Java Security Setting - Help Needed 1

[thefourthwall]

Hello,

Our desktops run XP. Java is also installed, the current release being update 27.

A small group of users runs a java-based app that seems to work well only when the Mixed code setting in the Java control panel is set to "Disable verification (not recommended)."

One can navigate to it from Control Panel by opening the Java Control Panel, clicking Advanced > Security > Mixed Code.

That setting is retained on a per-user basis only, it appears.

I am looking to make this a per-machine setting instead of per-user; is this possible? Yes, I am aware of the security vulnerability here, but these users are processing company-internal data, with no internet access.

Thanks for your help,

thefourthwall

 

[GeekyDeaks]

Hi,

You will need to configure a system wide deployment.properties file.

Check the following document for details on how this is done:

http://download.oracle.com/javase/1.5.0/docs/guide/deployment/deployment-guide/properties.html

Cheers,
Scott

 

[GeekyDeaks]

Just checked and the line you are interested in is as follows:

deployment.security.mixcode=DISABLE

So you need to have this in the system wide properties file. Just open the user one first to take a look at what is in there. You might need to remove the deployment.properties file from people who have already logged into the machine for this to take effect. I'd have to try this myself to be 100% sure.

Cheers,
Scott

 

[GeekyDeaks]

This link has more up-to-date settings for the properties file - it was a little hidden...

http://download.oracle.com/javase/7...s/deployment/deployment-guide/properties.html

Cheers,
Scott

 

[GeekyDeaks]

Ok, so I had a play with this myself. You have to be *very* precise with the URL for the properties file, so if it's a local file you need to give it file:///<path>

As an example this is what I used:

The file 'C:\Windows\Sun\Java\Deployment\deployment.config' has the following content:

deployment.system.config=file:///C:/Program Files/Java/jre7/lib/deployment.properties

The file: 'C:\Program Files\Java\jre7\lib\deployment.properties' has the content:

deployment.security.mixcode=DISABLE
deployment.security.mixcode.locked

This overrides the users settings and prevents them from changing them.

Hopefully this helps.

Cheers,
Scott

 

[thefourthwall]

Hi folks,

Thank you so much for your support! I just finished imaging a pc and will give this a go now. Will report back with my findings this afternoon, I hope.

 

[thefourthwall]

Good morning Scott,

It took some trial and error (due mainly to my typing errors), but I was able to implement your solution on one PC - it works! I was rather lost, and your assistance was absolutely vital. Thank you.

From the documentation links you provided, I think it will be necessary to delete the users' "<User Application Data Folder>\Sun\Java\Deployment\deployment.properties" files, and then copy over the deployment.config and deployment.properties files and restart the PC's. But that should be the easy part.

Thanks again,
Lawrence

 

[GeekyDeaks]

Hi Lawrence,

Whilst playing around, I found that you can override the user settings with the .locked entry, even if they have already created a personal deployment.properties file. So if you look at my example above, I used the following:

deployment.security.mixcode=DISABLE
deployment.security.mixcode.locked

The second one causes the deployment.security.mixcode setting to override the user settings. You can see the options greyed out in the control panel. This will actually prevent the user from changing the settings on the machine, so you may want to do this anyway to prevent them inadvertently modifying it. It worked for me without a reboot or even a logout, just a restart of the java application. It also means you don't have to delete the users deployment.properties file.

Cheers,
Scott