How to Set Up a Test Framework for Deployment Rule Sets (DRS)
Applies To
Java SE JDK and JRE - Version 7 and later
All Platforms
Introduction
Java SE 7 update 40 introduced Deployment Rule Sets (DRS). This is a feature for enterprises to manage their Java desktop environment directly. DRS provides a way for enterprises to continue using legacy business applications in an environment of ever-tightening Java applet and Java Web Start application security policies.
For additional information, refer to the Deployment Rule Set section of the JDK 8 Deployment Guide.
Note: This document is updated as of Java SE 7 update 45 with a default security slider setting of “High.”
Disclaimer: This sample code is provided for educational purposes only. It is not supported by Oracle Support. It has been tested internally; however, we do not guarantee that it will work for you. Ensure that you run it in a safe test environment. Additionally, the code and object names used in this article represent fictitious sample names that make up an example. Any similarity to actual code is purely coincidental and not intended in any other manner.
Procedure for Setting Up a Test Framework for DRS
This document uses a Hello World example with complete code and step-by-step instructions to illustrate how to set up a test framework for a deployment rule set. Here is the source code of the main applet, HelloWorld.java:
import javax.swing.JApplet;
import javax.swing.SwingUtilities;
import javax.swing.JLabel;

public class HelloWorld extends JApplet {
    public void init() {
        try {
            // Build the UI on the event dispatch thread.
            SwingUtilities.invokeAndWait(new Runnable() {
                public void run() {
                    // Show which JRE is actually running the applet.
                    String msg = System.getProperty("java.version");
                    JLabel lbl = new JLabel("Hello World " + msg);
                    add(lbl);
                }
            });
        } catch (Exception e) {
            System.err.println(e);
        }
    }
}
Here is the sample HelloWorld.html:
<HTML>
<HEAD>
<TITLE>HelloWorldSimpleApplet</TITLE>
</HEAD>
<BODY>
<P>HelloWorld</P>
<applet
code = "HelloWorld" archive = "HelloWorld.jar" width = "200" height = "100">
</applet>
</BODY>
</HTML>
Here is Manifest.txt (replace “Codebase” with your own customized location):
Codebase: <URL>
Application-Name: HelloWorld
Permissions: all-permissions
Here are the sample commands to create the applet jar file:
javac HelloWorld.java
jar cvfm HelloWorld.jar Manifest.txt HelloWorld*.class
Note: HelloWorld generates two class files: HelloWorld.class and the
anonymous HelloWorld$1.class.
Next, you need to set up a web server for testing. There are many choices of web server; one example is Tomcat.
We are using Windows as the example platform. Once you have installed the web server, the simplest way to get started is:
- Set the environment variable <JRE_HOME> to the top-level installation directory of the JRE.
- Set the environment variable <CATALINA_HOME> to the top-level installation directory of Tomcat.
- Run the <CATALINA_HOME>\bin\startup.bat script.
- Put the HTML and applet contents under the default <CATALINA_HOME>\webapps\<ROOT>.
- Verify by loading from http://<HOST>:<PORT>/…
Once you have deployed the HelloWorld.html in your web server, you can
begin testing. When you load HelloWorld.html, you will get a prompt
about the applet being unsigned. To avoid this prompt without signing
the applet, you can set up an “allowlist” using a Deployment Rule Set.
Although you don’t necessarily need to sign the applet, you do have to
properly sign the DRS.
Here is the sample ruleset.xml:
<ruleset version="1.0+">
  <rule>
    <id location="<CODEBASE_URL>/" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="block" />
  </rule>
</ruleset>
The above rules allow Rich Internet Applications (RIAs) to run from the source location that matches the <CODEBASE_URL>, but block anything else.
Create the DeploymentRuleSet.jar as follows:
jar -cvf DeploymentRuleSet.jar ruleset.xml
The next step is to sign the DeploymentRuleSet.jar.
Refer to these blog posts for ways to sign code:
Note: JAR files should only be
signed once. If there is a problem with the jar file after it has been
signed, do not re-sign it. Once the cause of the problem is determined,
make a new JAR file from the original files contained in the jar file
and sign it. The procedure for DeploymentRuleSet.jar is
straightforward: extract ruleset.xml
Normally, you would purchase a code signing certificate from a trusted CA to sign your applet.
Next, create a new directory, <WINDIR>\sun\java\deployment, and copy
the DRS JAR file into it. To verify, bring up the Java Control Panel,
select the “Security” tab, click on “view the active Deployment Rule
Set”, and verify the content. When you reload the HelloWorld.html, you
won’t see the security prompt even though your applet is unsigned
because it has been included in the “allowlist”.
The next example uses DRS to block an application that is not running a specific JRE. Here’s a modified HelloWorld.html which specifies the applet be run on Java SE 6 update 65. The machine also has 6u45 and 7u45 installed.
<HTML>
<HEAD>
<TITLE>HelloWorldSimpleApplet</TITLE>
</HEAD>
<BODY>
<P>HelloWorld</P>
<applet
code = "HelloWorld" archive = "HelloWorld.jar" width = "200" height = "100">
<PARAM name="java_version" value="1.6.0_65">
</applet>
</BODY>
</HTML>
Build the HelloWorld.jar with the javac command from Java SE 6. The
applet will run when you load the HelloWorld.html. Next, follow the
previous instructions to create, sign, and install the
DeploymentRuleSet.jar with this ruleset.xml:
<ruleset version="1.0+">
  <rule>
    <id location="<CODEBASE_URL>/" />
    <action permission="run" version="1.6.0_45" />
  </rule>
  <rule>
    <id />
    <action permission="block" />
  </rule>
</ruleset>
The above rules allow RIAs to run from the source location that matches
*.us.oracle.com only if JRE 1.6.0_45 is installed, but block
anything else.
When you load HelloWorld.html, your applet will be blocked because the
installed JRE is 6u65.
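The ordering behaviour of the two rulesets above, as an added example that is not part of the original article or Oracle's code: it evaluates a ruleset.xml against a page or JNLP URL with first-match-wins semantics and flags rule orderings a reviewer would question before signing. The codebase `http://apps.example.test:8080/` is a constructed value, and the location matcher is a simplified model that assumes an explicit scheme and ignores certificate and title matching.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the page's version-pinned ruleset with a made-up codebase.
SAMPLE = """<ruleset version="1.0+">
  <rule><id location="http://apps.example.test:8080/" />
        <action permission="run" version="1.6.0_45" /></rule>
  <rule><id /><action permission="block" /></rule>
</ruleset>"""
DEFAULT_PORT = {"http": 80, "https": 443}

def _parts(url):
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or DEFAULT_PORT.get(u.scheme), u.path or "/"

def location_matches(pattern, url):
    # Simplified model (assumption): scheme and port equal, '*.' host wildcard, '/'-ended path is a prefix.
    ps, ph, pp, ppath = _parts(pattern)
    us, uh, up, upath = _parts(url)
    host_ok = uh == ph or (ph.startswith("*.") and uh.endswith(ph[1:]))
    path_ok = upath.startswith(ppath) if ppath.endswith("/") else upath == ppath
    return (ps, pp) == (us, up) and host_ok and path_ok

def _is_catch_all(rule_id):
    return not rule_id.attrib and len(rule_id) == 0  # bare <id />

def decide(ruleset_xml, url):
    """First matching rule wins; returns (permission, requested JRE version)."""
    for rule in ET.fromstring(ruleset_xml).findall("rule"):
        rid, action = rule.find("id"), rule.find("action")
        loc = rid.get("location")
        if _is_catch_all(rid) or (loc and location_matches(loc, url)):
            return action.get("permission"), action.get("version")
    return "default", None  # no rule matched: normal security checks apply

def lint(ruleset_xml):
    """Findings to raise before DeploymentRuleSet.jar is signed."""
    rules = ET.fromstring(ruleset_xml).findall("rule")
    out = []
    for n, rule in enumerate(rules, 1):
        rid, perm = rule.find("id"), rule.find("action").get("permission")
        if _is_catch_all(rid) and perm == "run":
            out.append(f"rule {n}: <id /> with run allows every RIA")
        if _is_catch_all(rid) and n < len(rules):
            out.append(f"rule {n}: catch-all shadows every later rule")
    last = rules[-1] if rules else None
    if last is None or not (_is_catch_all(last.find("id"))
            and last.find("action").get("permission") == "block"):
        out.append("no final <id /> block rule: unmatched RIAs get default handling")
    return out
```

Running `lint` on the file before it goes into DeploymentRuleSet.jar catches a misplaced catch-all while the fix is still a text edit rather than a rebuild and re-sign.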
Note: The Deployment Rule Set feature requires the new Java Plug-in (available since Java SE 6 Update 10). Use of the old Java Plug-in is not supported. If a deployment rule set is installed, usage of the old plug-in is blocked for all RIAs.
Here is a parallel example for Java Web Start:
In this example, DRS is used to direct a Web Start application to run with 1.6 JRE, in a system where 1.8 and 1.6 JRE are installed.
To clear all java caches:
% javaws -uninstall
Compile the following Web Start application with the 1.6 javac.
HelloWorldws16.java:
import javax.swing.*;

public class HelloWorldws16 extends JFrame {
    public static void main(String args[])
    {
        JFrame frame = new JFrame();
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        String msg = System.getProperty("java.version");
        JPanel p = new JPanel();
        p.add(new JButton("Hello world from "));
        p.add(new JButton(msg));
        frame.getContentPane().add(p);
        frame.setSize(200,200);
        frame.setVisible(true);
    }
}
manifest.txt:
Codebase: <URL> is a placeholder. Replace this entry with your specific Codebase URL.
Codebase: <URL>
Application-Name: HelloWorldws16
Permissions: all-permissions
Main-Class: HelloWorldws16
Create jar with the above manifest:
% jar cfvm HelloWorldws16.jar manifest.txt HelloWorldws16.class
Next, sign the HelloWorldws16.jar (with your customized signing procedure).
HelloWorldws16.jnlp:
Codebase: <URL> is a placeholder. Replace this entry with your specific Codebase URL.
Note: j2se version=“1.6.0_141” is the JNLP request to use a specific 1.6 JRE.
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="[URL]"
      href="HelloWorldws16.jnlp">
  <information>
    <title>HelloWorldws16 jnlp</title>
    <vendor>Java Support</vendor>
  </information>
  <resources>
    <!-- Application Resources -->
    <j2se version="1.6.0_141"
          href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="HelloWorldws16.jar"
         main="true" />
  </resources>
  <security>
    <all-permissions/>
  </security>
  <application-desc
      name="HelloWorldws16"
      main-class="HelloWorldws16"
      width="300"
      height="300">
  </application-desc>
  <update check="background"/>
</jnlp>
If you load the jnlp file at this point, the 1.8 JRE will be used by default instead of the 1.6 JRE.
ruleset.xml:
The <URL> in the location parameter is a placeholder. Replace this entry with your specific location.
<ruleset version="1.0+">
  <rule>
    <id location="<URL>" />
    <action permission="run" version="1.6+" />
  </rule>
</ruleset>
Create DeploymentRuleSet.jar:
% jar -cvf DeploymentRuleSet.jar ruleset.xml
Next, sign the DeploymentRuleSet.jar (with your customized signing procedure).
Create %WINDIR%\sun\java\deployment if it does not exist already. Copy
the signed DeploymentRuleSet.jar to %WINDIR%\sun\java\deployment.
Load HelloWorldws16.jnlp in your browser. You will see the application
displaying 1.6.0_141 as the version of JRE in use.
Last reviewed on Sat Feb 01 2025 00:00:00 GMT+0000 (Coordinated Universal Time)