
Java source code protection

 
Mike Cheung, Ranch Hand, Posts: 115
Hi, has anyone tried to do this with ahead-of-time compilation like what Excelsior offers with its Excelsior JET? If an application is written using Spring or needs to run in a container such as Tomcat or GlassFish, is the whole thing going to be compiled into an executable such as .lx for Linux? What is your experience using Excelsior JET or any other alternatives?
 
Ulf Dittmer, Rancher, Posts: 43028
My first question would be: why do you think you need to do this? What are the attacks you're trying to guard against? Keep in mind that web app class files are not distributed in the same way class files for applets or desktop apps are distributed.
 
Mike Cheung, Ranch Hand, Posts: 115

Ulf Dittmer wrote:My first question would be: why do you think you need to do this? What are the attacks you're trying to guard against? Keep in mind that web app class files are not distributed in the same way class files for applets or desktop apps are distributed.


I need to come up with a solution that protects the source code from being leaked. I am researching a way to do this for Java. This is for a server and desktop based application, not a web based solution.
 
Ulf Dittmer, Rancher, Posts: 43028
Where do you see the difference between a web app and a server app? In neither case are class files distributed; are you trying to guard against rogue sys admins?

Java source code in some form can always be recovered from class files. Tools like ProGuard can make it harder, but a determined attacker will be able to get around that.
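To make the point concrete, here is an added example (not code from the thread, nor from ProGuard or Excelsior): a small Java program that reads a compiled .class file and lists the constant-pool symbols and string literals, which is what anyone holding the class file sees before running any decompiler. With no arguments it inspects its own bytecode after `javac ClassFileInspector.java && java ClassFileInspector`; given a path it inspects that file instead. The class name, the `inspect` method and the `LICENSE_HINT` literal are my own constructed names. ProGuard's renaming hides identifiers but leaves string literals as they are, so running this over the classes of an obfuscated jar is a quick check of what a build still exposes.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not code from the thread: lists what a .class file exposes
 * without a decompiler. Run with no arguments to inspect this class's own
 * bytecode, or pass a path to any other .class file (e.g. one extracted from
 * an obfuscated jar) to see which names and literals survived obfuscation.
 */
public class ClassFileInspector {

    // Constructed sample literal. ProGuard renames the field but keeps the text,
    // so it shows up verbatim in the "string literal" lines below.
    private static final String LICENSE_HINT = "constructed example: license-check message";

    public static void main(String[] args) throws IOException {
        InputStream in = args.length > 0
                ? new FileInputStream(args[0])
                : ClassFileInspector.class.getResourceAsStream("ClassFileInspector.class");
        if (in == null) throw new IOException("class file not found");
        try (DataInputStream din = new DataInputStream(in)) {
            for (String line : inspect(din)) System.out.println(line);
        }
        System.out.println("(the literal above was: " + LICENSE_HINT + ")");
    }

    /** Parses the header and constant pool (JVMS 4.1, 4.4) and returns readable lines. */
    static List<String> inspect(DataInputStream in) throws IOException {
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        int minor = in.readUnsignedShort();
        int major = in.readUnsignedShort();
        int count = in.readUnsignedShort();            // constant_pool_count (slots + 1)
        String[] utf8 = new String[count];             // CONSTANT_Utf8 text by index
        int[] classNameIdx = new int[count];           // CONSTANT_Class -> Utf8 index
        List<Integer> stringRefs = new ArrayList<>();  // CONSTANT_String -> Utf8 index
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1:  utf8[i] = in.readUTF(); break;                   // Utf8: u2 length + modified UTF-8, as readUTF expects
                case 3: case 4: in.readInt(); break;                      // Integer, Float
                case 5: case 6: in.readLong(); i++; break;                // Long, Double occupy two slots
                case 7:  classNameIdx[i] = in.readUnsignedShort(); break; // Class
                case 8:  stringRefs.add(in.readUnsignedShort()); break;   // String
                case 16: case 19: case 20: in.readUnsignedShort(); break; // MethodType, Module, Package
                case 9: case 10: case 11: case 12: case 17: case 18:      // Field/Method/InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
                    in.readUnsignedShort(); in.readUnsignedShort(); break;
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break; // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag + " at #" + i);
            }
        }
        in.readUnsignedShort();                        // access_flags
        int thisClass = in.readUnsignedShort();
        int superClass = in.readUnsignedShort();

        List<String> out = new ArrayList<>();
        out.add("class file version " + major + "." + minor);
        out.add("this_class: " + utf8[classNameIdx[thisClass]]);
        if (superClass != 0) out.add("super_class: " + utf8[classNameIdx[superClass]]);
        for (int i = 1; i < count; i++) {
            if (utf8[i] != null) out.add("utf8 #" + i + ": " + utf8[i]);
        }
        for (int ref : stringRefs) out.add("string literal: \"" + utf8[ref] + "\"");
        return out;
    }
}
```

The output for the unobfuscated build shows every class, field and method name, the method descriptors, and the literal text; an obfuscated build keeps the descriptors and literals while the names shrink to one or two letters. That is the gap between "harder to read" and "protected" that the reply above describes.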
 
Ron McLeod, Marshal, Posts: 3882

Mike Cheung wrote:I need to come up with a solution that protects the source code from being leaked.


Is this a security concern or a commercial concern?

Are you looking for a way to protect your application so that it cannot easily be run on an unauthorized platform? Are you worried that the integrity of your application may be compromised if someone can easily reverse-engineer your application and see what it is doing? Are you thinking someone may steal your code or ideas and use them in a competing application?
 
Mike Cheung, Ranch Hand, Posts: 115

Ulf Dittmer wrote:Where do you see the difference between a web app and a server app? In neither case are class files distributed; are you trying to guard against rogue sys admins?

Java source code in some form can always be recovered from class files. Tools like ProGuard can make it harder, but a determined attacker will be able to get around that.


The difference I see should be none. But in cases where the web app needs to run in a container like Tomcat or GlassFish, which I think are distributed as JAR files as well (i.e. no class files), I'm not sure if there are issues with compiling the whole container as a single platform-specific binary executable using tools like Excelsior JET.

Ron McLeod wrote:Is this a security concern or a commercial concern?

Are you looking for a way to protect your application so that it cannot easily be run on an unauthorized platform? Are you worried that the integrity of your application may be compromised if someone can easily reverse-engineer your application and see what it is doing? Are you thinking someone may steal your code or ideas and use them in a competing application?


There are actually 2 reasons:
1) Primarily more of a commercial rather than a security concern, against potential reverse engineering or someone seeing what the code does. I know there's nothing called impossible, but it should be difficult, and even if someone can see what's going on under the hood, all they get is binary instructions and not the actual high-level logic.
2) The second reason is to make it easy for the end user, so they don't need to worry about installing a JVM (and therefore which specific version) and various other things like libs, etc. All they get is one single .lx binary file in order to run in a Linux environment.

 
Ulf Dittmer, Rancher, Posts: 43028

Mike Cheung wrote:But in cases where the web app needs to run in a container like Tomcat or GlassFish, which I think are distributed as JAR files as well (i.e. no class files), I'm not sure if there are issues with compiling the whole container as a single platform-specific binary executable using tools like Excelsior JET.


But the servlet container (and the jar files that make up your app) are not distributed; they're installed under your control on a server. Are you saying you distrust your own sys admins? It's not unreasonable to think about that, but if that's a concern, I'd likely address other matters (like data) long before tackling code issues. Or is this a scenario (rare though it is) where the web app is actually distributed to the client?

I can't speak to the class of tools that you have identified as the solution (which convert to native code, and get rid of the JVM). I've considered ProGuard to be sufficient at those times where I wanted to protect apps for distribution.
 
Mike Cheung, Ranch Hand, Posts: 115

Ulf Dittmer wrote:

Mike Cheung wrote:But in cases where the web app needs to run in a container like Tomcat or GlassFish, which I think are distributed as JAR files as well (i.e. no class files), I'm not sure if there are issues with compiling the whole container as a single platform-specific binary executable using tools like Excelsior JET.

But the servlet container (and the jar files that make up your app) are not distributed; they're installed under your control on a server. Are you saying you distrust your own sys admins? It's not unreasonable to think about that, but if that's a concern, I'd likely address other matters (like data) long before tackling code issues. Or is this a scenario (rare though it is) where the web app is actually distributed to the client?

I can't speak to the class of tools that you have identified as the solution (which convert to native code, and get rid of the JVM). I've considered ProGuard to be sufficient at those times where I wanted to protect apps for distribution.


Um... actually I want to distribute it so the whole thing needs to be packaged up including the container itself. The end customer only needs to start it using one compiled binary file, rather than installing the container and loading it up. Does ProGuard do this also? And what's the pricing like? I tried looking for pricing but couldn't find anything stated.
 
Ulf Dittmer, Rancher, Posts: 43028
ProGuard is a code obfuscator, nothing more; it's free to use.

OK, if you will actually ship the web app itself to clients, then you're right that the same concerns apply as for desktop apps. I'm not sure what tools are available to facilitate this, or what they might be able to do.
 
Greenhorn, Posts: 28
As I see it, you need a few scripts (.sh and .bat) packed:

1. For installing (moving files to the proper directory). Here we have a script that points to a server and file names, and it FTPs the files and installs them.
2. For executing your application. Here we use this to set the environment and invoke the application.
 