Java Rich Internet Applications Guide > Security > Deployment Rule Set
This page includes the following topics:
The Deployment Rule Set feature is for enterprises that manage their Java desktop environment directly, and provides a way for enterprises to continue using legacy business applications in an environment of ever-tightening Java applet and Java Web Start application security policies.
Java applets and Java Web Start Applications, known collectively as Rich Internet Applications (RIAs), are accessed from a web server through a browser. To protect the user and minimize the possibility that a RIA was compromised, security checks are performed when a RIA is started, and the user is prompted for permission to run the RIA. The Deployment Rule Set feature enables an enterprise to establish a whitelist of known applications. Applications on the whitelist can be run without most security prompts, however, the following prompts are not suppressed:
Rules for deployment are defined in an XML file and packaged in a signed JAR file. The rules are tested sequentially until one matches the RIA. Depending on the action assigned to the rule, the RIA is then run without security prompts, blocked from running, or run with default processing that shows any security prompts that are applicable. If no rules are matched, then default processing is used. The rules also provide the ability to specify the version of the JRE that is used to run the RIA and suppress the notification of out-of-date JREs.
An active rule set that is installed on the system can be viewed from the Security tab of the Java Control Panel. See the Security section of Java Control Panel for more information.
The Deployment Rule Set feature requires the new Java Plug-in (available since Java SE 6 Update 10). Use of the old Java Plug-in is not supported. If a deployment rule set is installed, usage of the old plug-in is blocked for all RIAs.
Note: The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment. If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java.
The rule set is an XML file that must be named ruleset.xml
. Use any text editor to create this file.
Define the rules that you need to run or block RIAs for your organization. See Java Deployment Rule Set DTD for the syntax of the rule set. Unknown elements or attributes are ignored. Valid elements are described in the following table.
Element | Description | Attributes |
---|---|---|
|
Top-level element of the policy file. The The valid child element is |
|
|
Identifies a RIA or set of RIAs and the action taken. A When a RIA has artifacts that are signed with a different certificate or that are in a different location, ensure that the rule set contains rules for all artifacts of the RIA. For mixed code cases, which are calls between JAR files with different permission levels or calls from JavaScript code to privileged Java code, see Set Up Rules for Mixed Code for additional information. The valid parent element is |
None |
|
Identifies the RIA or set of RIAs to which the rule applies. To be considered a match, the RIA must match all attributes and child elements present. If no attributes or child elements are present, then the rule matches all RIAs. If the action for a rule is The valid parent element is |
|
|
Identifies the certificate used to sign the RIA. The The valid parent element is |
|
|
Defines the action taken for any RIA that matches the rule. The valid parent element is |
|
|
Message shown to the user if the RIA is blocked. Use only plain text for the message, HTML tags and other special formatting are not supported. If this element is not present, then a default message is shown. To support multiple locales, include a If the To ensure that the dialog box that shows the message fits the screen, keep the message under 1024 characters and test for all locales provided. The valid parent element is |
|
See Examples for some sample rule sets.
If the rule set is invalid, then an error that describes the problem is shown and all RIAs are blocked. Either the ruleset.xml
file must be corrected, or the DeploymentRuleSet.jar
file must be removed from the deployment directory (see Package and Install the Rule Set for the location of this directory) before RIAs can be run. If a rule set is reported as invalid, then check for the following problems based on the error you received:
run
has no selection criteria provided and therefore matches all RIAs. If the DeploymentRuleSet.jar
file is removed, RIAs are handled by the default deployment process.
If you need to make calls to your RIA from JavaScript code, then apply the following guidelines to prevent the calls from being blocked:
If the rule set contains a rule with the action of run
that matches your RIA, then the rule set must also contain a rule with the action of run
that matches the location of the JavaScript code.
If the rule set contains a rule with the action of default
that matches your RIA, or no rule matches your RIA so default processing is used, then one of the following must be true:
run
that matches the location of the JavaScript code.default
that matches the location of the JavaScript code.If the JavaScript code is calling privileged code and you want to suppress mixed code warnings, see Set Up Rules for Mixed Code.
