Hi guys,
This might sound a bit weird (and even some think I'm wasting my time), but anyways, I'll try to ask here
I'm doing a master thesis on "Web Security: Web Content Security and Distribution". I have a totally signed and encrypted web application (all the .class files, configuration files, jar files, any files - are encrypted). Now I need to write a sort of "plugin" for
tomcat, so that it decrypts the bytecodes before loading any file.
I've managed to extend the WebappClassLoader to decrypt all the class files in my webapp before loading them into the JVM. However, I'm having troubles implementing the same stuff for regular files,
jsp files, and jar files.
Please please, any suggestions on the design (where would be the best place to decrypt, what tomcat classes would be the best override) or implementation are highly appreciated!
Maybe I need to implement a custom DirContext, extending org.apache.naming.resources.FileDirContext and storing my files decrypted in some temp location and virtually mapping them? But in this case the whole notion of "security" would have no point.
Or maybe I need to implement a ProxyDirContext, storing all my files on a different, secure proxy, and have a strong authentication (public-key auth, rsa?) between tomcat and the proxy and let tomcat fetch the files securely from the proxy?
Or just write a couple of custom plugins, as I did with the classLoader?
Hope to hear from you guys soon!
Btw, this is my first message, and hope it's not too informal
Regards,
Ikrom