In our production environment, a security patch update has been applied and a new rt.jar file is used for it.
Do we need to recompile our Java code against this new rt.jar file and deploy it on the server?
Or is it enough to restart the web server?
It depends. It's safer to recompile your code with the new JAR.
One thing that can go wrong is the following. The Java compiler inlines the values of static final variables (as they are constants). Suppose that you have a class One that looks like this, inside some JAR file that you are using:
Suppose you have your own class Two which uses VALUE:
The compiler will replace the One.VALUE with the actual value 123 - it will not make class Two refer to class One to get the value. That means that if you replace class One with a new version:
and then run class Two without recompiling it, you will still see the old value 123 being printed!
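The stale-constant effect described in the answer, as an added example that is not the answerer's own code: it compiles `One` and `Two` together, rebuilds only `One` with a different constant, then runs the old `Two.class`, which returns the inlined value next to the value read through a method call. The replacement value 456 and the names `InlineDemo`, `show()` and `current()` are assumptions made for illustration; it needs a JDK, since it calls the system compiler.

```java
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;

public class InlineDemo {
    // Constructed library class. 123 is the value from the answer; 456 is assumed.
    static String one(int v) {
        return "public class One {\n"
             + "  public static final int VALUE = " + v + ";\n"
             + "  public static int current() { return VALUE; }\n"
             + "}\n";
    }

    // Constructed caller: reads the constant directly and through a method call.
    static final String TWO =
          "public class Two {\n"
        + "  public static String show() {\n"
        + "    return \"inlined=\" + One.VALUE + \" live=\" + One.current();\n"
        + "  }\n"
        + "}\n";

    static void compile(JavaCompiler javac, Path out, Path... sources) {
        String[] args = new String[sources.length + 4];
        args[0] = "-d";  args[1] = out.toString();
        args[2] = "-cp"; args[3] = out.toString();
        for (int i = 0; i < sources.length; i++) args[i + 4] = sources[i].toString();
        if (javac.run(null, null, null, args) != 0) throw new IllegalStateException("compile failed");
    }

    public static void main(String[] argv) throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) throw new IllegalStateException("needs a JDK, not a JRE");
        Path src = Files.createTempDirectory("src"), out = Files.createTempDirectory("out");
        Path oneSrc = src.resolve("One.java"), twoSrc = src.resolve("Two.java");
        // Build 1: library and caller compiled together.
        Files.write(oneSrc, one(123).getBytes("UTF-8"));
        Files.write(twoSrc, TWO.getBytes("UTF-8"));
        compile(javac, out, oneSrc, twoSrc);
        // "Patch": only One is rebuilt; Two.class is left untouched.
        Files.write(oneSrc, one(456).getBytes("UTF-8"));
        compile(javac, out, oneSrc);
        // Load the mixed set of class files and call the old Two.
        try (URLClassLoader cl = new URLClassLoader(new URL[] { out.toUri().toURL() })) {
            System.out.println(cl.loadClass("Two").getMethod("show").invoke(null));
        }
    }
}
```

Only compile-time constants (primitives and strings initialised with constant expressions) are copied into the caller this way; values obtained through a method call are resolved against the class that is actually loaded at run time.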