Topics and trends related to the Java ecosystem with occasional random rants.

  • December 14, 2017

Help for Signing Deployment Rule Sets

James Connors
Principal Solutions Consultant

Among other benefits, the Java SE Advanced offering provides customers with access to security patches for Java releases that are no longer publicly updated.  And as a result, many of these organizations have become diligent -- deservedly so -- in keeping up to date with Oracle's quarterly cadence.  If you are one of those customers who falls into this category, you may have noticed that the most recent October 2017 updates for Java 6 (6u171) and Java 7 (7u161) will no longer include a Java Plugin.

Does that mean future Java 6 and 7 updates won't be able to run browser-based applications?  The answer is no, these releases can still run Java web content, but they must be launched with the latest Java 8 update configured with Deployment Rule Sets.  Briefly, Deployment Rule Sets enable you to control the version of the JRE that is used for specific applications.  In this scenario, the Latest (most secure) Java 8 update is launched when a user clicks on a link to start a web application.  The Java 8 plugin will consult the Deployment Rule Set, which contains a set of rules, to determine what to do next,  If a rule exists to direct your application to run a specific version of Java, it will do so.  If no rule exists, the rule set can be configured to block the application, thus assuring only those applications you trust can run.

The purpose of this article is not to introduce you to Deployment Rule Sets; there are other excellent resources including this entry entitled Introducing Deployment Rule Sets.  Rather, the discussion today focuses on a critical step in creating rule sets, namely the requirement that the rule set be signed.  The aforementioned article was written in 2013 when Deployment Rule Sets were first introduced.  Java web application security has been further ratcheted up since, and the rule set signing section in the article only glosses over the steps required.

To help facilitate the signing of Deployment Rule Sets, the following GitHub project has been created:


Along with documentation and a sample ruleset, it includes Windows Powershell script which automates the process.  You can check out the project's README for further info.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.