When you create your rule set, ensure that you have rules for all of the artifacts that are associated with the RIAs. Additional rules might be needed to suppress mixed code security warnings that are generated when calls are made between code with different permission levels, or from JavaScript code to privileged Java code. To suppress the mixed code security warnings, include rules in your rule set based on the following requirements of your RIA:
To make calls between Java code with different permission levels, add a rule with an action of run
that matches the code being called.
For example, the following rule suppresses the mixed code prompt for calls to privileged code located at https://host.example.com/apps
from sandbox code:
<rule> <id location="https://host.example.com/apps"/> <action permission="run"/> </rule>
To call privileged Java code from JavaScript code, add a rule with an action of run
that matches the location of the JavaScript code.
For example, the following rule suppresses the mixed code prompt for calls to privileged Java code from JavaScript code that is located in any page on https://host.example.com
.
<rule> <id location="https://host.example.com/"/> <action permission="run"/> </rule>
If the rule set has no rule with an action of run
or default
that matches the location of the JavaScript code, then calls from JavaScript code are blocked. If you want any applicable security prompts to be shown for calls from JavaScript code, you must define a rule with an action of default
that matches the location of the JavaScript code.
Be aware that the rules shown in this section for suppressing the mixed code prompt also suppress the other security prompts for any RIA that matches the rule. Make sure that your rules are defined in the order needed to provide the control that you want.
If you want to define a rule that uses the certificate hash to match RIAs, you need to obtain the correct string of hexadecimal digits. Follow these steps:
Use the following command to print out the certificate information for your JAR file, replacing myjar.jar
with the name of your JAR file:
keytool -printcert -jarfile myjar.jar | more
At the beginning of the output, find Signer #1
In the Certificate fingerprints
section under Signer #1
, find the line that begins with SHA256
.
The text that follows the SHA256
identifier contains 32 pairs of hexadecimal numbers separated by colons.
Copy the string that follows the SHA256
identifier to a text editor and remove the colons.
The string that you create by removing the colons is the hash value to use for the hash
attribute of the certificate
element.
The rule set defined in the ruleset.xml
file must be packaged in a signed JAR file named DeploymentRuleSet.jar
. The JAR file must be signed with a valid certificate from a trusted certificate authority. For information about creating and signing a JAR file, see the lesson Packaging Programs in JAR Files in the Java Tutorials.
Install the DeploymentRuleSet.jar
file on your users' systems in the following directories:
<Windows-directory>\Sun\Java\Deployment
directory, for example, c:\Windows\Sun\Java\Deployment
. /etc/.java/deployment
directory./Library/Application Support/Oracle/Java/Deployment/
directory.To view the active rule set, see the Security section of Java Control Panel.
The Deployment Rule Set feature enables RIAs to run without notifying users of potential security risks. Review the following security considerations to be aware of the risks of using a rule set, and follow any recommendations provided:
The location
attribute of the id
element is compared to the location of the following files:
If matched, then all of the content in the HTML file or JNLP file is considered trusted. However, if the web site that hosts the file is vulnerable to cross-site scripting attacks, malicious content could be injected into the HTML file or JNLP file.
For applets that use JNLP, the location of the HTML file is not checked, so the applet could potentially be started from anywhere.
If the location
attribute is not used to match a rule to a RIA, then the HTML file or JNLP file that is used to start the RIA could be compromised. Use of the location
attribute is recommended.
When a path is included in the location
attribute, avoid using complex paths or multi-byte characters, if possible. The path is case sensitive and UTF-8 encoding is assumed. Security exceptions occur when any unsupported characters, decoding errors, or overlong encoding is encountered. If the web server, file system, or browser normalizes the path differently, a rule based on the location
attribute could return unexpected results.
A blocking rule for a specific URI is not intended to be a robust security enforcement mechanism. For example, a rule established with a domain name can be bypassed if a user uses the IP address instead. The recommended practice is to have a final rule in your rule set with no identifiers and an action of block. Define the rules that you need to run RIAs without security prompts or with default processing, and let all other RIAs be matched by the final rule, which blocks them from running.
