How to Use Deployment Ruleset
The Deployment RuleSet (DRS) feature for IcedTea-Web allows you to:
- Create allow- and block-listings.
- Configure default rules.
- Configure security exceptions for Applets and Web Start.
DRS is designed to be deployed by your central IT department into a jar file (DeploymentRuleset.jar) that contains an XML with the rules.
Azul implementation of DRS
The SA version of Azul's IcedTea-Web supports the DRS features requested by our customers, retains compatibility with the official DRS XML format, and is compatible with Java 6 and later.
Installation
Install the SA-version of IcedTea-Web as described here.
Configuring the Deployment Ruleset
- Find your existing ruleset, normally in C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar.
- Or create a new ruleset:
  - Create a file ruleset.xml, see the examples below.
  - Create the DeploymentRuleSet.jar with JAVA_HOME\bin\jar cf DeploymentRuleSet.jar ruleset.xml. Please note that ruleset.xml should be located in the top-level folder.
  - Alternatively, "zip" the file ruleset.xml and rename it to DeploymentRuleSet.jar.
- Place it in C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar.
Ruleset Examples
- Run without security warnings
  - URL based rule:
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.oracle.com/" />
        <action permission="run" version="1.8*" force="true" />
      </rule>
    </ruleset>
  - Certificate based rule:
    <ruleset version="1.1+">
      <rule>
        <id>
          <certificate hash="A0A30C69631D2A9E3F82401ABD83107A813FAA1B1638746AFA523AA55563417C" />
        </id>
        <action permission="run" version="1.8*" force="true" />
      </rule>
    </ruleset>
  - When the JNLP has no href:
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.oracle.com/" matchcodebase="true" />
        <action permission="run" />
      </rule>
    </ruleset>
- Run with a specific JRE version
  - Old JRE 8 update 292:
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.oracle.com/" />
        <action permission="run" version="1.8.0_292" force="true" />
      </rule>
    </ruleset>
  - Old JRE 7 update 292:
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.oracle.com/" />
        <action permission="run" version="1.7.0_292" force="true" />
      </rule>
    </ruleset>
  - Run with a 32bit JVM. The "32bit" in the ruleset is just a label; the corresponding entry in jres.txt decides the bitness.
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.oracle.com/" />
        <action permission="run" version="1.8.0_292_x86" force="true" />
      </rule>
    </ruleset>
    With a corresponding jres.txt:
    1.8.0_292_x86,C:\Users\dmitry\binaries\zulu8.54.0.21-ca-jre8.0.292-win_x86
    1.8.0_292,C:\Users\dmitry\binaries\zulu8.54.0.21-ca-jre8.0.292-win_x64
- Block a URL:
  <ruleset version="1.1+">
    <rule>
      <id location="https://docs.oracle.com/" />
      <action permission="block" />
    </rule>
  </ruleset>
- Fallback rule: this must be the last rule in the file. It is triggered for any URL that does not match an earlier rule. The default behavior is as if no ruleset file was present. The most common usage is to block all URLs that are not explicitly allowed.
  <ruleset version="1.1+">
    <rule>
      <id />
      <action permission="block" />
    </rule>
  </ruleset>
- Use an alternative javaws from the reference JRE. This is designed to allow fallback to a co-installed old version of Webstart. It looks for javaws in the specified JRE and passes the JNLP URL through:
  <ruleset version="1.1+">
    <rule>
      <id location="https://docs.oracle.com/" />
      <action permission="run" version="1.8.0_202_ora" force="true" forcejavaws="true" />
    </rule>
  </ruleset>
- Wildcards are allowed in the host name. This is commonly used for subdomains, but is also useful when the hostname is indeterminate, which is common when the JNLP sits on an appliance or a local server in kiosk or retail solutions:
  <ruleset version="1.1+">
    <rule>
      <id location="https://*:2443/forms.jnlp" />
      <action permission="run" version="1.8.0_202_ora" force="true" forcejavaws="true" />
    </rule>
  </ruleset>
- Full ruleset example:
  <ruleset version="1.1+">
    <rule>
      <id location="https://docs.google.com/" />
      <action permission="run" version="1.8*" force="true" />
    </rule>
    <rule>
      <id location="https://docs.oracle.com/forms/" />
      <action permission="run" version="1.7.0_292" force="true" />
    </rule>
    <rule>
      <id>
        <certificate hash="A0A30C69631D2A9E3F82401ABD83107A813FAA1B1638746AFA523AA55563417C" />
      </id>
      <action permission="run" version="1.8*" force="true" />
    </rule>
    <rule>
      <id location="https://docs.oracle.com/test" />
      <action permission="run" version="1.8.0_202_ora" force="true" forcejavaws="true" />
    </rule>
    <rule>
      <id />
      <action permission="block" />
    </rule>
  </ruleset>
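To review what a ruleset will do before rolling it out, here is an added Python example (not IcedTea-Web code and not from this page) that evaluates a constructed ruleset the way the examples above describe: the first matching rule wins, an empty <id /> is the catch-all fallback, a certificate rule matches on the signer hash, and a version label such as 1.8.0_292_x86 is resolved through jres.txt. The location-matching details (same scheme, same port when the location names one, '*' wildcards in the host, location path as a prefix of the JNLP URL path) are assumptions for the example, not semantics documented here.

```python
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the page's format (the hash is the page's sample value).
RULESET_XML = """<ruleset version="1.1+">
  <rule><id location="https://docs.google.com/" /><action permission="run" version="1.8*" force="true" /></rule>
  <rule><id location="https://*:2443/forms.jnlp" /><action permission="run" version="1.8.0_292_x86" force="true" /></rule>
  <rule><id><certificate hash="A0A30C69631D2A9E3F82401ABD83107A813FAA1B1638746AFA523AA55563417C" /></id>
        <action permission="run" version="1.8*" force="true" /></rule>
  <rule><id /><action permission="block" /></rule>
</ruleset>"""

# Constructed jres.txt: one "<version label>,<JRE path>" entry per line, as on the page.
JRES_TXT = """1.8.0_292_x86,C:\\jres\\zulu8-x86
1.8.0_292,C:\\jres\\zulu8-x64"""


def location_matches(pattern, url):
    """Assumed matching: same scheme, same port when the pattern names one,
    '*' wildcards allowed in the host, and the pattern path is a URL-path prefix."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme != u.scheme or (p.port is not None and p.port != u.port):
        return False
    if not fnmatch.fnmatchcase(u.hostname or "", p.hostname or "*"):
        return False
    return (u.path or "/").startswith(p.path or "/")


def evaluate(ruleset_xml, url, cert_hash=None):
    """Return the <action> attributes of the first rule matching the JNLP URL
    (and signer hash, if given); an empty <id /> matches everything (fallback)."""
    for rule in ET.fromstring(ruleset_xml).findall("rule"):
        rid = rule.find("id")
        loc, cert = rid.get("location"), rid.find("certificate")
        if loc is not None and not location_matches(loc, url):
            continue
        if cert is not None and (cert_hash or "").upper() != cert.get("hash").upper():
            continue
        return dict(rule.find("action").attrib)
    return None  # no rule matched, so the ruleset has no effect


def jre_path(jres_txt, version_label):
    """Resolve an action's version label to the JRE path listed in jres.txt."""
    for line in jres_txt.splitlines():
        label, _, path = line.partition(",")
        if label.strip() == version_label:
            return path.strip()
    return None
```

Running evaluate() over every JNLP URL your users need, plus a few that they do not, is a cheap way to confirm that the fallback block rule really is last and that no allow rule is broader than intended.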
Troubleshooting
To enable logging, add the following lines to the config file C:\Users\$USER\.config\icedtea-web\deployment.properties:
deployment.log=true
deployment.log.file=true
The log files will be created at C:\Users\$USER\.config\icedtea-web\log. You can find the related log entries in the lines starting with "drs:".
For a quick check from the command line to see if the DRS ruleset is applied as expected, you can add the -verbose option:
javaws -verbose -jnlp <URL or jnlp file>