How to secure/protect your JSP application?

 
alsoumahi alBatal
Ranch Hand
Hi experts, assume you create a web JSP application and now you want to make it online. How do you secure or protect your web application, like disabling viewing the source code, or making it run only in Microsoft Explorer with no toolbar options (F2 is disabled and inspect element is also disabled)? Also, how do you encrypt the servlet classes so that no decompiling of the Java classes can occur? I want to know how much security I can achieve for my application.
 
Dave Tolls
Ranch Foreman
You'll kill your application's usefulness if you do things like limit it to a particular browser.
And anyone that actually wanted to look at the code could in any case. You are simply sending text over the HTTP call, so there's not much you can do to stop someone looking at the response.

As for the servlet, since the end user will never get to see the class files then there's nothing you need to concern yourself about with that.

Is it just trying to prevent people seeing your code?
 
Tim Moores
Saloon Keeper
As Dave said, preventing people from looking at your HTML and JavaScript is not possible.

If you're just starting out with web app security, you should start by reading the "Web applications and HTTP" section in the Security FAQ. Then you'll have a better grasp of what the issues are, and how to go about securing against them.
 
alsoumahi alBatal
Ranch Hand
I understand what you are saying about viewing the source code, but I have seen some web applications done in ASP where you cannot inspect the HTML element to view the source code. The reason I am trying to do that is that I don't want anyone who has an idea about JSP to find my servlets and do SQL injection or whatever. How do these people disable this functionality in the web browser?

since the end user will never get to see the class files then there's nothing you need to concern yourself about with that


Actually I am trying to sell my web application and distribute it, so how can I secure my Java classes from being reverted to the original source code? I have tried to use ProGuard and then checked the classes after the obfuscation process; they come back with very little change, so if someone sets his mind to it he can analyze and understand the code again. Especially, I cannot change the names of the servlet classes because I need to link them in web.xml as below

Here I don't want to obfuscate the "loginServlet" name to xxx, because then "loginServlet" in my login form will no longer exist.
Please help me with this: how do I secure my Java servlet classes?
 
Bear Bibeault
Author and ninkuma
Marshal
Very little (perhaps none) of what you are talking about provides any measure of security. Hiding the HTML provides no security. Hiding the names of servlets provides no security. You need to follow the advice of previous posters and learn what real security looks like. Links were provided. This includes using real authentication and authorization in the back-end code, protecting against script and SQL injections, and other measures.

Trying to alter the browser behavior is not only futile, it's ineffectual.
 
Paul Clapham
Sheriff
alsoumahi alBatal wrote: Actually I am trying to sell my web application and distribute it, so how can I secure my Java classes from being reverted to the original source code? I have tried to use ProGuard and then checked the classes after the obfuscation process; they come back with very little change, so if someone sets his mind to it he can analyze and understand the code again.


And what security problems would exist if the purchaser had the source code to your servlets? What assets of yours would be damaged or lost in that case?
 
Dave Tolls
Ranch Foreman
alsoumahi alBatal wrote:... do sql injection or whatever...


You don't prevent SQL injection by hiding stuff.
You prevent it by writing your database access code in the proper way (e.g. using prepared statements).
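To make Dave's point concrete, here is an added example (not code posted in this thread) showing the two ways of writing the lookup behind a login form. The first builds the SQL text from the request parameter, so the parameter is interpreted as SQL; the second binds it through a PreparedStatement, so the driver only ever treats it as data. The table and column names (app_user, username, password_hash) are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not code from the thread. Assumed schema:
 *   app_user(username VARCHAR, password_hash VARCHAR)
 */
public class UserLookup {

    /**
     * VULNERABLE: the request parameter is spliced into the SQL text.
     * Whatever the user typed into the login form becomes part of the query,
     * and no amount of hiding the servlet name changes that.
     */
    public static String findPasswordHashUnsafe(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT password_hash FROM app_user WHERE username = '"
                + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /**
     * SAFE: the query shape is fixed at prepare time and the parameter is
     * bound separately, so the value can never change the statement's meaning.
     */
    public static String findPasswordHash(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT password_hash FROM app_user WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);           // bound as data, not as SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

The safe version returns the stored hash (or null when the user does not exist) so the servlet can compare it with a proper password verifier; the query itself is identical for every caller, which is exactly what makes it injection-proof regardless of what the client knows about the application's servlets.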
 
alsoumahi alBatal
Ranch Hand
And what security problems would exist if the purchaser had the source code to your servlets? What assets of yours would be damaged or lost in that case?
Simply, he can change the code or adjust it to what he needs and sell it to others as if he were the owner of the program.
 
Paul Clapham
Sheriff
alsoumahi alBatal wrote:
And what security problems would exist if the purchaser had the source code to your servlets? What assets of yours would be damaged or lost in that case?
Simply, he can change the code or adjust it to what he needs and sell it to others as if he were the owner of the program.


But your licencing terms would prohibit that, wouldn't they? At the very least the other person wouldn't be the owner of the program.

As for adjusting the code to what he needs, why didn't you already do that before you shipped the product? Isn't it your job to give the customers what they need?
 
Paul Clapham
Sheriff
Let me say that in the past I have worked with code purchased from other companies. This was code which I could see and change.

But did I consider reselling it to other businesses? No. I was in the wholesale distribution business and I didn't want to quit doing that and start being in the software sales and support business. If I had decided to resell it, then I would be competing with the original writers of the code who had a lot more experience with it along with a considerable sales and support force. I would have had to develop a similar organization which could sell and support the product, and I would have had to make changes which made the product better than the original version. All of that while fighting lawsuits from the owners of the product. Not many people would do that.
 
SunilK Chauhan
Ranch Hand
As you mention, you have created an application and you want to sell it. Then how do you make it more secure? Actually, in JSP it's not possible to hide the source code from the browser view.

But you can do one thing: use JSP files for view purposes only. Don't include any business logic inside. And yes, one more thing: if you are using Spring-like frameworks and JSTL tags, then you can generally hide your source code data within the block of JSP code.

User can only view the basic JSP part not all. So, you can use the JSTL tags inside but all the calculated parts should be in class files only.

This way you can hide your sensitive data from the user in the browser window.
 
Bear Bibeault
Author and ninkuma
Marshal
SunilK Chauhan wrote:Actually In JSP it's not possible to hide the source code from the browser view.

This is untrue, or at best, misleading. The Java source code for the application, as well as the source of the JSP themselves (if placed properly within the application under WEB-INF) are not, repeat not, visible from the client browser.

The HTML generated from the JSP, along with any CSS and JavaScript loaded by the page, are visible. They have to be so the browser can use them.

But the Java and JSP source code are not visible to the browser.

Of course, if you give the whole application to someone, they could decompile the class files -- but that's not the same as the source being available via the browser.
 
SunilK Chauhan
Ranch Hand
Source of the JSP page is not visible to the client window but one can view the runtime program of JSP in the browser with the debug mode as well.

We can easily view the JSP page code dynamically on runtime.
 
Bear Bibeault
Author and ninkuma
Marshal
SunilK Chauhan wrote:We can easily view the JSP page code dynamically on runtime.

If the JSP page is properly placed under WEB-INF, then no, this is not true.

If the JSP page is placed in a public folder, that is a security issue and should be considered a major bug in the application.

Please see this article for how to properly structure Java web applications.
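The structure Bear describes in this post and the one above (JSP sources under WEB-INF, reached only by a forward from server-side code) looks like the following. This is an added example, not code from the thread or from the article Bear links; the directory layout, the servlet name LoginServlet, the URL pattern /login and the javax.servlet (pre-Jakarta) package names are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not from the thread. Assumed layout of the deployed webapp:
 *
 *   webapp/
 *     index.html                   <- public: served as-is to any browser
 *     WEB-INF/
 *       web.xml
 *       jsp/login.jsp              <- private: the container never serves it by URL
 *       classes/LoginServlet.class <- private: never reachable by URL either
 *
 * The Servlet specification requires the container to answer any client
 * request for a path under /WEB-INF/ with 404 Not Found. The JSP source and
 * the class files therefore never leave the server; only the HTML, CSS and
 * JavaScript that the JSP *produces* is sent to the browser.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Server-side forward: the browser asked for /login and receives the
        // rendered output of login.jsp; the JSP file itself is never exposed.
        req.getRequestDispatcher("/WEB-INF/jsp/login.jsp").forward(req, resp);
    }
}
```

If login.jsp were placed in the public webapp root instead, a browser could request it directly and bypass whatever checks the servlet performs before forwarding, which is the "major bug" Bear refers to; moving it under WEB-INF is the fix, and the only visible change to the client is that a direct request now gets a 404.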
 
Dave Tolls
Ranch Foreman
SunilK Chauhan wrote:Source of the JSP page is not visible to the client window but one can view the runtime program of JSP in the browser with the debug mode as well.

We can easily view the JSP page code dynamically on runtime.


I think you are confusing the JSP page itself (with all the JSTL etc. in it) and the output of the JSP page, which is HTML and JavaScript in the client browser.

As Bear says, it should not be possible to access the JSP code.
But the output of that code is accessible, because if it weren't then the client would have nothing to work with.
 
It is sorta covered in the JavaRanch Style Guide.