Yes, this is true. This blog entry from Oracle has the details.
As I understand it, you have three options for continuing to work:
- Sign your app with a trusted cert
  - Normally, this is done by acquiring a cert from one of the vendors whose root certs are trusted by Java by default.
  - You can also use a self-signed certificate if your community of users is controlled (e.g. all within a managed corporate network, or all students in the same intro to programming class).
- Have your end users configure their machines to trust your app despite it being self-signed
  - via deployment rule sets (Oracle’s intention is that DRSs are only to be used in corporate environments, where you can push out this configuration update via a centralized management technology)
  - via the exception site list (I believe this is intended to be analogous to DRSes, but for individual end users without centralized management)
- Have your users lower their security slider from High (the default) to Medium
See also my question about obtaining pre-release versions of these updates to test with.
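
For the deployment rule set option above, a sketch of what a `ruleset.xml` can look like (an added example, not part of the original answer and not taken from Oracle's blog entry). The host name and certificate hash are placeholders; the file is packaged into a signed `DeploymentRuleSet.jar` before being distributed to managed machines.

```xml
<!-- Added example: hypothetical ruleset.xml for a managed environment. -->
<!-- Rules are evaluated top to bottom; the first matching rule wins.   -->
<ruleset version="1.0+">

  <!-- Allow the in-house app by where it is hosted.                    -->
  <!-- apps.example.internal is a placeholder host name.                -->
  <rule>
    <id location="https://apps.example.internal/tools/" />
    <action permission="run" />
  </rule>

  <!-- Allow anything signed with the organisation's own certificate,   -->
  <!-- regardless of location. Replace the hash with the SHA-256        -->
  <!-- fingerprint of your signing certificate (placeholder below).     -->
  <rule>
    <id>
      <certificate algorithm="SHA-256"
                   hash="REPLACE_WITH_SHA256_FINGERPRINT_OF_SIGNING_CERT" />
    </id>
    <action permission="run" />
  </rule>

  <!-- Catch-all: everything else is blocked rather than falling back   -->
  <!-- to the user's security prompts, so the allow list stays explicit.-->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate deployment rule set.</message>
    </action>
  </rule>

</ruleset>
```

Changing the final rule's action to `permission="default"` makes unmatched apps go through the normal Java security checks and prompts instead of being blocked outright.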