Documentation Contents
Java Platform, Standard Edition Deployment Guide
Contents    Previous    Next

26 Deployment Rule Set

The Deployment Rule Set feature is for enterprises that manage their Java desktop environment directly, and provides a way for enterprises to continue using legacy business applications in an environment of ever-tightening Java applet and Java Web Start application security policies. This feature also provides the ability to control the version of the JRE that is used for specific applications.

Java applets, Java Web Start Applications, and JavaFX applications embedded in a browser, known collectively as Rich Internet Applications (RIAs), are accessed from a web server through a browser. To protect the user and minimize the possibility that a RIA was compromised, security checks are performed when a RIA is started, and the user is prompted for permission to run the RIA. The Deployment Rule Set feature enables an enterprise to establish a whitelist of known applications. Applications on the whitelist can be run without most security prompts, however, the following prompts are not suppressed:

Rules for deployment are defined in an XML file and packaged in a signed JAR file. The rules are tested sequentially until one matches the RIA. Depending on the action assigned to the rule, the RIA is then run without security prompts, blocked from running, or run with default processing that shows any security prompts that are applicable. If no rules are matched, then default processing is used. The rules also provide the ability to specify the version of the JRE that is used to run the RIA and suppress the notification of out-of-date JREs.

An active rule set that is installed on the system can be viewed from the Security tab of the Java Control Panel. See Section 18.4, "Security" in Chapter 18, "Java Control Panel" for more information.

The Deployment Rule Set feature requires the Java Plug-in from Java SE 6 Update 10 or later. If a deployment rule set is installed, usage of the plug-in from earlier releases is blocked for all RIAs.


Note:

The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment. If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java.


This topic contains the following sections:

26.1 Create the Rule Set

The rule set is an XML file that must be named ruleset.xml. Use any text editor to create this file.

26.1.1 Define the Rules

Define the rules that you need to run or block RIAs for your organization. See Section 26.5, "Java Deployment Rule Set DTD" for the syntax of the rule set. If unknown elements or attributes are included in the rule set, warnings are written to the Java Console. The following elements are valid:

See Examples for some sample rule sets.

If the rule set is invalid, then an error that describes the problem is shown and all RIAs are blocked. Either the ruleset.xml file must be corrected, or the DeploymentRuleSet.jar file must be removed from the deployment directory (see Package and Install the Rule Set for the location of this directory) before RIAs can be run. If a rule set is reported as invalid, then check for the following problems based on the error you received:

If the DeploymentRuleSet.jar file is removed, RIAs are handled by the default deployment process. See Chapter 22, "Rich Internet Application Deployment Process" for a description of this process.

26.1.2 Set Up Rules for Calls From JavaScript Code (LiveConnect)

If you need to make calls to your RIA from JavaScript code, then apply the following guidelines to prevent the calls from being blocked:

  • If the rule set contains a rule with the action of run that matches your RIA, then the rule set must also contain a rule with the action of run that matches the location of the JavaScript code.

  • If the rule set contains a rule with the action of default that matches your RIA, or no rule matches your RIA so default processing is used, then one of the following must be true:

    • The rule set contains a rule with the action of run that matches the location of the JavaScript code.

    • The rule set contains a rule with the action of default that matches the location of the JavaScript code.

    • No rule matches the location of the JavaScript code, so default processing is used.

If the JavaScript code is calling privileged code and you want to suppress mixed code warnings, see Set Up Rules for Mixed Code.

26.1.3 Set Up Rules for Mixed Code

When you create your rule set, ensure that you have rules for all of the artifacts that are associated with the RIAs. Additional rules might be needed to suppress mixed code security warnings that are generated when calls are made between code with different permission levels, or from JavaScript code to privileged Java code. To suppress the mixed code security warnings, include rules in your rule set based on the following requirements of your RIA:

  • To make calls between Java code with different permission levels, add a rule with an action of run that matches the code being called.

