Back in February I wrote a post regarding using Oracle Deployment Ruleset to control the version of Java that executes a given jar file on a given website. Since that time, you may have discovered that applying this to a jnlp file is tricky at best. The problem here is that Internet Explorer downloads the jnlp file to your Temporary Internet files before executing it. As a result, the location it is launching from is not the online url, but the local jnlp file. It may be technically possible to find the certificate hash of each jar file referenced in the jnlp file and add these to you deploymentruleset.jar file but I have not tested this.
As with most Java applets, problems begin to occur when a version of JRE is installed that is higher than the version that the applet is designed for. At first what I tried to do is run a ProcMon on a computer with just the required version of Java installed.
I have seen some discussion about requirements for using a certificate generated from Active Directory Services for signing the DeploymentRuleset.jar file. This post is intended to showcase how I was able to do this…this may or may not be the only way or the best way 🙂
1. The certificate template must have the private key exportable and must be usable for code signing.
2. The certificate chain must be in the trusted root store of the user running JRE in the browser
3. The certificate chain must be verifiable via OCSP responder or revocation list.
4. A Ruleset.xml file … this post doesn’t address creating this file…
In Java 1.7 Update 71, Java 1.7 Update 72 and Java 1.8 Update 25 Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA.
<id location="*.javatester.org" >
<action permission="run" version="1.6*" >
<action permission="run" version="1.6*">