This topic describes system and user properties that can be set to configure applications deployed with Java Web Start or Java Plug-in.
The deployment.properties file is used for storing and retrieving deployment configuration properties shown in the Java Control Panel. The properties are also used for customizing runtime behavior for both Java Plug-in and Java Web Start.
A user-level deployment.properties file always exists. Its location, which is non-configurable, is described in User Level. There can also be an optional system-level deployment.properties file. If it exists, its location is determined by a System Administrator through the deployment.config file, described in System Level.
21.1.1 User Level
The following table shows the location of the user-level deployment.properties file.
Table 21-1 Location of the User-Level Deployment Configuration File
Operating System
Location
On Windows, is typically C:\Users\ username . On Solaris and Linux, $ is typically /home/ username . On OS X, the tilde (
) represents the home directory, which is typically /Users/ username .
The following locations provide examples for each operating system:
For user jsmith running on Windows 7, the deployment.properties file would be located in the following directory:
For user bjones running on Solaris or Linux, the deployment.properties file would be located in the following directory:
For user jdoe running on OS X, the deployment.properties file would be located in the following directory:
21.1.2 System Level
The deployment.config file is used for specifying the system-level deployment.properties in the infrastructure. By default no deployment.config file exists, so no system-wide deployment.properties file exists. If the deployment.config file exists, it is located in one of the directories shown in the following table.
Table 21-2 Location of the System-Level Deployment Configuration File
Operating System
Location
$ is the location of the JRE from which the deployment products are run. Deployment products include Java Web Start, Java Plug-in, Java Control Panel, and others.
The deployment.config file contains two properties: deployment.system.config and deployment.system.config.mandatory .
The deployment.system.config property is the URL to the system (enterprise-wide) deployment.properties file. This property can be used by system administrators to centrally administer or «lock-down» user-specific configuration settings. For local files, use the file protocol in the URL, for example, file:///C:/Windows/Sun/Java/Deployment/deployment.properties .
If the format for the file protocol that is shown in the example does not work for you, try one of the following alternative formats:
file\:\\C\:\\deployment.system.properties
file:\\C:\\deployment.system.properties
file://\\C:\\deployment.system.properties
file:/C:/deployment.system.properties
The deployment.system.config.mandatory property is a boolean. If set to true , the deployment.properties file that is pointed to by the deployment.system.config property must be found and successfully loaded, otherwise, nothing is allowed to run. If the property is set to false , an attempt is made to find and load the deployment. properties file that is pointed to by the deployment.system.config property. If successful, the file is used, otherwise, the file is ignored. The default for the deployment.system.config.mandatory property is false .
21.2 Deployment Configuration Properties
The following tables describe the properties that can be set in the deployment.properties file.
Any system deployment property, for example SomeKey=SomeValue , can be locked by including another key, SomeKey.locked . The key SomeKey.locked does not require a value, when the key is present, the property SomeKey=SomeValue is locked so that the user cannot change it. If a system deployment property is not locked, then a user is allowed to change it.
21.2.1 Infrastructure
Table 21-3 Configuration Properties Related to Infrastructure
Property Key
Type
Default Value
Description
$USER_HOME + File.separator + cache
User-level cache directory.
System-level cache directory.
$USER_HOME + File.separator + log
User-level log directory.
21.2.2 Certificate stores and policy files
Table 21-4 Configuration Properties Related to Certificate Stores and Policy Files
Table 21-5 Configuration Properties Related to Security Access and Control
Property Key
Type
Default Value
Description
Security level setting. The following values are valid:
HIGH : Applications that are signed with a valid certificate and include the Permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. Applications are also allowed to run with security prompts when the revocation status of the certificate cannot be checked. All other applications are blocked.
VERY_HIGH : Applications that are signed with a valid certificate and include the Permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked.
Set to true to run applets or Java Web Start (JWS) applications. Set to false to block applets and JWS applications from running.
