Patrick

Script to defeat Java Application Blocked issues

How to stop the application blocking on entire IP address ranges.

  1. Patrick
    Background
    I made a post a few weeks ago on a way to manually defeat Java Application Blocked issues when trying to connect to various iKVM interfaces. Today I re-installed Windows 10 and lost my old exceptions.list file which had gotten pretty big.

    I read Terry Kennedy's comment that the actual list is found in exception.sites here. From that post the plain text file with one line per allowed IP + http or https combo can be found in a Windows directory.

    As a result, I made a little Python loop to just iterate through IP addresses. Nothing fancy.

    I added lines for http and https and then just do /24's (1-254) in each IP range. You can add more or remove lines and change IP ranges as you see fit. You can also loop more than just the last digit following a similar structure. I did leave 255 out since it is usually a broadcast IP.

    How you can do the same

    Step 1 - make a little Python file. I call mine byejava.py and these are the contents (I removed a bunch of IP ranges but here is the idea):

    Code:
    # range() excludes its end value, so 255 is needed to cover hosts 1-254
    for x in range(1, 255):
        print("http://192.168.1." + str(x))
        print("https://192.168.1." + str(x))
        print("http://10.0.1." + str(x))
        print("https://10.0.1." + str(x))
    
    Step 2 - I then, from the command line, run the Python script and create my new list
    Code:
    py byejava.py > exception.sites
    I can then move the output exception.sites file and replace the existing exception.sites file here:
    Code:
    \Users\username\AppData\LocalLow\Sun\Java\Deployment\security

    Step 3 - stop adding IPs 1 by 1
    No more Java Application Blocked issues on internal management interfaces. Of course, this does create a big security hole since it effectively disables this security feature on private networks. Still, it saves a TON of time, especially if you are adding new gear and maintaining exception lists across PCs. I have 6 commonly used /24's that get DHCP addresses for IPMI devices. I tried http://10.0.1.* but that did not work so this is an easy way to open up entire address ranges.
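An added example, not part of the original post: a small audit of an exception.sites list (one scheme://address entry per line, as described above) that reports how far the exceptions reach. It counts cleartext http entries and lists addresses outside private space, non-IP entries, and /24s where every host from .1 to .254 is exempted. The function name, report keys and sample entries are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

def audit_exception_sites(lines):
    """Summarise an exception.sites list (one scheme://host entry per line)."""
    report = {"http_count": 0, "public": [], "not_ip": [], "full_24": []}
    seen = defaultdict(set)  # (scheme, /24 network) -> addresses listed
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue
        try:
            parts = urlsplit(entry)
            ip = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            report["not_ip"].append(entry)  # hostname or malformed line
            continue
        if parts.scheme == "http":
            report["http_count"] += 1  # exception granted over cleartext HTTP
        if not ip.is_private:
            report["public"].append(entry)  # outside private/reserved space
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            seen[(parts.scheme, net)].add(ip)
    for scheme, net in sorted(seen):
        # Flag a /24 only when every usable host (.1-.254) is exempted.
        if set(net.hosts()) <= seen[(scheme, net)]:
            report["full_24"].append(f"{scheme}://{net}")
    return report

# Constructed sample: the loop output for one /24 plus a few single entries.
SAMPLE = [f"{s}://192.168.1.{x}" for x in range(1, 255) for s in ("http", "https")]
SAMPLE += ["https://10.0.1.7", "http://8.8.8.8", "https://ikvm.example.internal", ""]

if __name__ == "__main__":
    for key, value in audit_exception_sites(SAMPLE).items():
        print(key, value)
```

To audit a real list, pass the lines of the exception.sites file instead of the constructed sample, for example `audit_exception_sites(open(path))`.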