2

After update Java to Java 8 update 25, the Medium security level has been removed from the Java Control Panel. I am a TA and need to browse many sites from the students. These sites contain Java Applet and they are just different in ports, such as 1.1.1.1:8001, 1.1.1.1:8002, 1.1.1.1:8003 and so on.
Now each time I open the page of one student, the Java Applet is disabled because of the security level. After adding http://1.1.1.1:8001 to the Exception Site List, I can run the applet on 1.1.1.1:8001 successfully. However it does not support wildcard. So do I need to add all the sites one by one by hands? I believe that is very painful!
Any help is appreciated! Thanks very much!

tamlok
  • 143

2 Answers2

3

From Oracle.com » Exception Site List

Wildcards are not supported. If only a domain is provided, any RIA from that domain is allowed to run. A domain can have multiple entries, for example, https://www.example.com and http://www.example.com.

A port number is required only if the default port is not used.

This means you are correct that there is no other way then adding each site:port one by one.

But you can use a deployment rule set

I'll summarize the steps but you have to read the full guide anyway

  1. Create an ANSI encoded text file and name it ruleset.xml

  2. Build your content and add any site:port you need. It seems wildcards are allowed here.

    <ruleset version="1.0+">
        <rule>
        <id location="http://1.1.1.1:*" />
        <action permission="run" />
    </rule>
    <rule>
        <id />
        <action permission="block" />
    </rule>
</ruleset>

  3. Download the Java JDK, copy the ruleset.xml file to the bin folder of the JDK install location, where the jar.exe file is.

  4. Open a command prompt and cd to the location of jar.exe and ruleset.xml. Type in this command:

    jar -cvf DeploymentRuleSet.jar ruleset.xml

  5. Now you need to sign the deployment ruleset. For that, you need a java keystore with a cert in it that is trusted on your computer.

    One way to generate a keystore is to use keytool.exe which is in C:\Program Files\Java\jre6\bin together with this command

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

    To extract the certificate from the keystore, use

    keytool -exportcert -keystore keystore.jks -alias selfsigned -file Cert.cer

    And then you can install this cert into the trusted root CA (Guide)

  6. If your certificate has an extension of .pfx, just rename it to .p12

  7. Use keytool to import the .p12 file

    Keytool -importkeystore -deststorepass password -destkeystore Keystore.jks -srcKeystore Cert.p12 -srcstoretype pkcs12 -srcstorepass password

    You’ll want to change the -srcstorepass to the password of your certificate

    You should get something that says "Entry for alias…". After the word alias is the alias of the keystore, which you will need. (long GUID)

  8. Now that you have a keystore with a trusted certificate in it, you can use that to sign the jar file.

    To do this, open a command prompt in the jdk bin folder and type:

    jarsigner -verbose -keystore keystore.jks -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar selfsigned

    Change "selfsigned" to the alias you had from step 7

  9. Now, put the DeploymentRuleSet.jar file in one of these directories:

    • Windows: c:\Windows\Sun\Java\Deployment.
    • Mac, Linux, Unix: /etc/.java/deployment

That's it. Easy, huh?

You can verify if the DeploymentRuleSet is in place by going to the Java console in control panel and clicking the security tab. Click on “View the active Deployment Rule Set”

Sources

Please note that

If an active deployment rule set is installed on the system, the deployment rules take precedence over the exception site list.

Source

nixda
  • 27,634
1

Dont think you can use wildcard for the port number in the ruleset. According to the Oracle documentation, the port number must match exactly.

user499663
  • 11