Setting for insecure JRE prompt. The following values are valid:
NEVER : Untrusted content always runs with the default JRE.
PROMPT : Users are prompted before using insecure JRE versions, and are shown warning dialogs
Set to true to prompt users to update the JRE when an out-of-date JRE is found on their system. Set to false to suppress the prompt.
Note: To ensure that the expiration check is disabled, use the -userConfig deployment.expiration.check.enabled false option with the javaws command. If this property is changed in the deployment.properties file, open the Java Control Panel before starting an application to ensure that the native cache is synchronized with the file. Otherwise, the change might be ignored the first time an application is started.
Set to true to allow users to grant permissions to applets and JWS applications. Set to false to block users from granting permissions.
Set to true to allow users to grant permissions to certificates that are not issued by a CA in the Root/JSSE CA certificate store. Set to false to block users from granting permissions.
Set to true to enable JSSE HTTPS certificate verification to show host-mismatch warnings. Set to false to suppress the warnings.
Policy file that contains the ceiling policy of permissions granted to trusted applications and applets. The default is all permissions. Use this property to configure a lesser set of permissions.
Setting for mixed mode. The following values are valid:
ENABLE : Enables the software to test for mixing trusted and untrusted code and, when potentially unsafe components are detected, raises a warning dialog.
HIDE_RUN : Suppresses the warning dialog and, if potentially unsafe components are detected, behaves as if the user had clicked Run in the warning dialog — the applet or application continues running with some added protections.
HIDE_CANCEL : Suppresses the warning dialog and behaves as if the user had clicked Cancel in the warning dialog — potentially unsafe components are blocked from running and the program may terminate.
DISABLE (not recommended): Disables the software from checking for mixing trusted and untrusted code, leaving the user to run potentially unsafe code with no warning and without the additional protections.
true if the sandbox has awtShowWindowWithoutWarning.
Set to true to prompt the user to accept the JNLP API security dialogs.
Setting for the prompt to run self-signed code in the sandbox. The following values are valid:
PROMPT : Prompt user to allow the self-signed app to run in the sandbox.
NEVER : Block all self-signed content.
Setting to enable users to turn off future prompts for a signed app running in the sandbox. The following values are valid:
PROMPT : Prompt user to allow the app to run and provide information on the certificate used to sign the app. The user can choose to turn off future prompting for this application.
NEVER : Block any content from running unless it asks for and is granted all permissions.
Support for blacklisting signed JAR files that contain serious security vulnerabilities. This property is used to toggle this behavior. For more information see Blacklist Feature.
Setting for revocation checks. The following values are valid:
PUBLISHER_ONLY : Checks only the certificate that the publisher used to sign the application.
ALL_CERTIFICATES : Checks all certificates in the certificate chain.
NO_CHECK (not recommended): Suppresses the check for certificates that have been revoked.
Specifies whether Online Certificate Status Protocol is enabled.
Specifies a URL string pointing to an OCSP response server.
Points to a OCSP response signer certificate subject name.
Specifies whether to use certificate revocation list.
Specifies a URL in the Certificate Revocation List to perform a certificate validation.
Acceptable time difference, in seconds, between the system clock and the clock on the server used for revocation checks. If the property is not set, or the value is negative, the default of 900 seconds (15 minutes) is used.
Maximum time, in seconds, that the system attempts to connect to the server for revocation checks before timing out. If the property is not set, or the value is negative, the default of 15 seconds is used. To never time out, set the property to 0.
Normally Plug-in and Web Start install an Authenticator to handle communication with Authenticating web pages or Authenticating proxies. This is the default behavior (true). This option can be used to turn the normal behavior off if, for example, an application communicates directly with an authenticating web page and needs to install its own Authenticator.
21.2.4 Networking
Table 21-6 Configuration Properties Related to Networking
Property Key
Type
Default Value
Description
3 for PROX_TYPE_BROWSER
Type of proxy that should be used. The following values are valid:
