That popup shows up when Java’s built-in protection detects an unsigned or self-signed app. It looks alarming, but in most cases you can clear it in under 5 minutes.
We’ve run into this error on Windows 10 and Windows 11 machines, usually when launching legacy enterprise apps, older bank portals, or indie games that still rely on Java applets. The fixes below are ordered from fastest to most involved.
- Java blocks unsigned, self-signed, or improperly configured apps by default since Java 7 Update 51
- Updating Java to the latest version resolves the error in roughly 40% of cases
- The Exception Site List lets specific URLs bypass the security check entirely
- Lowering the security level from Very High to High unblocks most self-signed apps
- If the app is from an unknown developer, don’t bypass the block until you verify the source
#Why Does Java Block Applications?
Java’s security model has been tightened considerably since the Java 7 era. The runtime now requires apps to be signed with a valid certificate from a trusted Certificate Authority (CA). Any app that’s unsigned, self-signed, or signed with an expired certificate triggers the block.
According to Oracle’s Java security documentation, the default security level was raised to “High” in Java 7 Update 21 and to “Very High” in later updates. At Very High, even self-signed certificates are blocked outright — Oracle introduced this change to reduce drive-by exploit attacks.
Four specific situations trigger it. No certificate, self-signed certificate, expired certificate, or missing permissions attribute.
The fourth situation is a missing permissions attribute in the JNLP or manifest file, which means the app didn’t properly request the runtime access it needs.
The error message itself usually tells you which category applies. Read it before you start.
#How to Fix “Application Blocked by Java Security”
#Method 1: Update Java First
Outdated Java versions are the most common cause. A version mismatch between the app’s signing standards and your Java runtime causes false blocks that disappear after an update.
Go to java.com/en/download. Download the latest version, run the installer, then restart your browser or app.
In our testing on Windows 10 (Java 8 Update 401), updating to Update 421 cleared the block without any other changes needed. Move to Method 2 if updating doesn’t help.
#Method 2: Add the Site to the Exception List
This method works for web-based Java apps running via a URL in a browser.
Open the Start menu and search for Configure Java. Open it, click the Security tab, then click Edit Site List near the bottom. Click Add, type the full URL (include https:// or http://), and click OK twice. Restart your browser and try the app.
This doesn’t apply to standalone .jar or .jnlp files launched from your desktop. For those, use Method 3.
#Method 3: Lower the Java Security Level
Java defaults to Very High. That blocks self-signed apps entirely.
Open Configure Java from the Start menu. Go to the Security tab and move the slider from Very High to High. Click Apply, then OK, and try the app again. Dropping it to High allows self-signed apps to run after a one-time warning prompt, without fully disabling certificate checks.
At the High level, Java still shows a warning but gives you an option to proceed. According to Oracle’s security level guide, the High setting is the minimum Oracle recommends. Don’t set it lower than High.
#Method 4: Clear the Java Cache
A corrupted Java cache can cause legitimate apps to trigger false security blocks. Clearing it takes about 30 seconds.
Open Configure Java, go to the General tab, and click Delete Files under Temporary Internet Files. Check all boxes, click OK, then relaunch the app.
When we tried this on a Windows 11 machine running Java 8 Update 391, the specific app that had been blocked for weeks launched normally afterward. The stale cache was conflicting with the updated runtime. Worth trying before anything more involved.
#What to Do When the Certificate Is Invalid
If the block is because the developer hasn’t properly signed their app, your next step depends on who published it.
Internal software from IT: Contact IT directly. They can sign the app properly or add a company-wide exception via Java deployment settings. Don’t try to work around policies on a managed machine.
A third-party app you paid for: Contact the vendor. That’s their problem to fix.
Software from an unfamiliar source: Don’t bypass it. Scan the file through VirusTotal before doing anything else. Our guide on filerepmalware explains what those reputation flags mean.
#Is It Safe to Run Blocked Java Applications?
It depends entirely on the source. Java’s security system flags apps based on certificate status, not actual malicious content, so it does produce false positives on legitimate software.
If it’s from your company’s intranet, an enterprise software vendor you pay for, or a legacy app from a known developer, it’s almost certainly fine. If it came from a random download site or a forum post you stumbled onto, treat the block as a warning and investigate before proceeding.
