets
(from those named locations) in a browser.
But the browser plugin will still issue additional prompts to confirm that you wish to run the applets.
Even after Java Security has been configured,
you may still not be able to execute applets.
This is because the applets are executed by means of a browser plugin,
and the execution of plugins is now tightly controlled by the browser itself.
This is not part of Java security: it is part of the browser plugin security.
It applies to other plugins like the Adobe's Shockwave Player or Apple's Quicktime Player.
If an applet is blocked in Firefox, you will see a graphic like the following instead of the expected applet:
The clickable line below the Lego piece says Activate Java Platform
followed by the installed Java release.
When you click on this, you should see the following popup in the top left-hand corner of the Firefox window:
Press the button to allow the Java plugin to run,
and to remember the decision for future invocations of the applet.
Under some circumstances it may be necessary to stop and restart Firefox several times
before Firefox accepts the plugin security choice.
When the Java applet finally runs, it will create a Java Console window,
which logs the actions taken by the Java program. This can be ignored and closed if you wish.
Acknowledgements
Oracle® and Java® are registered trademarks of Oracle and/or its affiliates.
Windows® is a registered trademark of the Microsoft Corporation.
Firefox® is a registered trademark of the Mozilla Foundation.
LEGO® is a trademark of the LEGO Group of companies
Other names may be trademarks of their respective owners.
