Page tree
Skip to end of metadata
Go to start of metadata

Note:

This tutorial contains information from the following sources:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
https://blogs.oracle.com/java-platform-group/entry/deployment_rule_set_by_example

Please refer to these resources for further information regarding Deployment Rule Sets and their elements.

 

Recent changes to the Java web browser plugin security model may result in users receiving security prompts when they attempt to run Java applets in their web browser.

An example of this prompt can be seen below:

 

Clicking the "Do not show this again for this app and web site." checkbox should prevent this dialog from appearing in future.  However, System Administrators may find it desirable for these prompts to not appear at all.

These dialogs can be avoided by creating and implementing a Deployment Rule Set (available since JRE 7 update 40.)

 

Deployment Rule Set Creation

Note:

This section focuses specifically on creating a rule that matches a location. A location matching rule is required to permit EditLive to access its Javascript APIs.

For alternate rule configurations, please refer to the following documentation:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html#define

 

The Rule Set is defined an XML file that must be named "ruleset.xml".

The contents of this XML file should look similar to the following example:

<ruleset version="1.0+"> 
  <rule> 
    <id location="http://YOUR_DOMAIN_HERE" />  <!-- For example: <id location="http://*.ephox.com" /> -->
    <action permission="run" /> 
  </rule>
 
  <rule> 
    <id> 
      <certificate algorithm="SHA-256" hash="794F53C746E2AA77D84B843BE942CAB4309F258FD946D62A6C4CCEAB8E1DB2C6"/> <!-- Oracle's public certificate hash. Having this will allow things like the Java.com secure version check applet. --> 
    </id> 
    <action permission="run" /> 
  </rule>
</ruleset>

 

This sample Rule Set contains 2 rules:

  1. Allow applications from the location "http://YOUR_DOMAIN_HERE" to run.  This address should be modified to match the location that EditLive! is being accessed from.  For example: "*.ephox.com".
  2. Allow applications signed with the Oracle public certificate to run.

Additional rules can be defined as required.  For information regarding the location definition, please refer to the following:

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html#define

This example can be downloaded here: sample.zip

Create + Sign Deployment Rule Set JAR

Once the Rule Set has been created, the ruleset.xml file must be packed into a signed JAR file for deployment.

To create the JAR, open a shell and run the following commands:

cd <ruleset.xml_directory>
jar -cf DeploymentRuleSet.jar ruleset.xml

The exact procedure for signing the JAR will vary between users.  Please refer to the following documentation for more information regarding creating and signing JAR files:

http://docs.oracle.com/javase/tutorial/deployment/jar/index.html

Installing the Deployment Rule Set JAR

The signed JAR must be deployed to the client's environment for the Rule Set to take effect.  The installation location is operating system dependent.

For information regarding the installation location of the Rule Set JAR, please refer to the following:

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html#package

Verify the Deployment Rule Set JAR Installation

Once installed to the appropriate location, the Security tab in the Java Control Panel should show a "View the active Deployment Rule Set" link, as shown below: 

 

Clicking this link will open an information dialog:

If the Location value matches the Rule Set that was installed previously and the displayed text matches the rule, the installation has been completed successfully.

 

Upon opening the page with the applet, the JVM will read the Rule Set:

 

The JVM will then match the rule to the running instance of EditLive!:

EditLive! should now run without showing any security dialogs.

  • No labels