    For example, the following rule suppresses the mixed code prompt for calls to privileged code located at https://host.example.com/apps from sandbox code:

    <rule>
     <id location="https://host.example.com/apps"/>
     <action permission="run"/>
     </rule>
    
  • To call privileged Java code from JavaScript code, add a rule with an action of run that matches the location of the JavaScript code.

    For example, the following rule suppresses the mixed code prompt for calls to privileged Java code from JavaScript code that is located in any page on https://host.example.com.

    <rule>
     <id location="https://host.example.com/"/>
     <action permission="run"/>
     </rule>
    

    If the rule set has no rule with an action of run or default that matches the location of the JavaScript code, then calls from JavaScript code are blocked. If you want any applicable security prompts to be shown for calls from JavaScript code, you must define a rule with an action of default that matches the location of the JavaScript code.

Be aware that the rules shown in this section for suppressing the mixed code prompt also suppress the other security prompts for any RIA that matches the rule. Make sure that your rules are defined in the order needed to provide the control that you want.

26.1.4 Get the Certificate Hash

If you want to define a rule that uses the certificate hash to match RIAs, you need to obtain the correct string of hexadecimal digits. Follow these steps:

  1. Use the following command to print out the certificate information for your JAR file, replacing myjar.jar with the name of your JAR file:

    keytool -printcert -jarfile myjar.jar | more
    
  2. At the beginning of the output, find Signer #1

  3. In the Certificate fingerprints section under Signer #1, find the line that begins with SHA256.

    The text that follows the SHA256 identifier contains 32 pairs of hexadecimal numbers separated by colons.

  4. Copy the string that follows the SHA256 identifier to a text editor and remove the colons.

    The string that you create by removing the colons is the hash value to use for the hash attribute of the certificate element.

26.2 Package and Install the Rule Set

The rule set defined in the ruleset.xml file must be packaged in a signed JAR file named DeploymentRuleSet.jar. The JAR file must be signed with a valid certificate from a trusted certificate authority. For information about creating and signing a JAR file, see the lesson Packaging Programs in JAR Files in the Java Tutorials.

Install the DeploymentRuleSet.jar file on your users' systems in the following directories:

To view the active rule set, go to the Security tab of the Java Control Panel. See the Section 18.4, "Security" for information on this tab.

26.3 Security Considerations

The Deployment Rule Set feature enables RIAs to run without notifying users of potential security risks. Review the following security considerations to be aware of the risks of using a rule set, and follow any recommendations provided:

26.4 Examples

Example 26-1 allows all RIAs from https://host.example.com/ to run without security prompts. RIAs from other locations do not match the rule so default processing is used and security prompts are shown as applicable.

Example 26-1 Run RIAs from a Single Location

<ruleset version="1.0+">
  <rule>
    <id location="https://host.example.com" />
    <action permission="run" />
  </rule>
</ruleset>

To ensure that all RIAs are handled by the rule set, you can provide a final rule that matches any RIA that was not matched by a previous rule. The action for this rule must be either block or default. Example 26-2 allows all RIAs from https://host.example.com:8080 to run without security prompts and blocks all other RIAs. The default message is shown when a RIA is blocked because no custom message is provided.

Example 26-2 Block Any RIAs Not Matched

<ruleset version="1.0+">
  <rule>
    <id location="https://host.example.com:8080" />
    <action permission="run" />
  </rule>

  <rule>
    <id />
    <action permission="block" />
  </rule>
</ruleset>

Rules are processed in the order in which they appear in the rule set. Complex patterns can be defined for matching rules by placing the rules in the correct order. Example 26-3 allows RIAs from https://host.example.com to run without security prompts using a secure version of the Java 1.7 platform, but uses default processing for RIAs from https://host.example.com/games, which shows applicable security prompts. RIAs from other locations do not match either rule, so default processing is used.

