After updating Java to Java 8 update 25, the Medium security level has been removed from the Java Control Panel. I am a TA and need to browse many sites from the students. These sites contain Java applets and they differ only in their ports, such as 1.1.1.1:8001, 1.1.1.1:8002, 1.1.1.1:8003 and so on.
Now each time I open the page of one student, the Java applet is disabled because of the security level. After adding http://1.1.1.1:8001 to the Exception Site List, I can run the applet on 1.1.1.1:8001 successfully. However, it does not support wildcards. So do I need to add all the sites one by one by hand? I believe that is very painful!
Any help is appreciated! Thanks very much!
- The Java Applet I believe only handles the security when you're using Internet Explorer. You can always use a different browser if you want to change your usage habits. – Ramhound, commented Dec 2, 2014 at 11:59
- @Ramhound Sorry, can't understand what you mean. I think this is not related to browsers. – tamlok, commented Dec 2, 2014 at 12:38
- You mean the Java Control Panel. I mention the fact that it only controls the integration with Internet Explorer for a reason. Firefox and Chrome handle Java security permissions differently. – Ramhound, commented Dec 2, 2014 at 12:51
2 Answers
From Oracle.com » Exception Site List
Wildcards are not supported. If only a domain is provided, any RIA from that domain is allowed to run. A domain can have multiple entries, for example, https://www.example.com and http://www.example.com.
A port number is required only if the default port is not used.
This means you are correct that there is no other way than adding each site:port one by one.
But you can use a deployment rule set.
I'll summarize the steps, but you have to read the full guide anyway.
1. Create an ANSI encoded text file and name it ruleset.xml.
2. Build your content and add any site:port you need. It seems wildcards are allowed here.
    <ruleset version="1.0+">
      <rule>
        <id location="http://1.1.1.1:*" />
        <action permission="run" />
      </rule>
      <rule>
        <id />
        <action permission="block" />
      </rule>
    </ruleset>
3. Download the Java JDK, copy the ruleset.xml file to the bin folder of the JDK install location, where the jar.exe file is.
4. Open a command prompt and cd to the location of jar.exe and ruleset.xml. Type in this command:
    jar -cvf DeploymentRuleSet.jar ruleset.xml
5. Now you need to sign the deployment ruleset. For that, you need a Java keystore with a cert in it that is trusted on your computer.
   One way to generate a keystore is to use keytool.exe, which is in C:\Program Files\Java\jre6\bin, together with this command:
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
   To extract the certificate from the keystore, use:
    keytool -exportcert -keystore keystore.jks -alias selfsigned -file Cert.cer
   And then you can install this cert into the trusted root CA (Guide).
6. If your certificate has an extension of .pfx, just rename it to .p12.
7. Use keytool to import the .p12 file:
    keytool -importkeystore -deststorepass password -destkeystore Keystore.jks -srckeystore Cert.p12 -srcstoretype pkcs12 -srcstorepass password
   You’ll want to change the -srcstorepass to the password of your certificate.
   You should get something that says "Entry for alias…". After the word alias is the alias of the keystore, which you will need. (long GUID)
8. Now that you have a keystore with a trusted certificate in it, you can use that to sign the jar file. To do this, open a command prompt in the jdk bin folder and type:
    jarsigner -verbose -keystore keystore.jks -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar selfsigned
   Change "selfsigned" to the alias you had from step 7.
9. Now, put the DeploymentRuleSet.jar file in one of these directories:
   - Windows: c:\Windows\Sun\Java\Deployment
   - Mac, Linux, Unix: /etc/.java/deployment
That's it. Easy, huh?
You can verify if the DeploymentRuleSet is in place by going to the Java console in control panel and clicking the security tab. Click on “View the active Deployment Rule Set”.
Sources
- http://ephingadmin.com/administering-java/
- http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
Please note that
If an active deployment rule set is installed on the system, the deployment rules take precedence over the exception site list.
- Hi, thanks very much! But I don't understand step 6 and 7. Where is this certificate file? I can't find the .p12 file. – tamlok, commented Dec 3, 2014 at 1:50
Don't think you can use a wildcard for the port number in the ruleset. According to the Oracle documentation, the port number must match exactly.
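An added example, not part of either answer: if the port has to match exactly, as the second answer says, ruleset.xml can be generated with one run rule per port and checked before it is packaged and signed. The function names build_ruleset and audit_ruleset are hypothetical; the host and ports are the ones from the question.

```python
import xml.etree.ElementTree as ET

# Added example: function names are hypothetical, not part of any Java tooling.


def build_ruleset(host, ports, scheme="http"):
    """Build ruleset.xml text: one 'run' rule per exact host:port, then block."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not host or any(c in host for c in "*/:@?# \t"):
        raise ValueError(f"host must be a plain name or IPv4 address: {host!r}")
    wanted = set()
    for port in ports:
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
        wanted.add(port)
    if not wanted:
        raise ValueError("no ports given")
    root = ET.Element("ruleset", version="1.0+")
    for port in sorted(wanted):
        rule = ET.SubElement(root, "rule")
        ET.SubElement(rule, "id", location=f"{scheme}://{host}:{port}")
        ET.SubElement(rule, "action", permission="run")
    # Same catch-all as the first answer's ruleset: anything not listed is blocked.
    last = ET.SubElement(root, "rule")
    ET.SubElement(last, "id")
    ET.SubElement(last, "action", permission="block")
    return ET.tostring(root, encoding="unicode")


def audit_ruleset(xml_text):
    """Return a list of findings for a ruleset before it is packaged and signed."""
    findings = []
    rules = ET.fromstring(xml_text).findall("rule")
    for n, rule in enumerate(rules, 1):
        ident, action = rule.find("id"), rule.find("action")
        loc = ident.get("location") if ident is not None else None
        perm = action.get("permission") if action is not None else None
        # Flagged because the second answer says the port must match exactly.
        if loc and loc.rsplit(":", 1)[-1] == "*":
            findings.append(f"rule {n}: port wildcard in {loc}")
        if perm == "run" and not (ident is not None and ident.attrib):
            findings.append(f"rule {n}: 'run' with an empty <id/> allows everything")
    if not rules or rules[-1].find("id") is None or rules[-1].find("id").attrib:
        findings.append("no catch-all rule at the end")
    return findings


if __name__ == "__main__":
    print(build_ruleset("1.1.1.1", range(8001, 8004)))  # ports from the question
```

The printed XML would be saved as ruleset.xml before running the jar -cvf command from the first answer.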