
When I was on the Allowed Programs window in the firewall, I noticed not one but two line items identically entitled "Java (TM) Platform SE binary."

One of them was checkboxed only Home/Work (Private), and the other one was checked only on Public.

My first question was why is one of these checked on Public? Why does either one of these need to be publicly accessible? I wasn't really thinking about the consequences of deleting it, but ended up deleting the line item that had been checked to Public, thinking, Well (a) they look like dupes (they're both called "Java (TM) Platform SE binary"), but (b) one of them is set to public which kind of seems unsafe, so I'll just delete that one entirely.

Now I'm wondering if both of the line items should be there. One of the reasons I'm wondering is because when I look at [Details] of the only remaining line item, I see that it points to C:\program files\java\jdk1.6.0_22\bin\javaw.exe and now I'm wondering if the other line item pointed to something other than javaw.exe.

Does anybody else see a configuration that could clear things up for me? Thanks for any help and advice.

UPDATE: I just thought of this. The other line item might have been tuned to Public because it's communicating with Oracle for updates (like those notices that every couple of months or so appear at the lower right menu tray saying there's a new version of Java, do you want to install?). Can any Windows 7 user with Java SE tell me if they see two line items each saying "Java (TM) Platform SE binary" in the firewall Allowed Programs pane, and tell me what the other .exe besides javaw.exe is?

Thanks again, all.


After doing some more Java-based work, I discovered that extra SE binary line item is added dynamically by the OS into the Allowed Programs list under some circumstances. What I had originally eliminated from the list was re-added (both are javaw.exe) and I'm confident that things are the way they should be now.

user33666

1 Answer


In Windows, JRE has two commands for running Java applications: java.exe for console and javaw.exe for GUI programs. (This is needed because of the "graphical vs console" distinction in Windows.) They work exactly the same way, but if you run the console version, java.exe, Windows will automatically open a console window for it (if it doesn't already have one).

The reason you have both in your firewall's configuration is simple: two Java-based programs have requested access, one of which was using GUI mode and the other not.


One big downside of bytecode and interpreted language runtimes is that they all appear to the OS as the same process. All Java programs run as java.exe (or javaw.exe), all Python programs run as /usr/bin/python, all Perl programs run as perl.exe, and so on. (On Windows, an exception is Microsoft .NET runtime, which uses the same .exe format and is able to retain process identity.)

From the firewall point of view, this makes application-based filtering useless, because you cannot assign trust to a specific application but only to the entire runtime (and all applications that run through it).

In Windows XP, I have removed both Java entries and re-added them as port-based rules. Since XP's firewall only handles incoming connections, I'm not sure if the same would work in Windows 7, but you should try it. (Allowing outgoing connections to java.exe is, IMHO, okay.)

grawity
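To tell identically named entries apart and find the runtime-wide rules the answer describes, the verbose rule listing can be parsed and filtered. This is an added example, not part of the question or the answer; the sample text is constructed, and `parse_rules` and `runtime_wide_rules` are hypothetical helper names.

```python
import ntpath

# Shared runtimes named in the answer; one rule covers every program run through them.
RUNTIMES = {"java.exe", "javaw.exe", "python.exe", "perl.exe"}

# Constructed sample (fields trimmed), laid out like `netsh advfirewall firewall show rule name=all verbose`.
SAMPLE = r"""
Rule Name:                            Java (TM) Platform SE binary
Direction:                            In
Profiles:                             Private
LocalPort:                            Any
Program:                              C:\program files\java\jdk1.6.0_22\bin\javaw.exe
Action:                               Allow

Rule Name:                            Java (TM) Platform SE binary
Direction:                            In
Profiles:                             Public
LocalPort:                            Any
Program:                              C:\program files\java\jdk1.6.0_22\bin\javaw.exe
Action:                               Allow

Rule Name:                            Hypothetical port rule
Direction:                            In
Profiles:                             Private
LocalPort:                            8080
Action:                               Allow
"""

def parse_rules(text):
    """Return one dict per rule; a 'Rule Name' line starts a new rule."""
    rules = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key == "Rule Name":
            rules.append({})
        if sep and rules:  # skips blank lines and dashed separators
            rules[-1][key] = value
    return rules

def runtime_wide_rules(rules):
    """Inbound allow rules that trust a whole runtime on any local port."""
    return [(r["Rule Name"], r.get("Profiles"), r["Program"])
            for r in rules
            if ntpath.basename(r.get("Program", "")).lower() in RUNTIMES
            and r.get("Direction") == "In" and r.get("Action") == "Allow"
            and r.get("LocalPort", "Any") == "Any"]

if __name__ == "__main__":
    print(runtime_wide_rules(parse_rules(SAMPLE)))
```

On a real machine, save the command's output to a file and pass its contents to `parse_rules`; field names differ on non-English Windows installations.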