Example 26-3 Rule Order Matters

<ruleset version="1.0+">
  <rule>
    <id location="https://host.example.com/games" />
    <action permission="default" />
  </rule>

  <rule>
    <id location="https://host.example.com" />
    <action permission="run" version="SECURE-1.7" />
  </rule>
</ruleset>

Example 26-4 modifies the previous rule set and requires only the RIA named Solitaire from https://host.example.com/games to run with default processing. Other RIAs from https://host.example.com are allowed to run without security prompts using a secure version of the Java 1.7 platform. All other RIAs are blocked, and a custom message is shown.

Example 26-4 Manage a Specific RIA

<ruleset version="1.0+">
  <rule>
    <id title="Solitaire" location="https://host.example.com/games" />
    <action permission="default" />
  </rule>

  <rule>
    <id location="https://host.example.com" />
    <action permission="run" version="SECURE-1.7" />
  </rule>

  <rule>
    <id /> 
    <action permission="block">
      <message>Blocked by corporate. Contact J. Smith, smith@host.example.com, if you need to run this app.</message>
    </action>
  </rule>
</ruleset>

To allow multiple RIAs from multiple locations to run, and all RIAs are signed with the same certificate, you can use the certificate element to identify the RIAs with one rule instead of creating rules for each location and title. Example 26-5 allows all RIAs that are signed with the certificate used by Oracle to run without security prompts using a secure version of the Java platform. RIAs from any host ending with example.com are allowed to run with default processing. All other RIAs are blocked, and a custom message is shown.

Example 26-5 Manage RIAs Based on Signing Certificate

<ruleset version="1.0+">
  <rule> <!-- allow anything signed with company's public cert --> 
    <id>
      <certificate hash="794F53C746E2AA77D84B843BE942CAB4309F258FD946D62A6C4CCEAB8E1DB2C6" />
    </id>
    <action permission="run" version="SECURE" />
  </rule>

  <rule>
    <id location="*.example.com" />
    <action permission="default" />
  </rule>

  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate. Contact J. Smith, smith@host.example.com, if you need to run this app.</message>
    </action>
  </rule>
</ruleset> 

To force the use of a specific JRE, use the force attribute of the action element. This attribute is introduced in the 1.1 version of the Deployment Rule Set. Example 26-6 allows RIAs from https://host.example.com/apps to run without security prompts using version 1.8_20 of the JRE. Any version requested by the RIA is ignored. If version 1.8_20 is not available, the RIA is blocked. All other RIAs are blocked, and a custom message is shown.

Example 26-6 Force the Use of a Specific JRE

<ruleset version="1.1+">
  <rule>
    <id location="https://host.example.com/apps" />
    <action permission="run" version="1.8_20" force="true" />
  </rule>

  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate. Contact J. Smith, smith@host.example.com, if you need to run this app.</message>
    </action>
  </rule>
</ruleset> 

26.5 Java Deployment Rule Set DTD

The following example shows the DTD for the version 1.1 of the Deployment Rule Set. Version 1.1 is supported by JRE 8u20 and higher. Version 1.0 is supported by JRE 7u40 and higher. Items introduced after version 1.0 are noted.

<!ELEMENT ruleset (rule*)>
<!ATTLIST ruleset version CDATA #REQUIRED>
 
<!ELEMENT rule (id, action)>
 
<!ELEMENT id (certificate?)>
<!ATTLIST id title CDATA #IMPLIED>
<!ATTLIST id location CDATA #IMPLIED>
 
<!ELEMENT certificate EMPTY>
<!ATTLIST certificate algorithm CDATA #IMPLIED>
<!ATTLIST certificate hash CDATA #REQUIRED>
 
<!ELEMENT action (message?)>
<!ATTLIST action permission (run | block | default) #REQUIRED>
<!ATTLIST action version CDATA #IMPLIED>
<!ATTLIST action force (true|false) "false">       <!-- introduced in 1.1 -->
 
<!ELEMENT message (#PCDATA)>
<!ATTLIST message locale CDATA #IMPLIED>
Contents    Previous    Next

Oracle and/or its affiliates Copyright © 1993, 2014, Oracle and/or its affiliates. All rights reserved.
Contact Us