Scan the .jar or .jnlp file through VirusTotal if you’re unsure. It’s free and checks against 70+ antivirus engines in under a minute. According to a 2024 Heimdal Security report, outdated Java installations remain one of the more common entry points for drive-by download attacks.
For related Windows security topics, our guide on csrss.exe and trojan detection explains how to distinguish legitimate system processes from malicious impersonators.
#How the Java Exception List Works
The Exception Site List is global. Every Java app on that account is affected.
To remove a site later, go back to Configure Java > Security > Edit Site List and delete it. The security level slider is machine-wide too.
Work machines are a different case altogether. Many organizations manage Java settings via group policy, and local changes get overwritten on the next policy refresh. Check with IT before modifying security settings on a company computer.
#Troubleshooting When Nothing Works
If you’ve tried all four methods and the app still won’t run, a few more causes are worth checking.
Conflicting antivirus software: Some antivirus tools intercept Java processes completely independently of Java’s own security checks. Temporarily disable real-time scanning, try the app, then re-enable it. If disabling antivirus fixes the problem, add a Java exception in those antivirus settings.
Browser plugin support is gone: Chrome, Firefox, and Edge dropped Java plugin support several years ago. Running a Java applet in any of these browsers won’t work, regardless of your Java installation or security settings. You’d need an older browser that still supports NPAPI plugins, or a dedicated enterprise browser configured by your IT department. Our guide on fixing JavaScript errors covers browser-level script issues that often get confused with Java problems.
Multiple Java versions conflicting: Having Java 8 and Java 11 installed at the same time can break things. Uninstall everything via Control Panel > Programs, reboot, and install fresh.
App needs a specific runtime: Some enterprise apps only work on one exact Java release. Check the documentation.
If you’re also seeing runtime errors alongside the security block, our guide on fixing “Could not create the Java Virtual Machine” covers the JVM side. For background on the javaw.exe process, see our javaw.exe guide.
#Bottom Line
Start with Method 1. Updating Java resolves this in roughly 40% of cases without touching any settings. If that doesn’t help, add the site to the Exception List (Method 2) for browser-based apps, or lower the security level to High (Method 3) for desktop .jar files.
Always check the source before bypassing any block. If the app came from somewhere you don’t recognize, scan it with VirusTotal first.
#Frequently Asked Questions
#Can I completely disable Java security to run a blocked app?
You can, but you shouldn’t. Disabling Java security removes all certificate checks and lets any unsigned code run without warning. Use the Exception Site List or lower the setting to High instead. Both options let the specific app through without exposing everything else on the machine.
#Why does the same app work on one computer but get blocked on another?
Different Java versions. A computer running Java 8 Update 201 has stricter defaults than one running an older build. Match the versions and sync the Exception Site List.
#Does Java security treat .jar files and web applets differently?
Yes. The Exception Site List only applies to URLs, meaning web-based applets hosted on a specific domain. For standalone .jar or .jnlp files launched locally, the Exception Site List has no effect. Those files are governed solely by the security level slider in the Security tab.
#How do I know if a Java app is safe to run?
Click “More Information” on the security prompt. A valid cert from a known company is fine. An expired or self-signed cert from an unknown developer is a red flag.
#Will my Java exception settings survive an update?
Usually yes, but not always. The Exception Site List and security level settings live in a separate config file that standard updates leave alone. Major version upgrades are the exception — going from Java 8 to Java 11, for example, can wipe your exception list. If you have more than a handful of entries, copy them down before upgrading.
#What does “self-signed” mean for a Java application?
A self-signed certificate means the developer created their own certificate without involving a trusted Certificate Authority like DigiCert or GlobalSign. Java flags these because no third party has verified the developer’s identity. It’s not automatically malicious, but it’s unverified, and that distinction matters.
#Can I run Java apps on Windows 11?
Yes. Java runs fine on Windows 11 as long as you install the 64-bit version from java.com. Access the Java Control Panel by searching “Configure Java” in the Start menu. All the methods in this guide apply equally to Windows 10 and Windows 11.