Use of the HTTPS protocol is recommended for all locations.
The order of the rules in the deployment rule set is critical. Rules are processed sequentially from the beginning of the file. When a match is found, no further rules are processed. Review your final rule set and look at both positive and negative cases to ensure that the rules cover the RIAs that you plan to manage without allowing matches to unknown RIAs.
Rules are required for all artifacts of the RIA, such as multiple JAR files and JNLP extensions. Be careful when defining a rule for an artifact so that you do not inadvertently allow other RIAs that match the rule to run.
Deployment rules allow RIAs to run with old versions of the JRE when needed for compatibility, however, older versions might have known security issues. Use the latest JRE whenever possible, and set the version
attribute to SECURE
or SECURE-version
. If an older version of the JRE must be used, make any rule that requests the old version as restrictive as possible to limit the RIAs that match the rule and run with the old version. Use of all of the identifiers–location, title, and certificate hash–is recommended in this case.
If a rule with an action of run
exists for the RIA, the RIA is run even if the certificate used to sign the RIA is expired.
The following rule set allows all RIAs from https://host.example.com/
to run without security prompts. RIAs from other locations do not match the rule so default processing is used and security prompts are shown as applicable.
<ruleset version="1.0+"> <rule> <id location="https://host.example.com" /> <action permission="run" /> </rule> </ruleset>
To ensure that all RIAs are handled by the rule set, you can provide a final rule that matches any RIA that was not matched by a previous rule. The action for this rule must be either block
or default
. The following rule set allows all RIAs from https://host.example.com:8080
to run without security prompts and blocks all other RIAs.
<ruleset version="1.0+"> <rule> <id location="https://host.example.com:8080" /> <action permission="run" /> </rule> <rule> <id /> <action permission="block" /> </rule> </ruleset>
Rules are processed in the order in which they appear in the rule set. Complex patterns can be defined for matching rules by placing the rules in the correct order. The following rule set allows RIAs from https://host.example.com
to run without security prompts using a secure version of the Java 1.7 platform, but uses default processing for RIAs from https://host.example.com/games
, which shows applicable security prompts. RIAs from other locations do not match either rule, so default processing is used.
<ruleset version="1.0+"> <rule> <id location="https://host.example.com/games" /> <action permission="default" /> </rule> <rule> <id location="https://host.example.com" /> <action permission="run" version="SECURE-1.7" /> </rule> </ruleset>
The following rule set modifies the previous rule set and allows the RIA named Solitaire from https://host.example.com/games
to run with default processing. Other RIAs from https://host.example.com
are allowed to run without security prompts using a secure version of the Java 1.7 platform. All other RIAs are blocked.
<ruleset version="1.0+"> <rule> <id title="Solitaire" location="https://host.example.com/games" /> <action permission="default" /> </rule> <rule> <id location="https://host.example.com" /> <action permission="run" version="SECURE-1.7" /> </rule> <rule> <id /> <action permission="block" /> </rule> </ruleset>
If you want to allow multiple RIAs from multiple locations to run, and all RIAs are signed with the same certificate, you can use the certificate
element to identify the RIAs with one rule instead of creating rules for each location and title. The following rule set allows all RIAs that are signed with the certificate used by Oracle to run without security prompts using a secure version of the Java platform. RIAs from any host ending with example.com
are allowed to run with default processing. All other RIAs are blocked, and a custom message is shown.
<ruleset version="1.0+"> <rule> <!-- allow anything signed with company's public cert --> <id> <certificate hash="794F53C746E2AA77D84B843BE942CAB4309F258FD946D62A6C4CCEAB8E1DB2C6" /> </id> <action permission="run" version="SECURE" /> </rule> <rule> <id location="*.example.com" /> <action permission="default" /> </rule> <rule> <id /> <action permission="block"> <message>Blocked by corporate. Contact J. Smith, smith@host.example.com, if you need to run this app.</message> </action> </rule> </ruleset>