New Tool: JavaRuleSetter for creating Deployment Rule Sets in Java
Deployment Rule Set
In the beginning, there was just the Deployment Rule Set, a way to create whitelists and blacklists for the execution of Java applets. It was basically meant for administrators to block RIAs (Java applets and Java Web Start Applications, known collectively as Rich Internet Applications) by domain, certificate or name. This was great but quite difficult to implement. The steps to create a rule set were:
- Create a ruleset in XML. You have to know the syntax... for example:
- Compile it with Java (you would need the JDK).
- Sign it with a trusted certificate of your own. If you do not have one, you have to create it.
- Copy it to a standard place in the system.
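
An added example (not part of the original post and not JavaRuleSetter's own code) covering the first two steps: it builds a ruleset.xml that allows a list of locations and blocks everything else, checks that no rule sits behind the catch-all, and packages the file as an unsigned DeploymentRuleSet.jar. The host names and function names are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample whitelist (assumed hosts, not taken from the post).
ALLOWED = ["https://intranet.example.com", "*.apps.example.org"]


def build_ruleset(allowed, message="Blocked by Deployment Rule Set"):
    """Return ruleset.xml bytes: one 'run' rule per location, then block all."""
    root = ET.Element("ruleset", version="1.0+")
    for location in allowed:
        rule = ET.SubElement(root, "rule")
        ET.SubElement(rule, "id", location=location)
        ET.SubElement(rule, "action", permission="run")
    # Rules are evaluated top to bottom and the first match wins, so the
    # catch-all rule (an empty <id/>) has to come last.
    rule = ET.SubElement(root, "rule")
    ET.SubElement(rule, "id")
    action = ET.SubElement(rule, "action", permission="block")
    ET.SubElement(action, "message").text = message
    return ET.tostring(root, encoding="utf-8")


def unreachable_rules(xml_bytes):
    """Return indexes of rules placed after a catch-all <id/> (never reached)."""
    rules = ET.fromstring(xml_bytes).findall("rule")
    for i, rule in enumerate(rules):
        rule_id = rule.find("id")
        if rule_id is not None and not rule_id.attrib and len(rule_id) == 0:
            return list(range(i + 1, len(rules)))
    return []


def package_ruleset(xml_bytes):
    """Return the bytes of an unsigned DeploymentRuleSet.jar (a JAR is a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("ruleset.xml", xml_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    xml_bytes = build_ruleset(ALLOWED)
    assert unreachable_rules(xml_bytes) == []
    with open("DeploymentRuleSet.jar", "wb") as fh:
        fh.write(package_ruleset(xml_bytes))
    # Still to do: sign with jarsigner (JDK), copy to the deployment directory.
```

The resulting JAR is not honoured by Java until it has been signed with a trusted certificate and copied to the system location, the last two steps in the list.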

Exception Site List
This was created in January 2014 (just months after Deployment rules) for users. It does not require administrative privileges and it is all done via the Java interface. It may be seen as a second way to whitelist, though not as powerful as Rule Sets, and as a first layer of defense for a single user.

To create an Exception List, just run javacpl.exe and add a domain. It will work one way or another depending on the Java security configuration.

The file controlling the Exception Site List is stored in the user’s deployment location, C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites in Windows.
Rule Sets VS Exception Site Lists
So the main differences are:

Rule Sets allow you to create a rule set and distribute it to several computers. They win over Exception Site Lists in case of conflict, and may be modified only by an administrator (not by the user). Another interesting thing is that Rule Sets work at a very early stage. If security levels are defeated some day, Exception Site Lists would be bypassed, but not the Rule Sets.
The whole picture
Java is complicated right now. This is the decision flow when executing an applet (or RIA, in general). This is the best way to understand how security has improved in just two years. The complete flow of Java applets executing or not depending on JRE version, Deployment Rules, Exception Lists, etc., is this. Deployment rules work on the second level from the start, and Exception lists work on the fifth level.

The tool
Java Rule Setter is intended for users who are really worried about Java security (they all should be) and have to work with it (if you don't, just uninstall it from the browser).
If you have no idea what you are doing, just add a domain where you need Java to run and click on "Apply changes". The program will create default settings and apply them. If you are a savvy user, you can use your usual keystore to sign the Deployment Rule file, and skip the whole process. Click on "Advanced mode" for more information.





The tool works on GNU/Linux and Mac OS X, although it has not been fully tested on those platforms.
We have created two versions, for Java 8 and Java 7. This tool is in alpha version, so it may contain some bugs. Please report them so we can fix them.
To get to know the Deployment Rule Set system in depth and take full advantage of the tool, we recommend reading this official documentation:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
More information and instructions are available here.